
Researchers Uncover New Bugs in Popular ImageMagick Image Processing Utility
2023-02-01 19:59

Cybersecurity researchers have disclosed details of two security flaws in the open source ImageMagick software that could potentially lead to denial-of-service (DoS) and information disclosure.

The two issues, which were identified by Latin American cybersecurity firm Metabase Q in version 7.1.0-49, were addressed in ImageMagick version 7.1.0-52, released in November 2022.

To weaponize the flaws remotely, however, an attacker must be able to upload a malicious image to a website that uses ImageMagick.

"If the specified filename is '-', ImageMagick will try to read the content from standard input potentially leaving the process waiting forever," the researchers said in a report shared with The Hacker News.

In the same manner, if the filename refers to an actual file located on the server, an image processing operation carried out on the input could potentially embed the contents of that file once the operation is complete.

In May 2016, multiple flaws were disclosed in the software, one of which, dubbed ImageTragick, could have been abused to gain remote code execution when processing user-submitted images.


News URL

https://thehackernews.com/2023/02/researchers-uncover-new-bugs-in-popular.html

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Imagemagick 3 28 479 121 14 642