CVE-2023-1289
March 23, 2023
A vulnerability was discovered in ImageMagick where a specially created SVG file loads itself and causes a segmentation fault. This flaw allows a remote attacker to pass a specially crafted SVG file that leads to a segmentation fault, generating many trash files in "/tmp," resulting in a denial of service. When ImageMagick crashes, it generates a lot of trash files. These trash files can be large if the SVG file contains many render actions. In a denial of service attack, if a remote attacker uploads an SVG file of size t, ImageMagick generates files of size 103*t. If an attacker uploads a 100M SVG, the server will generate about 10G.
Affected Packages
magick.net-q8-arm64 (NUGET):
Affected version(s) >=8.6.0 <13.0.0Fix Suggestion:
Update to version 13.0.0magick.net-q16-x64 (NUGET):
Affected version(s) >=6.8.5.401 <13.0.0Fix Suggestion:
Update to version 13.0.0magick.net-q8-arm64 (NUGET):
Affected version(s) >=8.6.0 <13.0.0Fix Suggestion:
Update to version 13.0.0magick.net-q8-x64 (NUGET):
Affected version(s) >=6.8.5.401 <13.0.0Fix Suggestion:
Update to version 13.0.0magick.net-q16-hdri-openmp-arm64 (NUGET):
Affected version(s) >=8.6.0 <13.0.0Fix Suggestion:
Update to version 13.0.0magick.net-q16-hdri-anycpu (NUGET):
Affected version(s) >=6.8.9.101 <13.0.0Fix Suggestion:
Update to version 13.0.0magick.net-q8-anycpu (NUGET):
Affected version(s) >=6.8.8.1001 <13.0.0Fix Suggestion:
Update to version 13.0.0magick.net-q8-openmp-x64 (NUGET):
Affected version(s) >=7.14.0 <13.0.0Fix Suggestion:
Update to version 13.0.0magick.net-q16-hdri-openmp-arm64 (NUGET):
Affected version(s) >=8.6.0 <13.0.0Fix Suggestion:
Update to version 13.0.0magick.net-q8-openmp-arm64 (NUGET):
Affected version(s) >=8.6.0 <13.0.0Fix Suggestion:
Update to version 13.0.0magick.net-q16-openmp-arm64 (NUGET):
Affected version(s) >=8.6.0 <13.0.0Fix Suggestion:
Update to version 13.0.0magick.net-q16-x86 (NUGET):
Affected version(s) >=6.8.5.401 <13.0.0Fix Suggestion:
Update to version 13.0.0magick.net-q16-anycpu (NUGET):
Affected version(s) >=6.8.8.1001 <13.0.0Fix Suggestion:
Update to version 13.0.0magick.net-q8-anycpu (NUGET):
Affected version(s) >=6.8.8.1001 <13.0.0Fix Suggestion:
Update to version 13.0.0magick.net-q16-hdri-arm64 (NUGET):
Affected version(s) >=8.6.0 <13.0.0Fix Suggestion:
Update to version 13.0.0magick.net-q16-hdri-x86 (NUGET):
Affected version(s) >=6.8.9.101 <13.0.0Fix Suggestion:
Update to version 13.0.0magick.net-q16-openmp-x64 (NUGET):
Affected version(s) >=7.14.0 <13.0.0Fix Suggestion:
Update to version 13.0.0magick.net-q16-hdri-x64 (NUGET):
Affected version(s) >=6.8.9.101 <13.0.0Fix Suggestion:
Update to version 13.0.0magick.net-q8-anycpu (NUGET):
Affected version(s) >=6.8.8.1001 <13.0.0Fix Suggestion:
Update to version 13.0.0magick.net-q8-x86 (NUGET):
Affected version(s) >=6.8.5.401 <13.0.0Fix Suggestion:
Update to version 13.0.0magick.net-q16-hdri-openmp-arm64 (NUGET):
Affected version(s) >=8.6.0 <13.0.0Fix Suggestion:
Update to version 13.0.0magick.net-q16-arm64 (NUGET):
Affected version(s) >=8.6.0 <13.0.0Fix Suggestion:
Update to version 13.0.0magick.net-q16-hdri-openmp-x64 (NUGET):
Affected version(s) >=7.14.0 <13.0.0Fix Suggestion:
Update to version 13.0.0magick.net-q16-hdri-openmp-arm64 (NUGET):
Affected version(s) >=8.6.0 <13.0.0Fix Suggestion:
Update to version 13.0.0Related Resources (8)
Do you need more information?
Contact UsCVSS v4
Base Score:
6.8
Attack Vector
LOCAL
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
PASSIVE
Vulnerable System Confidentiality
NONE
Vulnerable System Integrity
NONE
Vulnerable System Availability
HIGH
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
5.5
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality
NONE
Integrity
NONE
Availability
HIGH
EPSS
Base Score:
0.10
