Two security issues in the open source programme ImageMagick that have the potential to reveal information or cause a DoS condition have been detailed by experts.
The open source image processing program ImageMagick has a few security flaws that might possibly result in information exposure or cause a Denial of Service (DoS) event, according to researchers at Metabase Q. (CVE-2022-44268, CVE-2022-44267).
Raster and vector picture files can be viewed, converted, and edited using the free and open-source software package ImageMagick. When parsing a PNG picture with a filename that only contains a single dash (“-“), the CVE-2022-44267 vulnerability, a DoS problem, can be activated.
When parsing an image, the CVE-2022-44268 vulnerability is an information disclosure bug that can be used to access any files from a server. The software may have included the content of any external file when it parses a PNG image (for example, to resize) (if the ImageMagick binary has permissions to read it).
An attacker must use the ImageMagick programme to upload a specially created image to a website in order to remotely exploit the flaws. By including a text chunk that specifies certain metadata, such as the filename, which must be set to “-” for exploitation, the attacker can create the picture. The two flaws impact ImageMagick version 7.1.0-49 of the programme; they were fixed in version 7.1.0-52, which was released in November 2022.
Open-source libraries like ImageMagick have serious security flaws that outside attackers can take advantage of. In Mat 2016, the security researcher John Graham-Cumming from CloudFlare claimed that his company had only just found a serious vulnerability in the well-known image editing programme ImageMagick, code-named CVE-2016-3714 (or ImageTragick).
Hackers may use the vulnerability to take control of websites that are using the popular image-editing programme. The ImageMagick App is vulnerable, which gives attackers access to the targeted web servers that use the app to resize or crop user-uploaded photos.