#VU64947 Integer overflow in ImageMagick


Published: 2022-07-06 | Updated: 2022-07-06

Vulnerability identifier: #VU64947

Vulnerability risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-32545

CWE-ID: CWE-190

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
ImageMagick
Client/Desktop applications / Multimedia software

Vendor: ImageMagick.org

Description

The vulnerability allows a remote attacker to perform a denial of service attack. 

The vulnerability exists due to integer overflow in coders/psd.c in the ImageMagick when processing crafted or untrusted input. A remote attacker can trick the victim into opening a specially crafted file and perform a denial of service attack. 

Mitigation
Install updates from vendor's website.

Vulnerable software versions

ImageMagick: 7.1.0-0 - 7.1.0-27, 6.9.12-0 - 6.9.12-42

External links
http://bugzilla.redhat.com/show_bug.cgi?id=2091811
http://github.com/ImageMagick/ImageMagick/commit/9c9a84cec4ab28ee0b57c2b9266d6fbe68183512
http://github.com/ImageMagick/ImageMagick6/commit/450949ed017f009b399c937cf362f0058eacc5fa

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


SUSE update for ImageMagick
Ubuntu update for imagemagick
Amazon Linux AMI update for ImageMagick
Cloud Foundry Foundation cflinuxfs3 update for ImageMagick
Ubuntu update for imagemagick
Ubuntu update for imagemagick
SUSE update for ImageMagick
SUSE update for ImageMagick
SUSE update for ImageMagick
Denial of service in ImageMagick