CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2021-3962
https://notcve.org/view.php?id=CVE-2021-3962
A flaw was found in ImageMagick where it did not properly sanitize certain input before using it to invoke convert processes. This flaw allows an attacker to create a specially crafted image that leads to a use-after-free vulnerability when processed by ImageMagick. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. Se ha encontrado un fallo en ImageMagick que no sanea correctamente ciertas entradas antes de utilizarlas para invocar procesos de conversión. Este defecto permite a un atacante crear una imagen especialmente diseñada que conduce a una vulnerabilidad de uso después de la liberación cuando es procesada por ImageMagick. • https://bugzilla.redhat.com/show_bug.cgi?id=2023196 https://github.com/ImageMagick/ImageMagick/commit/82775af03bbb10a0a1d0e15c0156c75673b4525e https://github.com/ImageMagick/ImageMagick/issues/4446 • CWE-416: Use After Free •
CVSS: 4.4EPSS: 0%CPEs: 2EXPL: 0CVE-2021-39212 – Issue when Configuring the ImageMagick Security Policy
https://notcve.org/view.php?id=CVE-2021-39212
ImageMagick is free software delivered as a ready-to-run binary distribution or as source code that you may use, copy, modify, and distribute in both open and proprietary applications. In affected versions and in certain cases, Postscript files could be read and written when specifically excluded by a `module` policy in `policy.xml`. ex. <policy domain="module" rights="none" pattern="PS" />. The issue has been resolved in ImageMagick 7.1.0-7 and in 6.9.12-22. Fortunately, in the wild, few users utilize the `module` policy and instead use the `coder` policy that is also our workaround recommendation: <policy domain="coder" rights="none" pattern="{PS,EPI,EPS,EPSF,EPSI}" />. • https://github.com/ImageMagick/ImageMagick/commit/01faddbe2711a4156180c4a92837e2f23683cc68 https://github.com/ImageMagick/ImageMagick/commit/35893e7cad78ce461fcaffa56076c11700ba5e4e https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-qvhr-jj4p-j2qr https://lists.debian.org/debian-lts-announce/2023/05/msg00020.html • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') CWE-668: Exposure of Resource to Wrong Sphere •