"Experts Warn of Two Flaws in Popular Open-Source Software ImageMagick"

Researchers at Metabase Q found two security flaws in the open-source image manipulation software ImageMagick that could lead to information exposure or a Denial-of-Service (DoS) condition. ImageMagick is a free, open-source software suite for displaying, converting, and modifying raster and vector image files. One of the flaws, tracked as CVE-2022-44267, is a DoS vulnerability that can be triggered when ImageMagick parses a PNG image whose filename is a single dash ("-"). The other flaw, tracked as CVE-2022-44268, is an information disclosure vulnerability that can be used to read arbitrary files from a server when it parses an image. To remotely exploit the vulnerabilities, an attacker must upload a specially crafted image to a website that uses ImageMagick. The attacker can create the image by inserting a text chunk specifying certain metadata, such as the filename, which must be set to "-" for exploitation. The two vulnerabilities impact ImageMagick version 7.1.0-49. This article continues to discuss the two security flaws found in the open-source software ImageMagick that could result in information disclosure or trigger a DoS condition.
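Because both flaws are reached through a text chunk in an uploaded PNG, an upload handler can inspect and drop textual chunks before the file reaches the converter. The following is an added example, not code from the article or from ImageMagick; the function names, the keyword `example-keyword` and the sample image are constructed for illustration.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
TEXT_TYPES = {b"tEXt", b"zTXt", b"iTXt"}  # the PNG textual chunk types

def make_chunk(ctype, data):
    """Serialise one chunk: length, type, data, CRC-32 over type+data."""
    body = ctype + data
    return struct.pack(">I", len(data)) + body + struct.pack(">I", zlib.crc32(body))

def iter_chunks(png):
    """Yield (type, data) per chunk; raise ValueError on malformed input."""
    if not png.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos < len(png):
        if pos + 8 > len(png):
            raise ValueError("truncated chunk header")
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        end = pos + 8 + length + 4
        if end > len(png):
            raise ValueError("truncated chunk")
        data = png[pos + 8:end - 4]
        if struct.unpack(">I", png[end - 4:end])[0] != zlib.crc32(ctype + data):
            raise ValueError("bad CRC")
        yield ctype, data
        pos = end

def find_text_chunks(png):
    """Return (type, keyword, value) per textual chunk; value only for tEXt."""
    found = []
    for ctype, data in iter_chunks(png):
        if ctype in TEXT_TYPES:
            keyword, _, value = data.partition(b"\x00")
            plain = value.decode("latin-1") if ctype == b"tEXt" else None
            found.append((ctype.decode("ascii"), keyword.decode("latin-1"), plain))
    return found

def strip_text_chunks(png):
    """Rebuild the PNG without textual chunks before handing it to a converter."""
    kept = (make_chunk(t, d) for t, d in iter_chunks(png) if t not in TEXT_TYPES)
    return PNG_SIG + b"".join(kept)

# Constructed sample: 1x1 grayscale PNG with a text chunk whose value is "-".
SAMPLE = (PNG_SIG
          + make_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
          + make_chunk(b"tEXt", b"example-keyword\x00-")
          + make_chunk(b"IDAT", zlib.compress(b"\x00\x00"))
          + make_chunk(b"IEND", b""))
```

Stripping is a pre-processing control only; upgrading past the affected ImageMagick version remains the fix.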

Security Affairs reports "Experts Warn of Two Flaws in Popular Open-Source Software ImageMagick"

Submitted by Anonymous on