CVE-2019-1010174 - Vulnerability Details - OpenCVE

CImg The CImg Library v.2.3.3 and earlier is affected by: command injection. The impact is: RCE. The component is: load_network() function. The attack vector is: Loading an image from a user-controllable url can lead to command injection, because no string sanitization is done on the url. The fixed version is: v.2.3.4.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.13115.

Key SSVC decision points have not yet been added.

Vendors	Products
Cimg	Cimg Library
Debian	Debian Linux

Configuration 1 [-]

cpe:2.3:a:cimg:cimg_library:*:*:*:*:*:*:*:*

Configuration 2 [-]

OR	cpe:2.3:o:debian:debian_linux:8.0:::::::*
	cpe:2.3:o:debian:debian_linux:9.0:::::::*

No data.

No data.

Advisories

Source	ID	Title
Debian DLA	DLA-1934-1	cimg security update
Debian DLA	DLA-2421-1	cimg security update

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://framagit.org/dtschump/CImg/commit/5ce7a426b77f814973e56182a0e76a2b04904146
https://lists.debian.org/debian-lts-announce/2019/09/msg00030.html
https://lists.debian.org/debian-lts-announce/2020/10/msg00033.html

History

No history.

MITRE

Status: PUBLISHED

Assigner: dwf

Published: 2019-07-25T13:12:03

Updated: 2024-08-05T03:07:18.472Z

Reserved: 2019-03-20T00:00:00

Link: CVE-2019-1010174

Vulnrichment

No data.

NVD

Status : Modified

Published: 2019-07-25T14:15:11.560

Modified: 2024-11-21T04:18:01.193

Link: CVE-2019-1010174

Redhat

No data.

OpenCVE Enrichment

No data.

{"containers": {"cna": {"affected": [{"product": "The CImg Library", "vendor": "CImg", "versions": [{"status": "affected", "version": "v.2.3.3 and earlier [fixed: v.2.3.4]"}]}], "descriptions": [{"lang": "en", "value": "CImg The CImg Library v.2.3.3 and earlier is affected by: command injection. The impact is: RCE. The component is: load_network() function. The attack vector is: Loading an image from a user-controllable url can lead to command injection, because no string sanitization is done on the url. The fixed version is: v.2.3.4."}], "problemTypes": [{"descriptions": [{"description": "command injection", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-10-30T18:06:12", "orgId": "7556d962-6fb7-411e-85fa-6cd62f095ba8", "shortName": "dwf"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://framagit.org/dtschump/CImg/commit/5ce7a426b77f814973e56182a0e76a2b04904146"}, {"name": "[debian-lts-announce] 20190928 [SECURITY] [DLA 1934-1] cimg security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2019/09/msg00030.html"}, {"name": "[debian-lts-announce] 20201030 [SECURITY] [DLA 2421-1] cimg security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2020/10/msg00033.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve-assign@distributedweaknessfiling.org", "ID": "CVE-2019-1010174", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "The CImg Library", "version": {"version_data": [{"version_value": "v.2.3.3 and earlier [fixed: v.2.3.4]"}]}}]}, "vendor_name": "CImg"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "CImg The CImg Library v.2.3.3 and earlier is affected by: command injection. The impact is: RCE. The component is: load_network() function. The attack vector is: Loading an image from a user-controllable url can lead to command injection, because no string sanitization is done on the url. The fixed version is: v.2.3.4."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "command injection"}]}]}, "references": {"reference_data": [{"name": "https://framagit.org/dtschump/CImg/commit/5ce7a426b77f814973e56182a0e76a2b04904146", "refsource": "MISC", "url": "https://framagit.org/dtschump/CImg/commit/5ce7a426b77f814973e56182a0e76a2b04904146"}, {"name": "[debian-lts-announce] 20190928 [SECURITY] [DLA 1934-1] cimg security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2019/09/msg00030.html"}, {"name": "[debian-lts-announce] 20201030 [SECURITY] [DLA 2421-1] cimg security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2020/10/msg00033.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T03:07:18.472Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://framagit.org/dtschump/CImg/commit/5ce7a426b77f814973e56182a0e76a2b04904146"}, {"name": "[debian-lts-announce] 20190928 [SECURITY] [DLA 1934-1] cimg security update", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2019/09/msg00030.html"}, {"name": "[debian-lts-announce] 20201030 [SECURITY] [DLA 2421-1] cimg security update", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2020/10/msg00033.html"}]}]}, "cveMetadata": {"assignerOrgId": "7556d962-6fb7-411e-85fa-6cd62f095ba8", "assignerShortName": "dwf", "cveId": "CVE-2019-1010174", "datePublished": "2019-07-25T13:12:03", "dateReserved": "2019-03-20T00:00:00", "dateUpdated": "2024-08-05T03:07:18.472Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:cimg:cimg_library:*:*:*:*:*:*:*:*", "matchCriteriaId": "5F53533B-51C7-48E3-AC3B-6CA1807E6E71", "versionEndExcluding": "2.3.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "CImg The CImg Library v.2.3.3 and earlier is affected by: command injection. The impact is: RCE. The component is: load_network() function. The attack vector is: Loading an image from a user-controllable url can lead to command injection, because no string sanitization is done on the url. The fixed version is: v.2.3.4."}, {"lang": "es", "value": "CImg la librer\u00eda CImg versi\u00f3n v.2.3.3 y versiones anteriores se ven afectadas por: inyecci\u00f3n de comando. El impacto es: RCE. El componente es: funci\u00f3n load_network(). El vector de ataque es: Cargar una imagen desde una url controlable por el usuario puede llevar a una inyecci\u00f3n de comando, porque no se realiza el saneamiento de la cadena en la url. La versi\u00f3n corregida es: v.2.3.4."}], "id": "CVE-2019-1010174", "lastModified": "2024-11-21T04:18:01.193", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-07-25T14:15:11.560", "references": [{"source": "josh@bress.net", "tags": ["Patch", "Third Party Advisory"], "url": "https://framagit.org/dtschump/CImg/commit/5ce7a426b77f814973e56182a0e76a2b04904146"}, {"source": "josh@bress.net", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2019/09/msg00030.html"}, {"source": "josh@bress.net", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2020/10/msg00033.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://framagit.org/dtschump/CImg/commit/5ce7a426b77f814973e56182a0e76a2b04904146"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2019/09/msg00030.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2020/10/msg00033.html"}], "sourceIdentifier": "josh@bress.net", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-77"}], "source": "nvd@nist.gov", "type": "Primary"}]}