Lucene search

[email protected]CVE-2020-27766

HistoryDec 04, 2020 - 3:15 p.m.

CVE-2020-27766

2020-12-0415:15:10

CWE-190

[email protected]

web.nvd.nist.gov

204

cve-2020-27766

imagemagick

magickcore

statistic.c

application availability

undefined behavior

security vulnerability

6.8 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

7 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

48.4%

JSON

A flaw was found in ImageMagick in MagickCore/statistic.c. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of values outside the range of type unsigned long. This would most likely lead to an impact to application availability, but could potentially cause other problems related to undefined behavior. This flaw affects ImageMagick versions prior to 7.0.8-69.

Affected configurations

Vulners

NVD

Node

imagemagickimagemagickRange≤7.0.8

VendorProductVersionCPE
imagemagickimagemagick*cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
imagemagick	imagemagick	*	cpe:2.3:a:imagemagick:imagemagick::::::::

CNA Affected

[
  {
    "vendor": "n/a",
    "product": "ImageMagick",
    "versions": [
      {
        "version": "ImageMagick 7.0.8-69",
        "status": "affected"
      }
    ]
  }
]