Low
CVE-2023-34152
CVE-2023-34152
Description
A vulnerability was found in ImageMagick. This security flaw cause a remote code execution vulnerability in OpenBlob with —enable-pipes configured.
Add Assessment
Technical Analysis
I saw this vulnerability and dug a bit because it is an improper fix to CVE-2016-5118, which was a big deal and I wanted to know what was missed. To be clear, this vulnerability is not a big deal. Where CVE-2016-5118 was vulnerable in a default configuration, this vulnerability requires a non-default, purposefully-vulnerable configuration. The maintainers for the project went so far as to revert the community-provided fix for this vulnerability claiming the behavior was a poorly-documented feature. From the issue on ImageMagick (https://github.com/ImageMagick/ImageMagick/issues/6339):
When --enable-pipes is used the user opens themselves up to a potential security risk when they don't filter the input. And you don't even need to use back ticks. It is also possible to do this magick '|cat test.txt > /tmp/leak|< logo.jpg' info: when the user of our library enables this option. And as we said before this option is not enabled by default but we should make it more clear what could happen when the user of our library enables this option.
This is not particularly surprising; enabling pipes in an application like this increases the complexity and makes proper sanitization much more difficult. Users should ensure that the application does not have this vulnerable option turned on.
CVSS V3 Severity and Metrics
General Information
Vendors
- fedoraproject,
- imagemagick,
- redhat
Products
- enterprise linux 6.0,
- enterprise linux 7.0,
- extra packages for enterprise linux 8.0,
- fedora 37,
- fedora 38,
- imagemagick
References
Advisory
Exploit
A PoC added here by the AKB Worker must have at least 2 GitHub stars.
