CVE-2006-0082 — Use of Externally-Controlled Format String in Imagemagick

CWE-134 — Use of Externally-Controlled Format String9 documents7 sources

Severity

5.1MEDIUMNVD

OSV7.5

EPSS

3.9%

top 11.74%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Imagemagick Debian Imagemagick

Timeline

PublishedJan 4

Latest updateMay 3

Description

Format string vulnerability in the SetImageInfo function in image.c for ImageMagick 6.2.3 and other versions, and GraphicsMagick, allows user-assisted attackers to cause a denial of service (crash) and possibly execute arbitrary code via a numeric format string specifier such as %d in the file name, a variant of CVE-2005-0397, and as demonstrated using the convert program.

CVSS vector

AV:N/AC:H/C:P/I:P/A:PExploitability: 4.9 | Impact: 6.4

Affected Packages3 packages

▶debiandebian/imagemagick< imagemagick 6:6.2.4.5-0.6 (bookworm)

▶Debianimagemagick/imagemagick< 6:6.2.4.5-0.6+3

▶NVDimagemagick/imagemagick6.2.3

Patches

Patch: patches.sgi.com ↗Patch: secunia.com ↗Patch: secunia.com ↗

🔴Vulnerability Details

GHSA

GHSA-gqwr-p67x-5fff: Format string vulnerability in the SetImageInfo function in image↗2022-05-03

▶

OSV

CVE-2006-0082: Format string vulnerability in the SetImageInfo function in image↗2006-01-04

▶

📋Vendor Advisories

Ubuntu

imagemagick vulnerabilities↗2006-01-25

▶

Red Hat

security flaw↗2006-01-04

▶

Debian

CVE-2006-0082: imagemagick - Format string vulnerability in the SetImageInfo function in image.c for ImageMag...↗2006

▶

💬Community

Bugzilla

CVE-2006-0082 security flaw↗2018-08-16

▶

Bugzilla

CVE-2006-0082 ImageMagick format string vulnerability.↗2006-01-04

▶

Bugzilla

CVE-2006-0082 ImageMagick format string vulnerability. Also CVE-2005-4601, CVE-2006-2440, CVE-2006-3743, CVE-2006-3744, CVE-2006-4144.↗2006-01-04

▶