Lucene search

RedhatCVE-2020-27756

HistoryDec 08, 2020 - 10:15 p.m.

CVE-2020-27756

2020-12-0822:15:18

CWE-369

redhat

web.nvd.nist.gov

133

imagemagick

cve-2020-27756

parsemetageometry

divide-by-zero

undefined behavior

patch

availability

nvd

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:N/I:N/A:P

CVSS3

5.5

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

AI Score

5.7

Confidence

High

EPSS

0.001

Percentile

27.5%

JSON

In ParseMetaGeometry() of MagickCore/geometry.c, image height and width calculations can lead to divide-by-zero conditions which also lead to undefined behavior. This flaw can be triggered by a crafted input file processed by ImageMagick and could impact application availability. The patch uses multiplication in addition to the function PerceptibleReciprocal() in order to prevent such divide-by-zero conditions. This flaw affects ImageMagick versions prior to 7.0.9-0.

Affected configurations

Nvd

Vulners

Node

imagemagickimagemagickRange6.9.9-34–6.9.10-69

imagemagickimagemagickRange7.0.0-0–7.0.9-0

VendorProductVersionCPE
imagemagickimagemagick*cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
imagemagick	imagemagick	*	cpe:2.3:a:imagemagick:imagemagick::::::::

CNA Affected

[
  {
    "vendor": "n/a",
    "product": "ImageMagick",
    "versions": [
      {
        "version": "prior to 7.0.9-0",
        "status": "affected"
      }
    ]
  }
]