CVE-2023-5349 : A memory leak flaw was found in ruby-magick, an interface between Ruby and Image

A memory leak flaw was found in ruby-magick, an interface between Ruby and ImageMagick. This issue can lead to a denial of service (DOS) by memory exhaustion.

Published 2023-10-30 21:15:08

Updated 2023-11-09 02:15:08

Source Red Hat, Inc.

View at NVD, CVE.org

Vulnerability category: Denial of service

Products affected by CVE-2023-5349

Fedoraproject » Fedora » Version: 37
cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*
Matching versions
Rmagick » Rmagick » For Ruby
Versions before (<) 5.3.0
cpe:2.3:a:rmagick:rmagick:*:*:*:*:*:ruby:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2023-5349

EPSS FAQ

0.06%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 27 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2023-5349

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
3.3	LOW	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L	1.8	1.4	NIST
Attack Vector: Local Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: None Integrity: None Availability: Low
5.3	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L	3.9	1.4	Red Hat, Inc.
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: None Availability: Low

CWE ids for CVE-2023-5349

CWE-401 Missing Release of Memory after Effective Lifetime

The product does not sufficiently track and release allocated memory after it has been used, which slowly consumes remaining memory.
Assigned by:
- nvd@nist.gov (Primary)
- secalert@redhat.com (Secondary)

References for CVE-2023-5349

https://bugzilla.redhat.com/show_bug.cgi?id=2247064

2247064 – (CVE-2023-5349) CVE-2023-5349 rubygem-rmagick: Memory leak by Magick::Draw while calling GetDrawInfo()
Issue Tracking;Third Party Advisory
https://github.com/rmagick/rmagick/issues/1401

Huge memory consumption with latest imagemagick@6 update · Issue #1401 · rmagick/rmagick · GitHub
Exploit;Issue Tracking;Third Party Advisory
https://access.redhat.com/security/cve/CVE-2023-5349

CVE-2023-5349- Red Hat Customer Portal
Third Party Advisory
https://github.com/rmagick/rmagick/pull/1406

Fix memory leak in `Magick::Draw` for recentry ImageMagick 6 by removing unnecessary `GetDrawInfo()` calling by Watson1978 · Pull Request #1406 · rmagick/rmagick · GitHub
Patch
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/S3XMQ2KWPYGT447EKPENGXXHKAQ5NUWF/

[SECURITY] Fedora 37 Update: rubygem-rmagick-5.2.0-2.fc37 - package-announce - Fedora Mailing-Lists

Jump to

Vulnerability Details : CVE-2023-5349

Products affected by CVE-2023-5349

Exploit prediction scoring system (EPSS) score for CVE-2023-5349

CVSS scores for CVE-2023-5349

CWE ids for CVE-2023-5349

References for CVE-2023-5349