Pillow through 10.1.0 allows arbitrary code execution in PIL.ImageMath.eval via the environment parameter. This is a different vulnerability from CVE-2022-22817 (which was about the expression parameter).
{ "availability": "No subscription required", "ubuntu_priority": "medium", "binaries": [ { "python3-pil.imagetk-dbg": "7.0.0-4ubuntu0.8", "python3-pil-dbg": "7.0.0-4ubuntu0.8", "python-pil-doc": "7.0.0-4ubuntu0.8", "python3-pil": "7.0.0-4ubuntu0.8", "python3-pil.imagetk": "7.0.0-4ubuntu0.8" } ] }
{ "availability": "No subscription required", "ubuntu_priority": "medium", "binaries": [ { "python3-pil.imagetk-dbgsym": "9.0.1-1ubuntu0.2", "python3-pil.imagetk": "9.0.1-1ubuntu0.2", "python-pil-doc": "9.0.1-1ubuntu0.2", "python3-pil": "9.0.1-1ubuntu0.2", "python3-pil-dbgsym": "9.0.1-1ubuntu0.2" } ] }