A flaw was found in ImageMagick version 7.0.8-50 Q16, containing memory leaks of AcquireMagickMemory due to the mishandling of the NoSuchImage error in CLIListOperatorImages in MagickWand/operation.c. It was discovered that ImageMagick does not properly release acquired memory in function MogrifyImageList() when some error conditions are met, or the "compare" option is used. Applications compiled against ImageMagick libraries that accept untrustworthy images may be exploited to use all available memory and make them crash. An attacker could abuse this flaw by providing a specially crafted image and cause a Denial of Service by using all available memory.
Platform | Package | Release Date | Advisory |
---|---|---|---|
Amazon Linux 1 | ImageMagick | 2024-03-13 19:46 | ALAS-2024-1926 |
Amazon Linux 2 - Core | ImageMagick | 2020-10-22 17:05 | ALAS2-2020-1497 |
Amazon Linux 2 - Core | ImageMagick | 2024-01-19 01:51 | ALAS2-2024-2432 |
Amazon Linux 1 | php-pecl-imagick | 2020-06-23 07:03 | ALAS-2020-1391 |
Amazon Linux 1 | php54-pecl-imagick | 2023-08-21 12:14 | ALAS-2023-1810 |
Amazon Linux 1 | php55-pecl-imagick | 2023-08-21 12:14 | ALAS-2023-1812 |
Amazon Linux 1 | php56-pecl-imagick | 2023-08-21 12:14 | ALAS-2023-1811 |
Amazon Linux 1 | php70-pecl-imagick | 2023-08-21 12:14 | ALAS-2023-1813 |
Amazon Linux 1 | php71-pecl-imagick | 2023-08-21 12:14 | ALAS-2023-1814 |
Amazon Linux 1 | php72-pecl-imagick | 2023-08-21 12:14 | ALAS-2023-1815 |
Score Type | Score | Vector | |
---|---|---|---|
Amazon Linux | CVSSv3 | 5.3 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
NVD | CVSSv2 | 4.3 | AV:N/AC:M/Au:N/C:N/I:N/A:P |
NVD | CVSSv3 | 6.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H |