Heap Use After Free Vulnerability in ImageMagick Software
CVE-2023-34475
5.5 MEDIUM
What is CVE-2023-34475?
A heap use-after-free vulnerability has been identified in the ReplaceXmpValue() function in ImageMagick's MagickCore/profile.c. An attacker can exploit the flaw by persuading a user to open a specially crafted file for conversion. Processing the file triggers a heap use-after-free write, which can crash the application and result in denial of service. Users and administrators should update their ImageMagick installations to protect against this risk.
Affected Version(s)
ImageMagick 7.1.1-10