CVE-2022-44268

ImageMagick 7.1.0-49 is vulnerable to Information Disclosure. When it parses a PNG image (e.g., for resize), the resulting image could have embedded the content of an arbitrary. file (if the magick binary has permissions to read it).

CVSS v3.0 6.5 MEDIUM

6.5^/10

CVSS v3.0 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://imagemagick.org/	Product
https://www.metabaseq.com/imagemagick-zero-days/	Exploit Third Party Advisory
https://www.debian.org/security/2023/dsa-5347
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZZLLS37P67CMBRML6OCG42GPCKGRCJNV/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AINSUL2QBKETGYRPA7XSCMJWLUB44M6S/
https://lists.debian.org/debian-lts-announce/2023/03/msg00008.html

Advertisement

Configurations

Configuration 1 (hide)

cpe:2.3:a:imagemagick:imagemagick:7.1.0-49:*:*:*:*:*:*:*

Information

Published : 2023-02-06 13:15

Updated : 2023-03-11 15:15

NVD link : CVE-2022-44268

Mitre link : CVE-2022-44268

JSON object : View

CWE

NVD-CWE-noinfo

Advertisement

Products Affected

imagemagick

imagemagick

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "https://imagemagick.org/", "name": "https://imagemagick.org/", "tags": ["Product"], "refsource": "MISC"}, {"url": "https://www.metabaseq.com/imagemagick-zero-days/", "name": "https://www.metabaseq.com/imagemagick-zero-days/", "tags": ["Exploit", "Third Party Advisory"], "refsource": "MISC"}, {"url": "https://www.debian.org/security/2023/dsa-5347", "name": "DSA-5347", "tags": [], "refsource": "DEBIAN"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZZLLS37P67CMBRML6OCG42GPCKGRCJNV/", "name": "FEDORA-2023-6537113d6d", "tags": [], "refsource": "FEDORA"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AINSUL2QBKETGYRPA7XSCMJWLUB44M6S/", "name": "FEDORA-2023-93389b8a9e", "tags": [], "refsource": "FEDORA"}, {"url": "https://lists.debian.org/debian-lts-announce/2023/03/msg00008.html", "name": "[debian-lts-announce] 20230311 [SECURITY] [DLA 3357-1] imagemagick security update", "tags": [], "refsource": "MLIST"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "ImageMagick 7.1.0-49 is vulnerable to Information Disclosure. When it parses a PNG image (e.g., for resize), the resulting image could have embedded the content of an arbitrary. file (if the magick binary has permissions to read it)."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2022-44268", "ASSIGNER": "cve@mitre.org"}}, "impact": {"baseMetricV3": {"cvssV3": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.8}}, "publishedDate": "2023-02-06T21:15Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:imagemagick:imagemagick:7.1.0-49:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2023-03-11T23:15Z"}