Lucene search

[email protected]NVD:CVE-2020-27761

HistoryDec 03, 2020 - 5:15 p.m.

CVE-2020-27761

2020-12-0317:15:12

CWE-190

[email protected]

web.nvd.nist.gov

imagemagick

writepalmimage

undefined behavior

patch

red hat

low severity

application availability

vulnerability

crafted input

imagemagick 7.0.9-0

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:N/I:N/A:P

CVSS3

3.3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

AI Score

4.2

Confidence

High

EPSS

0.001

Percentile

34.8%

JSON

WritePALMImage() in /coders/palm.c used size_t casts in several areas of a calculation which could lead to values outside the range of representable type unsigned long undefined behavior when a crafted input file was processed by ImageMagick. The patch casts to ssize_t instead to avoid this issue. Red Hat Product Security marked the Severity as Low because although it could potentially lead to an impact to application availability, no specific impact was shown in this case. This flaw affects ImageMagick versions prior to ImageMagick 7.0.9-0.

Affected configurations

Nvd

Node

imagemagickimagemagickRange<6.9.10-69

imagemagickimagemagickRange7.0.0-0–7.0.9-0

Node

debiandebian_linuxMatch9.0

VendorProductVersionCPE
imagemagickimagemagick*cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*:*
debiandebian_linux9.0cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*