Shell Expansion Vulnerability in GEGL Affecting GIMP
CVE-2021-45463

7.8 HIGH

Key Information:

Vendor: GEGL
Status: Vendor
CVE Published: 23 December 2021

What is CVE-2021-45463?

GEGL before 0.4.34 allows shell expansion when a pathname is inserted, unescaped and unfiltered, into a constructed command line. That command line is handed to the system() C library function to run the ImageMagick convert fallback in the magick-load operation; because system() executes its argument through /bin/sh, shell metacharacters in the filename (for example a $(...) command substitution) are interpreted, so opening a crafted file through this code path can run arbitrary commands with the privileges of the user running GEGL. GEGL releases before 0.4.34 are used in GIMP releases before 2.10.30, although this does not by itself mean that every GIMP build enables the vulnerable GEGL feature. Users should upgrade to GEGL 0.4.34 or later (GIMP 2.10.30 or later).
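As an added illustration (not GEGL's own code), the following C program reproduces the pattern described above: a pathname is formatted into a command string and passed to system(), which runs it through /bin/sh, placed beside the argv-based replacement that never involves a shell. The command template, the function names and the hostile filename are constructed for this example, and echo stands in for ImageMagick's convert so that it runs without ImageMagick installed.

```c
/* Added example, not GEGL code: command injection via system() versus an
 * argv vector. Template, names and the hostile filename are illustrative
 * assumptions; "echo" stands in for ImageMagick's "convert". POSIX only. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Vulnerable pattern: the user-controlled path is pasted into a command
 * string. Double quotes do not stop $(...), `...`, \ or " from being
 * interpreted by /bin/sh, which system() always invokes. */
char *build_convert_command(const char *tool, const char *path, const char *out)
{
    const char *fmt = "%s \"%s\" \"%s\"";
    int n = snprintf(NULL, 0, fmt, tool, path, out);
    if (n < 0) return NULL;
    char *cmd = malloc((size_t)n + 1);
    if (cmd) snprintf(cmd, (size_t)n + 1, fmt, tool, path, out);
    return cmd;
}

/* Characters /bin/sh still interprets inside a double-quoted word. */
int path_has_shell_metachars(const char *path)
{
    return strpbrk(path, "$`\\\"\n") != NULL;
}

/* Run argv[] directly via execvp: no shell, so each element reaches the
 * child as one literal argument. Child stdout is captured into out.
 * Returns the child's exit status, or -1 on error. */
int run_argv_capture(char *const argv[], char *out, size_t outsz)
{
    int fd[2];
    if (pipe(fd) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        dup2(fd[1], STDOUT_FILENO);
        close(fd[0]);
        close(fd[1]);
        execvp(argv[0], argv);
        _exit(127);
    }
    close(fd[1]);
    size_t len = 0;
    ssize_t r;
    while (len + 1 < outsz && (r = read(fd[0], out + len, outsz - 1 - len)) > 0)
        len += (size_t)r;
    out[len] = '\0';
    close(fd[0]);
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Exactly what system(cmd) does underneath: /bin/sh -c cmd. */
int run_shell_capture(const char *cmd, char *out, size_t outsz)
{
    char *const argv[] = { "/bin/sh", "-c", (char *)cmd, NULL };
    return run_argv_capture(argv, out, outsz);
}

/* Hardened pattern: the same invocation built as an argv vector. */
int run_convert_argv(const char *tool, const char *path, const char *out,
                     char *captured, size_t capsz)
{
    char *const argv[] = { (char *)tool, (char *)path, (char *)out, NULL };
    return run_argv_capture(argv, captured, capsz);
}

int main(void)
{
    /* Constructed hostile filename: "echo INJECTED" is harmless here, but
     * any command could stand in its place. */
    const char *path = "image$(echo INJECTED).png";
    char buf[256];

    char *cmd = build_convert_command("echo", path, "/tmp/out.png");
    if (!cmd) return 1;
    printf("metachars in path: %d\n", path_has_shell_metachars(path));
    run_shell_capture(cmd, buf, sizeof buf);
    printf("via system()-style shell: %s", buf);   /* substitution ran */
    run_convert_argv("echo", path, "/tmp/out.png", buf, sizeof buf);
    printf("via argv/execvp:          %s", buf);   /* path passed literally */
    free(cmd);
    return 0;
}
```

The check function is only a diagnostic; the real fix is the argv path, since escaping for a shell is easy to get wrong and unnecessary when no shell is needed. In GLib-based code the same idea is expressed with g_spawn_sync() and an argv array instead of g_strdup_printf() plus system().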

CVSS V3.1

Score: 7.8
Severity: HIGH
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published: 23 December 2021

  • Vulnerability reserved