Researchers found two security vulnerabilities in the ImageMagick tool that could trigger denial of service attacks or leak data. The vendors patched the bugs in time, preventing any active exploitation. Users must ensure updating to the latest patched releases to avoid any mishap.
Multiple Vulnerabilities Spotted In ImageMagick Tool
According to a recent post from the cybersecurity firm Metabase Q, their researchers found two security issues in the ImageMagick graphics tool.
ImageMagick is an open-source software for image conversion, designing, and editing. Given its free availability and support for a large number of file formats (200+), ImageMagick is a popular tool among graphic designers and web developers, particularly those dealing with open-source apps.
Specifically, the researchers found the following two vulnerabilities affecting ImageMagick.
- CVE-2022-44267: a denial-of-service (DoS) vulnerability that affected the image conversion feature when parsing PNG files. According to the researchers, parsing .png files could “leave the convert process waiting for stdin input.”
- CVE-2022-44268: an information disclosure vulnerability that could leak data from arbitrary remote files when parsing PNG images in the resulting image.
Exploiting both vulnerabilities simply required an attacker to upload a malicious PNG image file to the target website using ImageMagick. The researchers have shared a detailed technical analysis of both vulnerabilities in their post.
Vendors Patched The Flaws
Metabase Q’s Ocelot team discovered these images when analyzing the then-latest version of ImageMagick 7.1.0-49. Following this discovery, they promptly reported the matter to ImageMagick developers.
Consequently, the app developers worked on fixing the vulnerabilities, ultimately releasing the patches with the subsequent app release.
Their site now lists the ImageMagick 7.1.0-60 version as the latest release. Hence, to ensure receiving all the feature updates and bug fixes, users must update their websites and systems with this release at the earliest.
Let us know your thoughts in the comments.