OpenCVE

A memory leak in ImageMagick 7.0.10-45 and 6.9.11-22 allows remote attackers to perform a denial of service via the "identify -help" command.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Fedoraproject	Fedora
Imagemagick	Imagemagick

Configuration 1 [-]

OR	cpe:2.3:a:imagemagick:imagemagick:6.9.11-22:::::::*
	cpe:2.3:a:imagemagick:imagemagick:7.0.10-45:::::::*

Configuration 2 [-]

OR	cpe:2.3:o:fedoraproject:fedora:38:::::::*
	cpe:2.3:o:fedoraproject:fedora:39:::::::*

No data.

References

Link	Providers
https://github.com/ImageMagick/ImageMagick/commit/155ebcd89ccb709522a102868e9d1a14e72d1f82
https://github.com/ImageMagick/ImageMagick/issues/2889
https://github.com/ImageMagick/ImageMagick6/commit/004194253242af71adf5b70e151a7e89bb776eee
https://github.com/advisories/GHSA-g5fw-9pgg-xvqg
https://lists.debian.org/debian-lts-announce/2024/03/msg00020.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LICYTADFJAFPZW3Y2MKNCJIUYODPAG4L/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YAULDP3GG5KI3XITQ5XSMRSILCBZS2VK/
https://nvd.nist.gov/vuln/detail/CVE-2022-48541
https://www.cve.org/CVERecord?id=CVE-2022-48541

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2023-08-22T00:00:00

Updated: 2024-08-03T15:17:55.146Z

Reserved: 2023-07-23T00:00:00

Link: CVE-2022-48541

Vulnrichment

No data.

NVD

Status : Modified

Published: 2023-08-22T19:16:31.443

Modified: 2024-11-21T07:33:29.937

Link: CVE-2022-48541

Redhat

Severity : Moderate

Publid Date: 2023-08-22T00:00:00Z

Links: CVE-2022-48541 - Bugzilla

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-48541", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2024-08-03T15:17:55.146Z", "dateReserved": "2023-07-23T00:00:00", "datePublished": "2023-08-22T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-03-20T10:05:57.934695"}, "descriptions": [{"lang": "en", "value": "A memory leak in ImageMagick 7.0.10-45 and 6.9.11-22 allows remote attackers to perform a denial of service via the \"identify -help\" command."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/ImageMagick/ImageMagick/issues/2889"}, {"name": "FEDORA-2024-6f8c1d9005", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LICYTADFJAFPZW3Y2MKNCJIUYODPAG4L/"}, {"name": "FEDORA-2024-d23b0f5e76", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YAULDP3GG5KI3XITQ5XSMRSILCBZS2VK/"}, {"name": "[debian-lts-announce] 20240320 [SECURITY] [DLA 3767-1] imagemagick security update", "tags": ["mailing-list"], "url": "https://lists.debian.org/debian-lts-announce/2024/03/msg00020.html"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T15:17:55.146Z"}, "title": "CVE Program Container", "references": [{"url": "https://github.com/ImageMagick/ImageMagick/issues/2889", "tags": ["x_transferred"]}, {"name": "FEDORA-2024-6f8c1d9005", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LICYTADFJAFPZW3Y2MKNCJIUYODPAG4L/"}, {"name": "FEDORA-2024-d23b0f5e76", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YAULDP3GG5KI3XITQ5XSMRSILCBZS2VK/"}, {"name": "[debian-lts-announce] 20240320 [SECURITY] [DLA 3767-1] imagemagick security update", "tags": ["mailing-list", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2024/03/msg00020.html"}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:imagemagick:imagemagick:6.9.11-22:*:*:*:*:*:*:*", "matchCriteriaId": "C5EDF13D-9DE8-4890-82CD-E6977434E531", "vulnerable": true}, {"criteria": "cpe:2.3:a:imagemagick:imagemagick:7.0.10-45:*:*:*:*:*:*:*", "matchCriteriaId": "5B1BCBD9-F6D7-4FFA-9E4D-4DA0D4295CA8", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*", "matchCriteriaId": "CC559B26-5DFC-4B7A-A27C-B77DE755DFF9", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*", "matchCriteriaId": "B8EDB836-4E6A-4B71-B9B2-AA3E03E0F646", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A memory leak in ImageMagick 7.0.10-45 and 6.9.11-22 allows remote attackers to perform a denial of service via the \"identify -help\" command."}, {"lang": "es", "value": "Una p\u00e9rdida de memoria en ImageMagick 7.0.10-45 y 6.9.11-22 permite a atacantes remotos realizar una denegaci\u00f3n de servicio mediante el comando \"identify -help\"."}], "id": "CVE-2022-48541", "lastModified": "2024-11-21T07:33:29.937", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-08-22T19:16:31.443", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Issue Tracking", "Vendor Advisory"], "url": "https://github.com/ImageMagick/ImageMagick/issues/2889"}, {"source": "cve@mitre.org", "url": "https://lists.debian.org/debian-lts-announce/2024/03/msg00020.html"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LICYTADFJAFPZW3Y2MKNCJIUYODPAG4L/"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YAULDP3GG5KI3XITQ5XSMRSILCBZS2VK/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Issue Tracking", "Vendor Advisory"], "url": "https://github.com/ImageMagick/ImageMagick/issues/2889"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2024/03/msg00020.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LICYTADFJAFPZW3Y2MKNCJIUYODPAG4L/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YAULDP3GG5KI3XITQ5XSMRSILCBZS2VK/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-401"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "ImageMagick: memory leak in identify -help", "id": "2254987", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2254987"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H", "status": "draft"}, "cwe": "CWE-401", "details": ["A memory leak in ImageMagick 7.0.10-45 and 6.9.11-22 allows remote attackers to perform a denial of service via the \"identify -help\" command.", "A flaw was found in ImageMagick, which susceptible to a Missing Release of Memory after the Effective Lifetime vulnerability is triggered by the 'identify -help' command. This issue could allow an attacker to initiate a denial of service attack by inducing a memory leak."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2022-48541", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "ImageMagick", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "ImageMagick", "product_name": "Red Hat Enterprise Linux 7"}], "public_date": "2023-08-22T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-48541\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-48541\nhttps://github.com/ImageMagick/ImageMagick/commit/155ebcd89ccb709522a102868e9d1a14e72d1f82\nhttps://github.com/ImageMagick/ImageMagick/issues/2889\nhttps://github.com/ImageMagick/ImageMagick6/commit/004194253242af71adf5b70e151a7e89bb776eee\nhttps://github.com/advisories/GHSA-g5fw-9pgg-xvqg"], "statement": "The identified flaw in ImageMagick, presenting a \"Missing Release of Memory\" vulnerability triggered by the 'identify -help' command, carries a moderate severity rating due to its potential impact on system stability and resource consumption. While the vulnerability could lead to a denial of service condition by inducing memory leaks, its exploitation requires specific user interaction with the affected command. Furthermore, successful exploitation does not inherently grant unauthorized access or execution of arbitrary code. However, in scenarios where the affected command is publicly accessible or invoked frequently, such as in web applications processing user-uploaded images, the risk of exploitation and consequent disruption to service availability elevates.", "threat_severity": "Moderate", "upstream_fix": "ImageMagick 6.9.11-46, ImageMagick 7.0.10-46"}