CVE-2021-39212

{"id": "CVE-2021-39212", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 3.6, "accessVector": "LOCAL", "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 4.9, "baseSeverity": "LOW", "obtainAllPrivilege": false, "exploitabilityScore": 3.9, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.4, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 1.8}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.6, "attackVector": "LOCAL", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 1.0}]}, "published": "2021-09-13T18:15:23.907", "references": [{"url": "https://github.com/ImageMagick/ImageMagick/commit/01faddbe2711a4156180c4a92837e2f23683cc68", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/ImageMagick/ImageMagick/commit/35893e7cad78ce461fcaffa56076c11700ba5e4e", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-qvhr-jj4p-j2qr", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://lists.debian.org/debian-lts-announce/2023/05/msg00020.html", "source": "security-advisories@github.com"}, {"url": "https://github.com/ImageMagick/ImageMagick/commit/01faddbe2711a4156180c4a92837e2f23683cc68", "tags": ["Patch", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/ImageMagick/ImageMagick/commit/35893e7cad78ce461fcaffa56076c11700ba5e4e", "tags": ["Patch", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-qvhr-jj4p-j2qr", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://lists.debian.org/debian-lts-announce/2023/05/msg00020.html", "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-668"}]}, {"type": "Secondary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-362"}]}], "descriptions": [{"lang": "en", "value": "ImageMagick is free software delivered as a ready-to-run binary distribution or as source code that you may use, copy, modify, and distribute in both open and proprietary applications. In affected versions and in certain cases, Postscript files could be read and written when specifically excluded by a `module` policy in `policy.xml`. ex. <policy domain=\"module\" rights=\"none\" pattern=\"PS\" />. The issue has been resolved in ImageMagick 7.1.0-7 and in 6.9.12-22. Fortunately, in the wild, few users utilize the `module` policy and instead use the `coder` policy that is also our workaround recommendation: <policy domain=\"coder\" rights=\"none\" pattern=\"{PS,EPI,EPS,EPSF,EPSI}\" />."}, {"lang": "es", "value": "ImageMagick es un software libre que se entrega como una distribuci\u00f3n binaria lista para ser ejecutada o como un c\u00f3digo fuente que se puede usar, copiar, modificar y distribuir tanto en aplicaciones abiertas como propietarias. En las versiones afectadas y en determinados casos, los archivos Postscript pod\u00edan leerse y escribirse cuando se exclu\u00edan espec\u00edficamente mediante una pol\u00edtica de \"module\" en \"policy.xml\". ex. (policy domain=\"module\" rights=\"none\" pattern=\"PS\" /). El problema ha sido resuelto en ImageMagick versiones 7.1.0-7 y en 6.9.12-22. Afortunadamente, en la naturaleza, pocos usuarios usan la pol\u00edtica \"module\" y en su lugar usan la pol\u00edtica \"coder\" que es tambi\u00e9n nuestra recomendaci\u00f3n de soluci\u00f3n: (policy domain=\"coder\" rights=\"none\" pattern=\"{PS,EPI,EPS,EPSF,EPSI}\" /)"}], "lastModified": "2024-11-21T06:18:54.870", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BF324E5C-BBC3-4F30-878E-EEBBAC19EBA3", "versionEndExcluding": "6.9.12-22", "versionStartIncluding": "6.9.12-0"}, {"criteria": "cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "11251438-4BED-4401-8033-B2F084031287", "versionEndExcluding": "7.1.0-7", "versionStartIncluding": "7.1.0-0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}