XML injection in ImageMagick



Published: 2020-12-13
Risk: High
Patch available: YES
Number of vulnerabilities: 1
CVE-ID: CVE-2020-29599
CWE-ID: CWE-91
Exploitation vector: Network
Public exploit: N/A
Vulnerable software: ImageMagick (Client/Desktop applications / Multimedia software)
Vendor: ImageMagick.org

Security Bulletin

This security bulletin contains one high risk vulnerability.

1) XML injection

EUVDB-ID: #VU48940

Risk: High

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-29599

CWE-ID: CWE-91 - XML Injection

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

ImageMagick before 6.9.11-40 and 7.x before 7.0.10-40 mishandles the -authenticate option, which allows setting a password for password-protected PDF files. The user-controlled password was not properly escaped/sanitized and it was therefore possible to inject additional shell commands via coders/pdf.c.

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

ImageMagick: 6.9.0-0, 6.9.0-1, 6.9.0-2, 6.9.0-3, 6.9.0-4, 6.9.0-5, 6.9.0-6, 6.9.0-7, 6.9.0-8, 6.9.0-9, 6.9.0-10, 6.9.1-0, 6.9.1-1, 6.9.1-2, 6.9.1-3, 6.9.1-4, 6.9.1-5, 6.9.1-6, 6.9.1-7, 6.9.1-8, 6.9.1-9, 6.9.1-10, 6.9.2-0, 6.9.2-1, 6.9.2-2, 6.9.2-3, 6.9.2-4, 6.9.2-5, 6.9.2-6, 6.9.2-7, 6.9.2-8, 6.9.2-9, 6.9.2-10, 6.9.3-0, 6.9.3-1, 6.9.3-2, 6.9.3-3, 6.9.3-4, 6.9.3-5, 6.9.3-6, 6.9.3-7, 6.9.3-8, 6.9.3-9, 6.9.3-10, 6.9.4-0, 6.9.4-2, 6.9.4-3, 6.9.4-4, 6.9.4-6, 6.9.4-7, 6.9.4-8, 6.9.4-9, 6.9.5-0, 6.9.5-2, 6.9.5-3, 6.9.5-4, 6.9.5-5, 6.9.5-7, 6.9.5-8, 6.9.6-2, 6.9.6-3, 6.9.6.6, 6.9.7, 6.9.7-0, 6.9.7-1, 6.9.7-2, 6.9.7-3, 6.9.7-6, 6.9.7-10, 6.9.8-10, 6.9.9-0, 6.9.9-3, 6.9.9-4, 7.0.0-0, 7.0.1-0, 7.0.1-1, 7.0.1-2, 7.0.1-3, 7.0.1-4, 7.0.1-5, 7.0.1-6, 7.0.1-7, 7.0.1-8, 7.0.1-9, 7.0.1-10, 7.0.2-0, 7.0.2-1, 7.0.2-2, 7.0.2-3, 7.0.2-4, 7.0.2-5, 7.0.2-6, 7.0.2-7, 7.0.2-8, 7.0.2-9, 7.0.2-10, 7.0.3-0, 7.0.3-1, 7.0.3-2, 7.0.3-3, 7.0.3-4, 7.0.3-5, 7.0.3-6, 7.0.3-7, 7.0.3-8, 7.0.3-9, 7.0.3-10, 7.0.4-0, 7.0.4-1, 7.0.4-2, 7.0.4-3, 7.0.4-4, 7.0.4-5, 7.0.4-6, 7.0.4-7, 7.0.4-8, 7.0.4-9, 7.0.4-10, 7.0.5-0, 7.0.5-1, 7.0.5-2, 7.0.5-3, 7.0.5-4, 7.0.5-5, 7.0.5-6, 7.0.5-7, 7.0.5-8, 7.0.5-8 Q16, 7.0.5-9, 7.0.5-10, 7.0.6, 7.0.6-0, 7.0.6-1, 7.0.6-2, 7.0.6-3, 7.0.6-4, 7.0.6-5, 7.0.6-6, 7.0.6-7, 7.0.6-8, 7.0.6-9, 7.0.6-10, 7.0.7, 7.0.7-0, 7.0.7-0 Q16, 7.0.7-1, 7.0.7-1 Q16, 7.0.7-2, 7.0.7-3, 7.0.7-4, 7.0.7-5, 7.0.7-6, 7.0.7-7, 7.0.7-8, 7.0.7-9, 7.0.7-10, 7.0.7-11, 7.0.7-12, 7.0.7-12 Q16, 7.0.7-13, 7.0.7-14, 7.0.7-15, 7.0.7-16, 7.0.7-16 Q16, 7.0.7-17, 7.0.7-17 Q16, 7.0.7-18, 7.0.7-19, 7.0.7-20, 7.0.7-21, 7.0.7-22, 7.0.7-23, 7.0.7-23 Q16, 7.0.7-24, 7.0.7-24 Q16, 7.0.7-25, 7.0.7-25 Q16, 7.0.7-26, 7.0.7-27, 7.0.7-28, 7.0.7-29, 7.0.7-30, 7.0.7-31, 7.0.7-32, 7.0.7-33, 7.0.7-34, 7.0.7-35, 7.0.7-36, 7.0.7-37, 7.0.7-38, 7.0.7-39, 7.0.7.7, 7.0.8-0, 7.0.8-1, 7.0.8-2, 7.0.8-3, 7.0.8-4, 7.0.8-5, 7.0.8-6, 7.0.8-7, 7.0.8-8, 7.0.8-9, 7.0.8-10, 7.0.8-11, 7.0.8-12, 7.0.8-13, 7.0.8-14, 7.0.8-15, 7.0.8-16, 7.0.8-17, 7.0.8-18, 
7.0.8-19, 7.0.8-20, 7.0.8-21, 7.0.8-22, 7.0.8-23, 7.0.8-24, 7.0.8-25, 7.0.8-26, 7.0.8-27, 7.0.8-28, 7.0.8-29, 7.0.8-30, 7.0.8-31, 7.0.8-32, 7.0.8-33, 7.0.8-34, 7.0.8-35, 7.0.8-36, 7.0.8-37, 7.0.8-38, 7.0.8-39, 7.0.8-40, 7.0.8-41, 7.0.8-41 Q16, 7.0.8-42, 7.0.8-43, 7.0.8-43 Q16, 7.0.8-44, 7.0.8-45, 7.0.8-46, 7.0.8-47, 7.0.8-48, 7.0.8-49, 7.0.8-50, 7.0.8-50 Q16, 7.0.8-51, 7.0.8-52, 7.0.8-53, 7.0.8-54, 7.0.8-54 Q16, 7.0.8-55, 7.0.8-56, 7.0.8-57, 7.0.8-58, 7.0.8-59, 7.0.8-60, 7.0.8-61, 7.0.8-62, 7.0.8-63, 7.0.8-64, 7.0.8-65, 7.0.8-66, 7.0.8-67, 7.0.8-68, 7.0.9, 7.0.9-0, 7.0.9-1, 7.0.9-2, 7.0.9-4, 7.0.9-5, 7.0.9-6, 7.0.9-7, 7.0.9-8, 7.0.9-9, 7.0.9-10, 7.0.9-11, 7.0.9-12, 7.0.9-13, 7.0.9-14, 7.0.9-15, 7.0.9-16, 7.0.9-17, 7.0.9-18, 7.0.9-19, 7.0.9-20, 7.0.9-21, 7.0.9-22, 7.0.9-23, 7.0.9-24, 7.0.9-25, 7.0.9-26, 7.0.9-27, 7.0.10-0, 7.0.10-1, 7.0.10-2, 7.0.10-3, 7.0.10-4, 7.0.10-5, 7.0.10-6, 7.0.10-7, 7.0.10-8, 7.0.10-9, 7.0.10-10, 7.0.10-11, 7.0.10-12, 7.0.10-13, 7.0.10-14, 7.0.10-15, 7.0.10-16, 7.0.10-17, 7.0.10-18, 7.0.10-19, 7.0.10-20, 7.0.10-21, 7.0.10-22, 7.0.10-23, 7.0.10-24, 7.0.10-25, 7.0.10-26, 7.0.10-27, 7.0.10-28, 7.0.10-29, 7.0.10-30, 7.0.10-31, 7.0.10-32, 7.0.10-33, 7.0.10-34, 7.0.10-35, 7.0.10-36, 7.0.10-37, 7.0.10-38, 7.0.10-39
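
To decide which hosts need the update, the version cut-offs stated in the description (before 6.9.11-40, and 7.x before 7.0.10-40) can be checked against the banner each host's ImageMagick prints for `-version`. The following is an added example, not code from the bulletin or from ImageMagick; the host names and banners are constructed sample data, and the function names are hypothetical.

```python
import re

# Fixed releases named in the bulletin text.
FIXED_6 = (6, 9, 11, 40)
FIXED_7 = (7, 0, 10, 40)

# Matches "7.0.10-34", with or without the "ImageMagick " prefix of `-version` output.
VERSION_RE = re.compile(r"(?:ImageMagick\s+)?(\d+)\.(\d+)\.(\d+)(?:-(\d+))?")

# Constructed sample inventory: hypothetical host -> first line of `-version` output.
SAMPLE_INVENTORY = {
    "img-worker-1": "Version: ImageMagick 7.0.10-34 Q16 x86_64 https://imagemagick.org",
    "img-worker-2": "Version: ImageMagick 6.9.11-40 Q16 x86_64 https://imagemagick.org",
    "img-worker-3": "Version: ImageMagick 7.0.10-40 Q16 x86_64 https://imagemagick.org",
    "legacy-box": "Version: ImageMagick 6.9.7-4 Q16 x86_64 http://www.imagemagick.org",
    "thumb-svc": "convert: command not found",
}

def parse_version(text):
    """Return (major, minor, micro, patch), or None if no version is present."""
    m = VERSION_RE.search(text)
    if m is None:
        return None
    # A release written without "-N" (e.g. "6.9.7") is treated as patch level 0.
    return tuple(int(g or 0) for g in m.groups())

def classify(banner):
    """Return 'vulnerable', 'fixed' or 'unknown' for one banner line."""
    version = parse_version(banner)
    # Unreadable banners and majors the bulletin does not cover are never
    # reported as safe; they need a manual look.
    if version is None or version[0] > 7:
        return "unknown"
    fixed = FIXED_7 if version[0] == 7 else FIXED_6
    return "vulnerable" if version < fixed else "fixed"

def triage(inventory):
    """Group host names by classification, in sorted host order."""
    result = {"vulnerable": [], "fixed": [], "unknown": []}
    for host, banner in sorted(inventory.items()):
        result[classify(banner)].append(host)
    return result

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```
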

External links

http://github.com/ImageMagick/ImageMagick/discussions/2851
http://insert-script.blogspot.com/2020/11/imagemagick-shell-injection-via-pdf.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


