CVE-2020-29599
ImageMagick: Shell injection via PDF password could result in arbitrary code execution
Public Exploits: 3
Exploited in Wild: -
Descriptions
ImageMagick before 6.9.11-40 and 7.x before 7.0.10-40 mishandles the -authenticate option, which allows setting a password for password-protected PDF files. The user-controlled password was not properly escaped/sanitized and it was therefore possible to inject additional shell commands via coders/pdf.c.
ImageMagick versions before 6.9.11-40 and 7.x versions before 7.0.10-40 improperly handle the -authenticate option, which allows setting a password for password-protected PDF files. The user-controlled password was not properly escaped and sanitized, and it was therefore possible to inject additional shell commands via the coders/pdf.c file.
A flaw was found in ImageMagick. The -authenticate option is mishandled, which possibly allows a user-controlled password set for a PDF file to inject additional shell commands via coders/pdf.c. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
It was discovered that ImageMagick incorrectly handled the "-authenticate" option for password-protected PDF files. An attacker could possibly use this issue to inject additional shell commands and perform arbitrary code execution. This issue only affected Ubuntu 20.04 LTS. It was discovered that ImageMagick incorrectly handled certain values when processing PDF files. If a user or automated system using ImageMagick were tricked into opening a specially crafted PDF file, an attacker could exploit this to cause a denial of service. This issue only affected Ubuntu 20.04 LTS.
Timeline
- 2020-12-07 CVE Reserved
- 2020-12-07 CVE Published
- 2022-01-28 First Exploit
- 2024-08-04 CVE Updated
- 2025-03-24 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
- CWE-91: XML Injection (aka Blind XPath Injection)
References (9)
URL | Tag | Source |
---|---|---|
https://insert-script.blogspot.com/2020/11/imagemagick-shell-injection-via-pdf.html | Third Party Advisory | |
https://lists.debian.org/debian-lts-announce/2021/01/msg00010.html | Mailing List | |
https://lists.debian.org/debian-lts-announce/2023/03/msg00008.html | Mailing List | |

URL | Date | SRC |
---|---|---|
https://github.com/coco0x0a/CVE-2020-29599 | 2022-01-28 | |
https://github.com/lnwza0x0a/CVE-2020-29599 | 2022-03-11 | |
https://github.com/ImageMagick/ImageMagick/discussions/2851 | 2024-08-04 | |

URL | Date | SRC |
---|---|---|
https://security.gentoo.org/glsa/202101-36 | 2023-03-11 | |
https://access.redhat.com/security/cve/CVE-2020-29599 | 2021-01-05 | |
https://bugzilla.redhat.com/show_bug.cgi?id=1907456 | 2021-01-05 | |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status |
---|---|---|---|---|
Imagemagick | Imagemagick | >= 6.9.8-1 < 6.9.11-40 | - | Affected |
Imagemagick | Imagemagick | >= 7.0.5-3 < 7.0.10-40 | - | Affected |
Debian | Debian Linux | 9.0 | - | Affected |