First published: Mon Dec 07 2020(Updated: )
ImageMagick before 6.9.11-40 and 7.x before 7.0.10-40 mishandles the -authenticate option, which allows setting a password for password-protected PDF files. The user-controlled password was not properly escaped/sanitized and it was therefore possible to inject additional shell commands via coders/pdf.c.
Credit: cve@mitre.org cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
ImageMagick ImageMagick | >=6.9.8-1<6.9.11-40 | |
ImageMagick ImageMagick | >=7.0.5-3<7.0.10-40 | |
Debian Debian Linux | =9.0 | |
ubuntu/imagemagick | <8:6.9.11.57+dfsg-1 | 8:6.9.11.57+dfsg-1 |
ubuntu/imagemagick | <8:6.9.10.23+dfsg-2.1ubuntu11.9 | 8:6.9.10.23+dfsg-2.1ubuntu11.9 |
debian/imagemagick | <=8:6.9.10.23+dfsg-2.1+deb10u1 | 8:6.9.10.23+dfsg-2.1+deb10u7 8:6.9.11.60+dfsg-1.3+deb11u2 8:6.9.11.60+dfsg-1.3+deb11u3 8:6.9.11.60+dfsg-1.6 8:6.9.11.60+dfsg-1.6+deb12u1 8:6.9.12.98+dfsg1-5 8:6.9.12.98+dfsg1-5.2 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2020-29599 is a vulnerability in ImageMagick before 6.9.11-40 and 7.x before 7.0.10-40 that mishandles the -authenticate option.
The severity of CVE-2020-29599 is high with a severity value of 7.8.
ImageMagick versions before 6.9.11-40 and 7.x before 7.0.10-40 are affected by CVE-2020-29599.
Upgrade to ImageMagick version 6.9.11-40 or 7.0.10-40 or later to fix CVE-2020-29599.
You can find more information about CVE-2020-29599 on the CVE website: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-29599