Описание
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-16 and 6.9.13-41, domain="path" authorization is checked before final file open/use. A symlink swap between check-time and use-time bypasses policy-denied read/write. This vulnerability is fixed in 7.1.2-16 and 6.9.13-41.
A flaw was found in ImageMagick, a free and open-source software used for editing and manipulating digital images. A time-of-check to time-of-use (TOCTOU) vulnerability exists where authorization for a file path is checked before the file is finally opened or used. A local attacker can exploit this by performing a symlink swap between the check-time and use-time, bypassing policy-denied read/write operations. This can lead to information disclosure and unauthorized modification of files.
Отчет
This MODERATE impact vulnerability in ImageMagick allows a Time-of-Check to Time-of-Use (TOCTOU) symlink race. An attacker could exploit this to bypass path policy restrictions, potentially leading to unauthorized read or write access to files. This affects Red Hat Enterprise Linux and Community Projects that include ImageMagick.
Меры по смягчению последствий
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 6 | ImageMagick | Out of support scope | ||
| Red Hat Enterprise Linux 7 | ImageMagick | Out of support scope |
Показывать по
Дополнительная информация
Статус:
EPSS
6.3 Medium
CVSS3
Связанные уязвимости
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-16 and 6.9.13-41, domain="path" authorization is checked before final file open/use. A symlink swap between check-time and use-time bypasses policy-denied read/write. This vulnerability is fixed in 7.1.2-16 and 6.9.13-41.
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-16 and 6.9.13-41, domain="path" authorization is checked before final file open/use. A symlink swap between check-time and use-time bypasses policy-denied read/write. This vulnerability is fixed in 7.1.2-16 and 6.9.13-41.
ImageMagick is free and open-source software used for editing and mani ...
ImageMagick has a Path Policy TOCTOU symlink race bypass
EPSS
6.3 Medium
CVSS3