Security Flaw in ImageMagick Affecting Multiple Versions
CVE-2020-27766

7.8HIGH

Key Information:

Vendor: Imagemagick
Status: Imagemagick
Vendor: CVE Published:; 4 December 2020

Summary

A security flaw exists in ImageMagick's MagickCore/statistic.c that allows attackers to exploit crafted files. This flaw can lead to undefined behavior, potentially affecting application stability. Specifically, the issue arises due to values falling outside the limits of the 'unsigned long' type, which could disrupt normal operations or lead to unexpected system behavior. This vulnerability affects all ImageMagick versions prior to 7.0.8-69, necessitating immediate attention and patching.

Affected Version(s)

ImageMagick ImageMagick 7.0.8-69

References

https://bugzilla.redhat.com/show_bug.cgi?id=1894686

https://lists.debian.org/debian-lts-announce/2021/03/msg0...

mailing-list

https://lists.debian.org/debian-lts-announce/2023/03/msg0...

mailing-list

CVSS V3.1

Score:

7.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Dec 4, 2020
Vulnerability Reserved
Oct 27, 2020