CVE-2021-45463
First published: Thu Dec 23 2021(Updated: )
load_cache in GEGL before 0.4.34 allows shell expansion when a pathname in a constructed command line is not escaped or filtered. This is caused by use of the system library function for execution of the ImageMagick convert fallback in magick-load. NOTE: GEGL releases before 0.4.34 are used in GIMP releases before 2.10.30; however, this does not imply that GIMP builds enable the vulnerable feature.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Gegl Gegl | <0.4.34 | |
| GIMP GIMP | <2.10.30 | |
| Redhat Enterprise Linux | =7.0 | |
| Redhat Enterprise Linux | =8.0 | |
| Fedoraproject Fedora | =34 | |
| Fedoraproject Fedora | =35 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://gitlab.gnome.org/GNOME/gegl/-/blob/master/docs/NEWS.adoc
- https://gitlab.gnome.org/GNOME/gegl/-/commit/bfce470f0f2f37968862129d5038b35429f2909b
- https://gitlab.gnome.org/GNOME/gegl/-/issues/298
- https://gitlab.gnome.org/GNOME/gimp/-/commit/e8a31ba4f2ce7e6bc34882dc27c97fba993f5868
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CG635WJCNXHJM5U4BGMAAP4NK2YFTQXK/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZP5NDNOTMPI335FXE7VUPW7FXYTT7PYN/
- https://www.gimp.org/news/2021/12/21/gimp-2-10-30-released/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CG635WJCNXHJM5U4BGMAAP4NK2YFTQXK/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZP5NDNOTMPI335FXE7VUPW7FXYTT7PYN/
Frequently Asked Questions
What is the vulnerability ID?
The vulnerability ID is CVE-2021-45463.
What is the severity of CVE-2021-45463?
The severity of CVE-2021-45463 is high with a score of 7.8.
What is the affected software?
The affected software includes GEGL before version 0.4.34, GIMP before version 2.10.30, RedHat Enterprise Linux 7.0 and 8.0, and Fedora 34 and 35.
What is the cause of CVE-2021-45463?
The vulnerability is caused by the use of the system library function for execution of the ImageMagick convert fallback in magick-load.
How can I fix CVE-2021-45463?
To fix CVE-2021-45463, update GEGL to version 0.4.34 or later.
- collector/nvd-index
- agent/severity
- agent/references
- agent/author
- agent/tags
- agent/event
- agent/type
- agent/description
- agent/remedy
- agent/last-modified-date
- agent/first-publish-date
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- vendor/gegl
- canonical/gegl gegl
- vendor/gimp
- canonical/gimp gimp
- vendor/redhat
- canonical/redhat enterprise linux
- version/redhat enterprise linux/7.0
- version/redhat enterprise linux/8.0
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/34
- version/fedoraproject fedora/35