{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-48541", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2024-08-03T15:17:55.146Z", "dateReserved": "2023-07-23T00:00:00", "datePublished": "2023-08-22T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-03-20T10:05:57.934695"}, "descriptions": [{"lang": "en", "value": "A memory leak in ImageMagick 7.0.10-45 and 6.9.11-22 allows remote attackers to perform a denial of service via the \"identify -help\" command."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/ImageMagick/ImageMagick/issues/2889"}, {"name": "FEDORA-2024-6f8c1d9005", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LICYTADFJAFPZW3Y2MKNCJIUYODPAG4L/"}, {"name": "FEDORA-2024-d23b0f5e76", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YAULDP3GG5KI3XITQ5XSMRSILCBZS2VK/"}, {"name": "[debian-lts-announce] 20240320 [SECURITY] [DLA 3767-1] imagemagick security update", "tags": ["mailing-list"], "url": "https://lists.debian.org/debian-lts-announce/2024/03/msg00020.html"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T15:17:55.146Z"}, "title": "CVE Program Container", "references": [{"url": "https://github.com/ImageMagick/ImageMagick/issues/2889", "tags": ["x_transferred"]}, {"name": "FEDORA-2024-6f8c1d9005", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LICYTADFJAFPZW3Y2MKNCJIUYODPAG4L/"}, {"name": "FEDORA-2024-d23b0f5e76", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YAULDP3GG5KI3XITQ5XSMRSILCBZS2VK/"}, {"name": "[debian-lts-announce] 20240320 [SECURITY] [DLA 3767-1] imagemagick security update", "tags": ["mailing-list", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2024/03/msg00020.html"}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:imagemagick:imagemagick:6.9.11-22:*:*:*:*:*:*:*", "matchCriteriaId": "C5EDF13D-9DE8-4890-82CD-E6977434E531", "vulnerable": true}, {"criteria": "cpe:2.3:a:imagemagick:imagemagick:7.0.10-45:*:*:*:*:*:*:*", "matchCriteriaId": "5B1BCBD9-F6D7-4FFA-9E4D-4DA0D4295CA8", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*", "matchCriteriaId": "CC559B26-5DFC-4B7A-A27C-B77DE755DFF9", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*", "matchCriteriaId": "B8EDB836-4E6A-4B71-B9B2-AA3E03E0F646", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A memory leak in ImageMagick 7.0.10-45 and 6.9.11-22 allows remote attackers to perform a denial of service via the \"identify -help\" command."}, {"lang": "es", "value": "Una p\u00e9rdida de memoria en ImageMagick 7.0.10-45 y 6.9.11-22 permite a atacantes remotos realizar una denegaci\u00f3n de servicio mediante el comando \"identify -help\"."}], "id": "CVE-2022-48541", "lastModified": "2024-03-20T10:15:08.733", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-08-22T19:16:31.443", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Issue Tracking", "Vendor Advisory"], "url": "https://github.com/ImageMagick/ImageMagick/issues/2889"}, {"source": "cve@mitre.org", "url": "https://lists.debian.org/debian-lts-announce/2024/03/msg00020.html"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LICYTADFJAFPZW3Y2MKNCJIUYODPAG4L/"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YAULDP3GG5KI3XITQ5XSMRSILCBZS2VK/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-401"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "ImageMagick: memory leak in identify -help", "id": "2254987", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2254987"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H", "status": "draft"}, "cwe": "CWE-401", "details": ["A memory leak in ImageMagick 7.0.10-45 and 6.9.11-22 allows remote attackers to perform a denial of service via the \"identify -help\" command.", "A flaw was found in ImageMagick, which susceptible to a Missing Release of Memory after the Effective Lifetime vulnerability is triggered by the 'identify -help' command. This issue could allow an attacker to initiate a denial of service attack by inducing a memory leak."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2022-48541", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "ImageMagick", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "ImageMagick", "product_name": "Red Hat Enterprise Linux 7"}], "public_date": "2023-08-22T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-48541\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-48541\nhttps://github.com/ImageMagick/ImageMagick/commit/155ebcd89ccb709522a102868e9d1a14e72d1f82\nhttps://github.com/ImageMagick/ImageMagick/issues/2889\nhttps://github.com/ImageMagick/ImageMagick6/commit/004194253242af71adf5b70e151a7e89bb776eee\nhttps://github.com/advisories/GHSA-g5fw-9pgg-xvqg"], "statement": "The identified flaw in ImageMagick, presenting a \"Missing Release of Memory\" vulnerability triggered by the 'identify -help' command, carries a moderate severity rating due to its potential impact on system stability and resource consumption. While the vulnerability could lead to a denial of service condition by inducing memory leaks, its exploitation requires specific user interaction with the affected command. Furthermore, successful exploitation does not inherently grant unauthorized access or execution of arbitrary code. However, in scenarios where the affected command is publicly accessible or invoked frequently, such as in web applications processing user-uploaded images, the risk of exploitation and consequent disruption to service availability elevates.", "threat_severity": "Moderate", "upstream_fix": "ImageMagick 6.9.11-46, ImageMagick 7.0.10-46"}