CVE-2021-39212
CVSS V2 Low 3.6
CVSS V3 Low 3.6
Description
ImageMagick is free software delivered as a ready-to-run binary distribution or as source code that you may use, copy, modify, and distribute in both open and proprietary applications. In affected versions and in certain cases, Postscript files could be read and written when specifically excluded by a `module` policy in `policy.xml`. ex. <policy domain="module" rights="none" pattern="PS" />. The issue has been resolved in ImageMagick 7.1.0-7 and in 6.9.12-22. Fortunately, in the wild, few users utilize the `module` policy and instead use the `coder` policy that is also our workaround recommendation: <policy domain="coder" rights="none" pattern="{PS,EPI,EPS,EPSF,EPSI}" />.
Overview
- CVE ID
- CVE-2021-39212
- Assigner
- security-advisories@github.com
- Vulnerability Status
- Analyzed
- Published Version
- 2021-09-13T18:15:23
- Last Modified Date
- 2022-08-05T10:58:29
Weakness Enumerations
CPE Configuration (Product)
| CPE | Vulnerable | Operator | Version Start | Version End |
|---|---|---|---|---|
| cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*:* | 1 | OR | 6.9.12-0 | 6.9.12-22 |
| cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*:* | 1 | OR | 7.1.0-0 | 7.1.0-7 |
CVSS Version 2
- Version
- 2.0
- Vector String
- AV:L/AC:L/Au:N/C:P/I:P/A:N
- Access Vector
- LOCAL
- Access Compatibility
- LOW
- Authentication
- NONE
- Confidentiality Impact
- PARTIAL
- Integrity Impact
- PARTIAL
- Availability Impact
- NONE
- Base Score
- 3.6
- Severity
- LOW
- Exploitability Score
- 3.9
- Impact Score
- 4.9
CVSS Version 3
- Version
- 3.1
- Vector String
- CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
- Attack Vector
- LOCAL
- Attack Compatibility
- HIGH
- Privileges Required
- LOW
- User Interaction
- NONE
- Scope
- UNCHANGED
- Confidentiality Impact
- LOW
- Availability Impact
- NONE
- Base Score
- 3.6
- Base Severity
- LOW
- Exploitability Score
- 1
- Impact Score
- 2.5
References
| Reference URL | Reference Tags |
|---|---|
| https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-qvhr-jj4p-j2qr | Third Party Advisory |
| https://github.com/ImageMagick/ImageMagick/commit/01faddbe2711a4156180c4a92837e2f23683cc68 | Patch Third Party Advisory |
| https://github.com/ImageMagick/ImageMagick/commit/35893e7cad78ce461fcaffa56076c11700ba5e4e | Patch Third Party Advisory |
Sources
| Source Name | Source URL |
|---|---|
| NIST | https://nvd.nist.gov/vuln/detail/CVE-2021-39212 |
| MITRE | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39212 |
History
| Created | Old Value | New Value | Data Type | Notes |
|---|---|---|---|---|
| 2022-05-10 06:53:34 | Added to TrackCVE | |||
| 2022-12-05 10:26:56 | 2021-09-13T18:15Z | 2021-09-13T18:15:23 | CVE Published Date | updated |
| 2022-12-05 10:26:56 | 2022-08-05T10:58:29 | CVE Modified Date | updated | |
| 2022-12-05 10:26:56 | Analyzed | Vulnerability Status | updated |