CVE-2021-20311

A flaw was found in ImageMagick in versions before 7.0.11, where a division by zero in sRGBTransformImage() in the MagickCore/colorspace.c may trigger undefined behavior via a crafted image file that is submitted by an attacker processed by an application using ImageMagick. The highest threat from this vulnerability is to system availability.

CVSS v3 7.5 HIGH
CVSS v2.0 7.8 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

7.8^/10

CVSS v2.0 : HIGH

Vector : AV:N/AC:L/Au:N/C:N/I:N/A:C

Exploitability : 10.0 / Impact : 6.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact COMPLETE

References

Link	Resource
https://bugzilla.redhat.com/show_bug.cgi?id=1946739	Issue Tracking Patch Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2021-05-11 23:15

Updated : 2024-02-28 18:28

NVD link : CVE-2021-20311

Mitre link : CVE-2021-20311

CVE.ORG link : CVE-2021-20311

JSON object : View

Products Affected

imagemagick

imagemagick

CWE

CWE-369

Divide By Zero

{"id": "CVE-2021-20311", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 7.8, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "COMPLETE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 6.9, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2021-05-11T23:15:08.810", "references": [{"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1946739", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"], "source": "secalert@redhat.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "secalert@redhat.com", "description": [{"lang": "en", "value": "CWE-369"}]}], "descriptions": [{"lang": "en", "value": "A flaw was found in ImageMagick in versions before 7.0.11, where a division by zero in sRGBTransformImage() in the MagickCore/colorspace.c may trigger undefined behavior via a crafted image file that is submitted by an attacker processed by an application using ImageMagick. The highest threat from this vulnerability is to system availability."}, {"lang": "es", "value": "Se encontr\u00f3 un fallo en ImageMagick en versiones anteriores a 7.0.11, donde una divisi\u00f3n por cero en la funci\u00f3n sRGBTransformImage() en el archivo MagickCore/colorspace.c puede desencadenar un comportamiento indefinido por medio de un archivo de imagen dise\u00f1ado que es enviado por un atacante procesado por una aplicaci\u00f3n que usa ImageMagick. La mayor amenaza de esta vulnerabilidad es la disponibilidad del sistema"}], "lastModified": "2021-05-17T19:50:39.977", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CC183293-293D-4054-8FA4-7F9A37A12D5F", "versionEndExcluding": "7.0.11-0"}], "operator": "OR"}]}], "sourceIdentifier": "secalert@redhat.com"}