CVE-2024-41817

ImageMagick is a free and open-source software suite, used for editing and manipulating digital images. The `AppImage` version `ImageMagick` might use an empty path when setting `MAGICK_CONFIGURE_PATH` and `LD_LIBRARY_PATH` environment variables while executing, which might lead to arbitrary code execution by loading malicious configuration files or shared libraries in the current working directory while executing `ImageMagick`. The vulnerability is fixed in 7.11-36.
Configurations

Configuration 1 (hide)

cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*:*

History

11 Sep 2024, 16:16

Type Values Removed Values Added
First Time Imagemagick
Imagemagick imagemagick
CVSS v2 : unknown
v3 : 7.0
v2 : unknown
v3 : 7.8
Summary
  • (es) ImageMagick es un paquete de software gratuito y de código abierto que se utiliza para editar y manipular imágenes digitales. La versión `AppImage` `ImageMagick` puede usar una ruta vacía al configurar las variables de entorno `MAGICK_CONFIGURE_PATH` y `LD_LIBRARY_PATH` durante la ejecución, lo que podría llevar a la ejecución de código arbitrario al cargar archivos de configuración maliciosos o librerías compartidas en el directorio de trabajo actual mientras se ejecuta ` ImagenMagick`. La vulnerabilidad se solucionó en 7.11-36.
CPE cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*:*
References () https://github.com/ImageMagick/ImageMagick/blob/3b22378a23d59d7517c43b65b1822f023df357a0/app-image/AppRun#L11-L14 - () https://github.com/ImageMagick/ImageMagick/blob/3b22378a23d59d7517c43b65b1822f023df357a0/app-image/AppRun#L11-L14 - Issue Tracking
References () https://github.com/ImageMagick/ImageMagick/commit/6526a2b28510ead6a3e14de711bb991ad9abff38 - () https://github.com/ImageMagick/ImageMagick/commit/6526a2b28510ead6a3e14de711bb991ad9abff38 - Patch
References () https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-8rxc-922v-phg8 - () https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-8rxc-922v-phg8 - Exploit, Vendor Advisory

29 Jul 2024, 16:21

Type Values Removed Values Added
New CVE

Information

Published : 2024-07-29 16:15

Updated : 2024-10-10 17:25


NVD link : CVE-2024-41817

Mitre link : CVE-2024-41817

CVE.ORG link : CVE-2024-41817


JSON object : View

Products Affected

imagemagick

  • imagemagick
CWE
CWE-427

Uncontrolled Search Path Element