CVE-2024-41817 — Uncontrolled Search Path Element in Imagemagick

CWE-427 — Uncontrolled Search Path Element6 documents5 sources

Severity

7.8HIGHNVD

EPSS

18.6%

top 4.73%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Imagemagick Debian Imagemagick

Timeline

PublishedJul 29

Latest updateJan 15

Description

ImageMagick is a free and open-source software suite, used for editing and manipulating digital images. The `AppImage` version `ImageMagick` might use an empty path when setting `MAGICK_CONFIGURE_PATH` and `LD_LIBRARY_PATH` environment variables while executing, which might lead to arbitrary code execution by loading malicious configuration files or shared libraries in the current working directory while executing `ImageMagick`. The vulnerability is fixed in 7.11-36.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages3 packages

▶CVEListV5imagemagick/imagemagick< 7.11-36

▶NVDimagemagick/imagemagick7.0.11-13 — 7.1.1-36

▶debiandebian/imagemagick

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

CVE-2024-41817: ImageMagick is a free and open-source software suite, used for editing and manipulating digital images↗2024-07-29

▶

📋Vendor Advisories

Oracle

Oracle Oracle Communications Risk Matrix: Mediation Engine (ImageMagick) — CVE-2024-41817↗2025-01-15

▶

Oracle

Oracle Oracle Communications Applications Risk Matrix: Core (ImageMagick) — CVE-2024-41817↗2024-10-15

▶

Red Hat

ImageMagick: Possible arbitrary code execution by loading malicious configuration files or shared libraries↗2024-07-27

▶

Debian

CVE-2024-41817: imagemagick - ImageMagick is a free and open-source software suite, used for editing and manip...↗2024

▶