Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2022-44268

Опубликовано: 06 фев. 2023
Источник: redhat
CVSS3: 6.5

Описание

ImageMagick 7.1.0-49 is vulnerable to Information Disclosure. When it parses a PNG image (e.g., for resize), the resulting image could have embedded the content of an arbitrary. file (if the magick binary has permissions to read it).

An information disclosure vulnerability was found in ImageMagick. This flaw allows an attacker to read arbitrary files from a server when parsing an image and happens when the program is parsing a PNG image. If ImageMagick has permission to read other arbitrary files, the resulting image could have been embedded with contents from another file on the machine after the parsing process.

Меры по смягчению последствий

To mitigate the issue, we recommend setting a security policy that is suitable for your local environment. Add this to your security policy (policy.xml):

<policy domain="path" rights="none" pattern="/etc/*"/> <!-- don't read sensitive paths -->

With above policy, you get:

$ magick logo: -set profile /etc/passwd logo.png magick: attempt to perform an operation not allowed by the security policy `/etc/passwd' @ error/blob.c/FileToBlob/1433.

This can be as draconian as needed. Use /* as the path to prevent reading any file with an absolute path. You can also protect against relative paths:

<policy domain="path" rights="none" pattern="../*"/>

(For more information, refer to the complete issue discussion in external references)

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
Red Hat Enterprise Linux 6ImageMagickOut of support scope
Red Hat Enterprise Linux 7ImageMagickOut of support scope

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate
Дефект:
CWE-200
https://bugzilla.redhat.com/show_bug.cgi?id=2167594ImageMagick: vulnerable to Information Disclosure when it parses a PNG image

6.5 Medium

CVSS3

Связанные уязвимости

ubuntu логотип

CVE-2022-44268

CVSS3: 6.5
ubuntu
больше 2 лет назад

ImageMagick 7.1.0-49 is vulnerable to Information Disclosure. When it parses a PNG image (e.g., for resize), the resulting image could have embedded the content of an arbitrary. file (if the magick binary has permissions to read it).

nvd логотип

CVE-2022-44268

CVSS3: 6.5
nvd
больше 2 лет назад

ImageMagick 7.1.0-49 is vulnerable to Information Disclosure. When it parses a PNG image (e.g., for resize), the resulting image could have embedded the content of an arbitrary. file (if the magick binary has permissions to read it).

debian логотип

CVE-2022-44268

CVSS3: 6.5
debian
больше 2 лет назад

ImageMagick 7.1.0-49 is vulnerable to Information Disclosure. When it ...

github логотип

GHSA-g5qh-f5rv-grcp

CVSS3: 6.5
github
больше 2 лет назад

ImageMagick 7.1.0-49 is vulnerable to Information Disclosure. When it parses a PNG image (e.g., for resize), the resulting image could have embedded the content of an arbitrary. file (if the magick binary has permissions to read it).

fstec логотип

BDU:2023-00579

CVSS3: 7.5
fstec
больше 2 лет назад

Уязвимость графического редактора ImageMagick, связанная с ошибками при обработке входных данных, позволяющая нарушителю получить доступ к защищаемой информации

6.5 Medium

CVSS3