CVE-2022-44268
Published 2023-02-06
Priority P2 · 62 · medium · 6.5 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
EXPLOIT
EPSS: 89.85% (99.8th percentile)
ImageMagick 7.1.0-49 is vulnerable to Information Disclosure. When it parses a PNG image (e.g., for resize), the resulting image could have embedded the content of an arbitrary file (if the magick binary has permissions to read it).
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | imagemagick | < imagemagick 8:6.9.11.60+dfsg-1.6 (bookworm) | imagemagick 8:6.9.11.60+dfsg-1.6 (bookworm) |
| imagemagick | imagemagick | — | — |
| imagemagick | imagemagick | >= 0 < 8:6.9.11.60+dfsg-1.3+deb11u1 | 8:6.9.11.60+dfsg-1.3+deb11u1 |
| imagemagick | imagemagick | >= 0 < 8:6.9.11.60+dfsg-1.6 | 8:6.9.11.60+dfsg-1.6 |
| imagemagick | imagemagick | >= 0 < 8:6.9.11.60+dfsg-1.6 | 8:6.9.11.60+dfsg-1.6 |
| imagemagick | imagemagick | >= 0 < 8:6.9.11.60+dfsg-1.6 | 8:6.9.11.60+dfsg-1.6 |
Detection & IOCs (extracted from sources)
- Attackers exploit exposed `.git` directories to dump application source code, revealing internal paths, binary locations, and database paths used in subsequent LFI exploitation.
- The vulnerability requires the attacker to upload a specially crafted PNG to an ImageMagick-powered image processing endpoint, then download the resulting image and decode the hex-encoded 'Raw profile type' metadata field to recover the exfiltrated file contents.
- Monitor image upload endpoints for PNG files containing tEXt/zTXt/iTXt chunks with a 'profile' keyword referencing filesystem paths (e.g., /etc/passwd, /var/db/*), which is the payload mechanism for CVE-2022-44268.
- Fixed versions for Debian: bookworm/bullseye/sid/trixie/forky resolved in 8:6.9.11.60+dfsg-1.6 (or 8:6.9.11.60+dfsg-1.3+deb11u1 for bullseye). Presence of ImageMagick older than these versions indicates a vulnerable system.
- Exploitation requires the magick binary to have read permissions on the target file; files unreadable by the ImageMagick process cannot be exfiltrated.
- The PoC at https://github.com/voidz0r/CVE-2022-44268 requires Rust as a pre-requisite to build and run.
- If the server returns an empty 'Raw profile type' field in the output image metadata, the target file either does not exist or is not readable by the ImageMagick process.
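One way to implement the upload check from the list above before a file reaches ImageMagick, as an added example that is not code from any of the quoted sources. It parses the PNG chunk stream and reports tEXt, zTXt and iTXt chunks keyed `profile`; the function names and the choice to flag every chunk with that exact keyword, whatever its value, are assumptions of this sketch.

```python
import struct
import sys
import zlib
from pathlib import Path

PNG_SIG = b"\x89PNG\r\n\x1a\n"
TEXT_CHUNKS = (b"tEXt", b"zTXt", b"iTXt")
MAX_TEXT = 4096  # cap on inflated bytes, so a zlib bomb cannot exhaust memory

def iter_chunks(data):
    """Yield (type, body) per PNG chunk; a truncated final chunk is yielded as-is."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        yield ctype, data[pos + 8:pos + 8 + length]
        pos += 12 + length  # 4 length + 4 type + body + 4 CRC

def inflate(blob):
    try:
        return zlib.decompressobj().decompress(blob, MAX_TEXT)
    except zlib.error:
        return b""

def text_value(ctype, rest):
    if ctype == b"tEXt":  # plain Latin-1 text follows the keyword's NUL
        return rest
    if ctype == b"zTXt":  # 1-byte compression method, then a zlib stream
        return inflate(rest[1:])
    # iTXt: compression flag, method, language NUL, translated keyword NUL, text
    parts = rest[2:].split(b"\0", 2)
    if len(parts) < 3:
        return b""
    return inflate(parts[2]) if rest[0] == 1 else parts[2]

def suspicious_profiles(data):
    """Assumption: any text chunk keyed exactly 'profile' is worth flagging."""
    hits = []
    for ctype, body in iter_chunks(data):
        keyword, sep, rest = body.partition(b"\0")
        if ctype in TEXT_CHUNKS and sep and keyword.lower() == b"profile":
            hits.append((ctype.decode(), text_value(ctype, rest)[:256].decode("latin-1")))
    return hits

if __name__ == "__main__":  # usage: python scan_png.py upload1.png upload2.png
    for p in sys.argv[1:]:
        print(p, suspicious_profiles(Path(p).read_bytes()))
```

An empty result means no such chunk was found; a non-empty result lists the chunk type and the referenced value, which an upload handler can log and reject.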
CVSS provenance
nvd · v3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
osv · 6.5 MEDIUM
vendor_debian · 6.5 MEDIUM
vendor_redhat · 6.5 MEDIUM
Ubuntu
ImageMagick vulnerabilities
vendor_ubuntu·2023-04-17
CVE-2022-44267 ImageMagick vulnerabilities
Title: ImageMagick vulnerabilities
Summary: Several security issues were fixed in ImageMagick.
USN-5855-1 fixed vulnerabilities in ImageMagick. This update provides the
corresponding updates for Ubuntu 14.04 ESM and Ubuntu 16.04 ESM.
Original advisory details:
It was discovered that ImageMagick incorrectly handled certain PNG images.
If a user or automated system were tricked into opening a specially crafted
PNG file, an attacker could use this issue to cause ImageMagick to stop
responding, resulting in a denial of service, or possibly obtain the
contents of arbitrary files by including them into images.
Instructions: In general, a standard system update will make all the necessary changes.
Ubuntu
ImageMagick vulnerabilities
vendor_ubuntu·2023-03-15
CVE-2022-44267 ImageMagick vulnerabilities
Title: ImageMagick vulnerabilities
Summary: Several security issues were fixed in ImageMagick.
USN-5855-1 fixed a vulnerability in ImageMagick. This update provides
the corresponding update for Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, and Ubuntu
22.10.
Original advisory details:
It was discovered that ImageMagick incorrectly handled certain PNG images.
If a user or automated system were tricked into opening a specially crafted
PNG file, an attacker could use this issue to cause ImageMagick to stop
responding, resulting in a denial of service, or possibly obtain the
contents of arbitrary files by including them into images.
Instructions: In general, a standard system update will make all the necessary changes.
Ubuntu
ImageMagick vulnerabilities
vendor_ubuntu·2023-02-09
CVE-2022-44268 ImageMagick vulnerabilities
Title: ImageMagick vulnerabilities
Summary: Several security issues were fixed in ImageMagick.
It was discovered that ImageMagick incorrectly handled certain PNG images.
If a user or automated system were tricked into opening a specially crafted
PNG file, an attacker could use this issue to cause ImageMagick to stop
responding, resulting in a denial of service, or possibly obtain the
contents of arbitrary files by including them into images.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
ImageMagick: vulnerable to Information Disclosure when it parses a PNG image
vendor_redhat·2023-02-06·CVSS 6.5
CVE-2022-44268 [MEDIUM] CWE-200 ImageMagick: vulnerable to Information Disclosure when it parses a PNG image
ImageMagick 7.1.0-49 is vulnerable to Information Disclosure. When it parses a PNG image (e.g., for resize), the resulting image could have embedded the content of an arbitrary file (if the magick binary has permissions to read it).
An information disclosure vulnerability was found in ImageMagick. This flaw allows an attacker to read arbitrary files from a server when parsing an image and happens when the program is parsing a PNG image. If ImageMagick has permission to read other arbitrary files, the resulting image could have been embedded with contents from another file on the machine after the parsing process.
Mitigation: To mitigate the issue, we recommend setting a security policy that is suitable for you
Debian
CVE-2022-44268: imagemagick - ImageMagick 7.1.0-49 is vulnerable to Information Disclosure. When it parses a P...
vendor_debian·2022·CVSS 6.5
CVE-2022-44268 [MEDIUM] CVE-2022-44268: imagemagick - ImageMagick 7.1.0-49 is vulnerable to Information Disclosure. When it parses a P...
ImageMagick 7.1.0-49 is vulnerable to Information Disclosure. When it parses a PNG image (e.g., for resize), the resulting image could have embedded the content of an arbitrary file (if the magick binary has permissions to read it).
Scope: local
bookworm: resolved (fixed in 8:6.9.11.60+dfsg-1.6)
bullseye: resolved (fixed in 8:6.9.11.60+dfsg-1.3+deb11u1)
forky: resolved (fixed in 8:6.9.11.60+dfsg-1.6)
sid: resolved (fixed in 8:6.9.11.60+dfsg-1.6)
trixie: resolved (fixed in 8:6.9.11.60+dfsg-1.6)
OSV
CVE-2022-44268: ImageMagick 7
osv·2023-02-06·CVSS 6.5
CVE-2022-44268 [MEDIUM] CVE-2022-44268: ImageMagick 7
ImageMagick 7.1.0-49 is vulnerable to Information Disclosure. When it parses a PNG image (e.g., for resize), the resulting image could have embedded the content of an arbitrary file (if the magick binary has permissions to read it).
GHSA
GHSA-g5qh-f5rv-grcp: ImageMagick 7
ghsa_unreviewed·2023-02-06
CVE-2022-44268 [MEDIUM] CWE-200 GHSA-g5qh-f5rv-grcp: ImageMagick 7
ImageMagick 7.1.0-49 is vulnerable to Information Disclosure. When it parses a PNG image (e.g., for resize), the resulting image could have embedded the content of an arbitrary file (if the magick binary has permissions to read it).
Suricata
ET EXPLOIT Possible ImageMagick (7.1.0-49) Arbitrary Remote Leak PNG Upload Attempt (CVE-2022-44268)
suricata·2023-02-05·CVSS 6.5
CVE-2022-44268 [MEDIUM] ET EXPLOIT Possible ImageMagick (7.1.0-49) Arbitrary Remote Leak PNG Upload Attempt (CVE-2022-44268)
Rule: alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible ImageMagick (7.1.0-49) Arbitrary Remote Leak PNG Upload Attempt (CVE-2022-44268)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"|89|PNG"; content:"profile|00 2f|"; within:256; fast_pattern; reference:cve,2022-44268; classtype:attempted-user; sid:2044120; rev:2; metadata:attack_target Server, created_at 2023_02_05, cve CVE_2022_44268, deployment Perimeter, deployment Internal, confidence Medium, signature_severity Major, tag Exploit, updated_at 2024_03_08, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_P
CTF
Gambar Ajaib / README
ctf_writeups·2023·CVSS 6.5
CVE-2022-44268 [MEDIUM] Gambar Ajaib / README
# Gambar Ajaib
> This application is designed to process images in a certain format, which can then be conjured with the magical touch of its application.
> There is a story about Indonesian history that is hidden; it is stored very neatly in /rahasia
> Try checking first!
## About the Challenge
A website is provided without the source code, where users can upload PNG image files on the site.
## How to Solve?
This site is vulnerable to CVE-2022-44268, which is an LFI (Local File Inclusion) vulnerability in ImageMagick version 7.1.0-49. This conclusion is drawn from the puzzle name `Gambar Ajaib` and the website's code year being 2022. To exploit this vulnerability, I used a GitHub repository where a tool can generate images containing payloads to read files on the server. Here is
CTF
medium / README
ctf_writeups·CVSS 9.1
[CRITICAL] medium / README
---
layout: default
title: Medium Machines
parent: Machines
nav_order: 2
description: "112+ Medium HTB machine writeups with walkthroughs"
permalink: /machines/medium/
---
# HackTheBox - Medium Machines
> Comprehensive index of retired HTB Medium-difficulty machines with key techniques and attack path summaries.
**Total: 100+ machines** | Sorted roughly by retirement date (newest first)
---
## Machine Index
| # | Machine | OS | Key Techniques | Attack Path Summary | Writeup |
|---|---------|-----|----------------|---------------------|---------|
| 1 | Signed | Linux | Code Signing Bypass, Certificate Abuse | Forge code signature to deploy malicious update, escalate via trusted binary execution | [0xdf](https://0xdf.gitlab.io/2026/02/07/htb-signed.html) |
| 2 | Voleur | Linux | Data E
CTF
Pilgrimage / README
ctf_writeups·CVSS 6.5
CVE-2022-44268 [MEDIUM] Pilgrimage / README
# Pilgrimage - HackTheBox - Writeup
Linux, 20 Base Points, Easy
## TL;DR
To solve this machine, we start by using `nmap` to enumerate open services and find ports `22` and `80`.
***User***: Discovered the presence of `/.git` on the main website, utilized `git-dumper` to clone it, and identified the application's utilization of `magick` for image conversion. Leveraged `CVE-2022-44268` to exploit a Local File Inclusion (LFI) vulnerability, thereby gaining access to the SQLite database. Extracted the password of `emily` from the database.
***Root***: Identified that the user `root` executes a script and employs the utility `binwalk`. Exploited the vulnerability `CVE-2022-4510` to establish a reverse shell.
## Pilgrimage Solution
### User
Let's begin by using `nmap` to scan the targe
CTF
easy / README
ctf_writeups·CVSS 6.0
[MEDIUM] easy / README
---
layout: default
title: Easy Machines
parent: Machines
nav_order: 1
description: "120+ Easy HTB machine writeups with walkthroughs"
permalink: /machines/easy/
---
# HackTheBox Easy Machines - Comprehensive Reference
> Complete catalog of retired HTB Easy machines with OS, key vulnerability, attack path summary, and quality writeup links.
**Total: 100+ Easy Machines** | Updated: April 2026
---
## Quick Navigation
- [Classic / Legacy Machines (2017-2019)](#classic--legacy-machines-2017-2019)
- [2019-2020 Machines](#2019-2020-machines)
- [2021 Machines](#2021-machines)
- [2022 Machines](#2022-machines)
- [2023 Machines](#2023-machines)
- [2024 Machines (Season 4 & 5)](#2024-machines-season-4--5)
- [2025-2026 Machines (Season 6+)](#2025-2026-machines-season-6)
---
## Classic / Legac
CTF
Pilgrimage / README
ctf_writeups
Pilgrimage / README
# Pilgrimage
> Write-up author: jon-brandy
## Lesson learned:
- ImageMagick LFI.
- git-dumper.
- binwalk RCE.
## STEPS:
> PORT SCANNING
```
┌──(brandy㉿bread-yolk)-[~]
└─$ nmap -p- -sVC 10.10.11.219 --min-rate 1000
Starting Nmap 7.93 ( https://nmap.org ) at 2023-09-27 23:37 PDT
Nmap scan report for pilgrimage.htb (10.10.11.219)
Host is up (0.051s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
| 3072 20be60d295f628c1b7e9e81706f168f3 (RSA)
| 256 0eb6a6a8c99b4173746e70180d5fe0af (ECDSA)
|_ 256 d14e293c708669b4d72cc80b486e9804 (ED25519)
80/tcp open http nginx 1.18.0
| http-git:
| 10.10.11.219:80/.git/
| Git repository found!
| Repository description: Unnamed repository; edit th
```
HackerOne
[CVE-2022-44268] Arbitrary Remote Leak via ImageMagick
hackerone·2023-03-16·CVSS 6.5
CVE-2022-44268 [MEDIUM] [CVE-2022-44268] Arbitrary Remote Leak via ImageMagick
[CVE-2022-44268] Arbitrary Remote Leak via ImageMagick
**Summary:**
HackerOne's image upload is using ImageMagick to convert/resize images and is likely updated. Thus, it's vulnerable to CVE-2022-44268.
**Description:**
### Steps To Reproduce
1. Navigate to your profile
2. Edit and upload the attached image (`im-lfi.png`) as your profile picture
3. Save changes and download the resized picture
4. Issue the following command to view the downloaded image's profile data;
```bash
identify -verbose image.png
```
Then, copy the `Raw profile type:` and decode it using any tool or using Python like;
```bash
python -c "print(bytes.fromhex('2c2c2c3a2f72756e2f73797374656d643a2f7573722f7362696e2f6e6f6c6f67696e0a').decode())"
```
I've attached the resized image too which contains the content of /e
- http://packetstormsecurity.com/files/171727/ImageMagick-7.1.0-48-Arbitrary-File-Read.html
- https://imagemagick.org/
- https://lists.debian.org/debian-lts-announce/2023/03/msg00008.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AINSUL2QBKETGYRPA7XSCMJWLUB44M6S/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZZLLS37P67CMBRML6OCG42GPCKGRCJNV/
- https://www.debian.org/security/2023/dsa-5347
- https://www.metabaseq.com/imagemagick-zero-days/