CVE-2020-27752 — Heap-based Buffer Overflow in Imagemagick

CWE-122 — Heap-based Buffer Overflow CWE-787 — Out-of-bounds Write6 documents6 sources

Severity

7.1HIGHNVD

EPSS

0.3%

top 44.87%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Imagemagick Debian Imagemagick

Timeline

PublishedDec 8

Latest updateMay 24

Description

A flaw was found in ImageMagick in MagickCore/quantum-private.h. An attacker who submits a crafted file that is processed by ImageMagick could trigger a heap buffer overflow. This would most likely lead to an impact to application availability, but could potentially lead to an impact to data integrity as well. This flaw affects ImageMagick versions prior to 7.0.9-0.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:HExploitability: 2.8 | Impact: 4.2

Affected Packages4 packages

▶debiandebian/imagemagick< imagemagick 8:6.9.11.24+dfsg-1 (bookworm)

▶NVDimagemagick/imagemagick7.0.0-0 — 7.0.9-0+1

▶Debianimagemagick/imagemagick< 8:6.9.11.24+dfsg-1+3

▶CVEListV5imagemagick/imagemagickprior to 7.0.9-0

Patches

Patch: bugzilla.redhat.com ↗Patch: bugzilla.redhat.com ↗

🔴Vulnerability Details

GHSA

GHSA-8h84-r7fq-5pcm: A flaw was found in ImageMagick in MagickCore/quantum-private↗2022-05-24

▶

OSV

CVE-2020-27752: A flaw was found in ImageMagick in MagickCore/quantum-private↗2020-12-08

▶

📋Vendor Advisories

Debian

CVE-2020-27752: imagemagick - A flaw was found in ImageMagick in MagickCore/quantum-private.h. An attacker who...↗2020

▶

Red Hat

ImageMagick: heap-based buffer overflow in PopShortPixel in MagickCore/quantum-private.h↗2019-10-04

▶

💬Community

Bugzilla

CVE-2020-27752 ImageMagick: heap-based buffer overflow in PopShortPixel in MagickCore/quantum-private.h↗2020-11-03

▶