exploitDog

CVE-2020-29599

Published: 07 Dec 2020
Source: redhat
CVSS3: 7.3

Description

ImageMagick before 6.9.11-40 and 7.x before 7.0.10-40 mishandles the -authenticate option, which allows setting a password for password-protected PDF files. The user-controlled password was not properly escaped/sanitized and it was therefore possible to inject additional shell commands via coders/pdf.c.

A flaw was found in ImageMagick. The -authenticate option is mishandled allowing user-controlled password set for a PDF file to possibly inject additional shell commands via coders/pdf.c. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

Report

Although ImageMagick is shipped as a bundled dependency of Inkscape, the latter package is not affected: Inkscape uses ImageMagick primarily for bitmap filters and therefore does not expose the affected code path.

Affected packages

Platform                   | Package     | State                | Recommendation  | Release
Red Hat Enterprise Linux 5 | ImageMagick | Out of support scope |                 |
Red Hat Enterprise Linux 6 | ImageMagick | Out of support scope |                 |
Red Hat Enterprise Linux 8 | inkscape    | Not affected         |                 |
Red Hat Enterprise Linux 9 | ImageMagick | Not affected         |                 |
Red Hat Enterprise Linux 7 | ImageMagick | Fixed                | RHSA-2021:0024  | 05.01.2021


Additional information

Status: Important
Defect: CWE-77
https://bugzilla.redhat.com/show_bug.cgi?id=1907456
ImageMagick: Shell injection via PDF password could result in arbitrary code execution

CVSS3: 7.3 High

Related vulnerabilities

ubuntu (CVSS3: 7.8), about 5 years ago


nvd (CVSS3: 7.8), about 5 years ago


debian (CVSS3: 7.8), about 5 years ago


github (CVSS3: 7.8), more than 3 years ago


oracle-oval, about 5 years ago

ELSA-2021-0024: ImageMagick security update (IMPORTANT)
