CVE-2021-3574Missing Release of Memory after Effective Lifetime in Imagemagick

CWE-401Missing Release of Memory after Effective LifetimeCWE-20Improper Input Validation10 documents6 sources
Severity
3.3LOWNVD
OSV5.5
EPSS
0.0%
top 91.38%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
ImagemagickDebian ImagemagickFedoraproject Fedora
Timeline
PublishedAug 26
Latest updateNov 24

Description

A vulnerability was found in ImageMagick-7.0.11-5, where executing a crafted file with the convert command, ASAN detects memory leaks.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:LExploitability: 1.8 | Impact: 1.4

Affected Packages5 packages

debiandebian/imagemagick< imagemagick 8:6.9.11.60+dfsg-1.5 (bookworm)
Debianimagemagick/imagemagick< 8:6.9.11.60+dfsg-1.3+deb11u2+3
Ubuntuimagemagick/imagemagick< 8:6.9.7.4+dfsg-16ubuntu6.14+4
CVEListV5imagemagick/imagemagickFixed in ImageMagick-7.0.11-8, ImageMagick-6.9.12-8

Also affects: Fedora 35, 36, 37

Patches

Patch: github.comPatch: github.comPatch: github.com

🔴Vulnerability Details

4
OSV
imagemagick vulnerabilities2022-11-24
OSV
imagemagick vulnerabilities2022-11-24
GHSA
GHSA-3ccx-358p-c5mm: A vulnerability was found in ImageMagick-72022-08-27
OSV
CVE-2021-3574: A vulnerability was found in ImageMagick-72022-08-26

📋Vendor Advisories

4
Ubuntu
ImageMagick vulnerabilities2022-11-24
Ubuntu
ImageMagick vulnerabilities2022-11-24
Red Hat
ImageMagick: memory leaks with convert command2022-08-26
Debian
CVE-2021-3574: imagemagick - A vulnerability was found in ImageMagick-7.0.11-5, where executing a crafted fil...2021