RCE in Python Pillow

CVE-2014-3007

Python Image Library (PIL) 1.1.7 and earlier and Pillow 2.3 might allow remote attackers to execute arbitrary commands via shell metacharacters in unspecified vectors related to CVE-2014-1932, possibly JpegImagePlugin.py.

Vulnerability class: Command Injection (OS Command Injection)

EPSS: 0.035 (87.9th percentile) — read the EPSS interpretation.

Affected products

Python Pillow — versions 2.3.0
Pythonware Python_imaging_library
N/a — versions n/a

Weakness classification (CWE)

CWE-78 — OS Command Injection

References

cve@mitre.org (x_refsource_MISC)
cve@mitre.org (x_refsource_MISC)