CVE-2021-39212

Issue when Configuring the ImageMagick Security Policy

Severity Score

3.6

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

ImageMagick is free software delivered as a ready-to-run binary distribution or as source code that you may use, copy, modify, and distribute in both open and proprietary applications. In affected versions and in certain cases, Postscript files could be read and written when specifically excluded by a `module` policy in `policy.xml`. ex. <policy domain="module" rights="none" pattern="PS" />. The issue has been resolved in ImageMagick 7.1.0-7 and in 6.9.12-22. Fortunately, in the wild, few users utilize the `module` policy and instead use the `coder` policy that is also our workaround recommendation: <policy domain="coder" rights="none" pattern="{PS,EPI,EPS,EPSF,EPSI}" />.

ImageMagick es un software libre que se entrega como una distribución binaria lista para ser ejecutada o como un código fuente que se puede usar, copiar, modificar y distribuir tanto en aplicaciones abiertas como propietarias. En las versiones afectadas y en determinados casos, los archivos Postscript podían leerse y escribirse cuando se excluían específicamente mediante una política de "module" en "policy.xml". ex. (policy domain="module" rights="none" pattern="PS" /). El problema ha sido resuelto en ImageMagick versiones 7.1.0-7 y en 6.9.12-22. Afortunadamente, en la naturaleza, pocos usuarios usan la política "module" y en su lugar usan la política "coder" que es también nuestra recomendación de solución: (policy domain="coder" rights="none" pattern="{PS,EPI,EPS,EPSF,EPSI}" /)

*Credits: N/A

CVSS Scores

Attack Vector

Local

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

None

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

None

Attack Vector

Local

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2021-08-16 CVE Reserved
2021-09-13 CVE Published
2023-05-22 EPSS Updated
2024-08-04 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CWE-668: Exposure of Resource to Wrong Sphere

CAPEC

References (4)

URL	Tag	Source
https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-qvhr-jj4p-j2qr	Third Party Advisory
https://lists.debian.org/debian-lts-announce/2023/05/msg00020.html	Mailing List

URL	Date	SRC

URL	Date	SRC
https://github.com/ImageMagick/ImageMagick/commit/01faddbe2711a4156180c4a92837e2f23683cc68	2023-05-22
https://github.com/ImageMagick/ImageMagick/commit/35893e7cad78ce461fcaffa56076c11700ba5e4e	2023-05-22

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Imagemagick Search vendor "Imagemagick"		Imagemagick Search vendor "Imagemagick" for product "Imagemagick"				>= 6.9.12-0 < 6.9.12-22 Search vendor "Imagemagick" for product "Imagemagick" and version " >= 6.9.12-0 < 6.9.12-22"		-		Affected
Imagemagick Search vendor "Imagemagick"		Imagemagick Search vendor "Imagemagick" for product "Imagemagick"				>= 7.1.0-0 < 7.1.0-7 Search vendor "Imagemagick" for product "Imagemagick" and version " >= 7.1.0-0 < 7.1.0-7"		-		Affected