CVE-2021-39212 : ImageMagick is free software delivered as a ready-to-run binary distribution or

ImageMagick is free software delivered as a ready-to-run binary distribution or as source code that you may use, copy, modify, and distribute in both open and proprietary applications. In affected versions and in certain cases, Postscript files could be read and written when specifically excluded by a `module` policy in `policy.xml`. ex. <policy domain="module" rights="none" pattern="PS" />. The issue has been resolved in ImageMagick 7.1.0-7 and in 6.9.12-22. Fortunately, in the wild, few users utilize the `module` policy and instead use the `coder` policy that is also our workaround recommendation: <policy domain="coder" rights="none" pattern="{PS,EPI,EPS,EPSF,EPSI}" />.

Published 2021-09-13 18:15:24

Updated 2023-05-22 02:15:11

Source GitHub, Inc.

View at NVD, CVE.org

Products affected by CVE-2021-39212

Imagemagick » Imagemagick
Versions from including (>=) 7.1.0-0 and before (<) 7.1.0-7
cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*:*
Matching versions
Imagemagick » Imagemagick
Versions from including (>=) 6.9.12-0 and before (<) 6.9.12-22
cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2021-39212

EPSS FAQ

0.02%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 4 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2021-39212

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
3.6	LOW	AV:L/AC:L/Au:N/C:P/I:P/A:N	3.9	4.9	NIST
Access Vector: Local Access Complexity: Low Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: None
3.6	LOW	CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N	1.0	2.5	NIST
Attack Vector: Local Attack Complexity: High Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: Low Integrity: Low Availability: None
4.4	MEDIUM	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N	1.8	2.5	GitHub, Inc.
Attack Vector: Local Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: Low Integrity: Low Availability: None

CWE ids for CVE-2021-39212

CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.

Assigned by: nvd@nist.gov (Secondary)
CWE-668 Exposure of Resource to Wrong Sphere

The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.

Assigned by: security-advisories@github.com (Primary)

References for CVE-2021-39212

https://lists.debian.org/debian-lts-announce/2023/05/msg00020.html

[SECURITY] [DLA 3429-1] imagemagick security update

CVEs referencing this url
https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-qvhr-jj4p-j2qr

Possible Security Issue when Configuring the ImageMagick Security Policy · Advisory · ImageMagick/ImageMagick · GitHub
Third Party Advisory
https://github.com/ImageMagick/ImageMagick/commit/35893e7cad78ce461fcaffa56076c11700ba5e4e

Added missing policy checks in RegisterStaticModules. · ImageMagick/ImageMagick@35893e7 · GitHub
Patch;Third Party Advisory
https://github.com/ImageMagick/ImageMagick/commit/01faddbe2711a4156180c4a92837e2f23683cc68

Use the correct rights. · ImageMagick/ImageMagick@01faddb · GitHub
Patch;Third Party Advisory

Jump to

Vulnerability Details : CVE-2021-39212

Products affected by CVE-2021-39212

Exploit prediction scoring system (EPSS) score for CVE-2021-39212

CVSS scores for CVE-2021-39212

CWE ids for CVE-2021-39212

References for CVE-2021-39212