A vulnerability classified as critical was found in ImageMagick (Image Processing Software) (the affected version is unknown). Affected by this vulnerability is an unknown code of the file /tmp of the component SVG File Handler. The manipulation with an unknown input leads to a memory corruption vulnerability. The CWE definition for the vulnerability is CWE-119. The product performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer. As an impact it is known to affect availability. The summary by CVE is:

A vulnerability was discovered in ImageMagick where a specially created SVG file loads itself and causes a segmentation fault. This flaw allows a remote attacker to pass a specially crafted SVG file that leads to a segmentation fault, generating many trash files in "/tmp," resulting in a denial of service. When ImageMagick crashes, it generates a lot of trash files. These trash files can be large if the SVG file contains many render actions. In a denial of service attack, if a remote attacker uploads an SVG file of size t, ImageMagick generates files of size 103*t. If an attacker uploads a 100M SVG, the server will generate about 10G.

The weakness was shared 03/24/2023 as GHSA-j96m-mjp6-99xr. It is possible to read the advisory at github.com. This vulnerability is known as CVE-2023-1289 since 03/09/2023. It demands that the victim is doing some kind of user interaction. Technical details of the vulnerability are known, but there is no available exploit.

Applying the patch c5b23cbf2119540725e6dc81f4deb25798ead6a4 is able to eliminate this problem. The bugfix is ready for download at github.com.

Productinfo

Type

• Image Processing Software

Name

• ImageMagick

License

• open-source

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion