Vulnerabilities > CVE-2021-39212 - Exposure of Resource to Wrong Sphere vulnerability in Imagemagick

CVSS 3.6 - LOW

Attack vector

LOCAL

Attack complexity

HIGH

Privileges required

LOW

Confidentiality impact

LOW

Integrity impact

LOW

Availability impact

NONE

local

high complexity

imagemagick

CWE-668

NVD

Published: 2021-09-13

Updated: 2023-05-22

Summary

ImageMagick is free software delivered as a ready-to-run binary distribution or as source code that you may use, copy, modify, and distribute in both open and proprietary applications. In affected versions and in certain cases, Postscript files could be read and written when specifically excluded by a `module` policy in `policy.xml`. ex. <policy domain="module" rights="none" pattern="PS" />. The issue has been resolved in ImageMagick 7.1.0-7 and in 6.9.12-22. Fortunately, in the wild, few users utilize the `module` policy and instead use the `coder` policy that is also our workaround recommendation: <policy domain="coder" rights="none" pattern="{PS,EPI,EPS,EPSF,EPSI}" />.

Vulnerable Configurations

Part	Description	Count
Application	Imagemagick Imagemagick Imagemagick 7.1.0-0 Imagemagick Imagemagick 7.1.0-1 Imagemagick Imagemagick 7.1.0-2 Imagemagick Imagemagick 7.1.0-3 Imagemagick Imagemagick 7.1.0-4 Imagemagick Imagemagick 7.1.0-5 Imagemagick Imagemagick 7.1.0-6 Imagemagick Imagemagick 6.9.12-0 Imagemagick Imagemagick 6.9.12-1 Imagemagick Imagemagick 6.9.12-2 Imagemagick Imagemagick 6.9.12-3 Imagemagick Imagemagick 6.9.12-4 Imagemagick Imagemagick 6.9.12-5 Imagemagick Imagemagick 6.9.12-6 Imagemagick Imagemagick 6.9.12-7 Imagemagick Imagemagick 6.9.12-8 Imagemagick Imagemagick 6.9.12-9	17

Common Weakness Enumeration (CWE)

CWE-668 - Exposure of Resource to Wrong Sphere

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

References