CVE-2021-45463

Опубликовано: 15 дек. 2021

Источник: redhat

CVSS3: 7.8

EPSS Низкий

Описание

load_cache in GEGL before 0.4.34 allows shell expansion when a pathname in a constructed command line is not escaped or filtered. This is caused by use of the system library function for execution of the ImageMagick convert fallback in magick-load. NOTE: GEGL releases before 0.4.34 are used in GIMP releases before 2.10.30; however, this does not imply that GIMP builds enable the vulnerable feature.

Due to the use of the system command in the Magick-Load op used by gegl an attacker is able to craft a command line path that is able to lead to the execution of arbitrary shell commands that impacts availability, confidentiality and integrity.

Затронутые пакеты

Платформа	Пакет	Состояние	Рекомендация	Релиз
Red Hat Enterprise Linux 6	gegl	Out of support scope
Red Hat Enterprise Linux 8	gegl	Affected
Red Hat Enterprise Linux 8	gimp:flatpak/gegl	Affected
Red Hat Enterprise Linux 9	gegl	Not affected
Red Hat Enterprise Linux 7	gegl	Fixed	RHSA-2022:0162	18.01.2022
Red Hat Enterprise Linux 8	gegl04	Fixed	RHSA-2022:0177	19.01.2022
Red Hat Enterprise Linux 8.2 Extended Update Support	gegl04	Fixed	RHSA-2022:0184	19.01.2022
Red Hat Enterprise Linux 8.4 Extended Update Support	gegl04	Fixed	RHSA-2022:0178	19.01.2022

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Important

Дефект:

CWE-20

https://bugzilla.redhat.com/show_bug.cgi?id=2035383gegl: shell expansion via a crafted pathname

EPSS

Процентиль: 81%

0.01608

Низкий

7.8 High

CVSS3

Связанные уязвимости

CVE-2021-45463

CVSS3: 7.8

ubuntu

больше 3 лет назад

CVE-2021-45463

CVSS3: 7.8

nvd

больше 3 лет назад

CVE-2021-45463

CVSS3: 7.8

debian

больше 3 лет назад

load_cache in GEGL before 0.4.34 allows shell expansion when a pathnam ...

openSUSE-SU-2021:4210-1

suse-cvrf

больше 3 лет назад

Security update for gegl

openSUSE-SU-2021:4209-1

suse-cvrf

больше 3 лет назад

Security update for gegl

EPSS

Процентиль: 81%

0.01608

Низкий

7.8 High

CVSS3