Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2022-1114: heap-use-after-free in RelinquishDCMInfo of dcm.c

A heap-use-after-free flaw was found in ImageMagick’s RelinquishDCMInfo() function of dcm.c file. This vulnerability is triggered when an attacker passes a specially crafted DICOM image file to ImageMagick for conversion, potentially leading to information disclosure and a denial of service.

CVE
#vulnerability#linux#red_hat#dos#git

Bug 2064538 (CVE-2022-1114) - CVE-2022-1114 ImageMagick: heap-use-after-free in RelinquishDCMInfo of dcm.c

Summary: CVE-2022-1114 ImageMagick: heap-use-after-free in RelinquishDCMInfo of dcm.c

Keywords:

Status:

CLOSED NOTABUG

Alias:

CVE-2022-1114

Product:

Security Response

Classification:

Other

Component:

vulnerability

Sub Component:

Version:

unspecified

Hardware:

All

OS:

Linux

Priority:

medium

Severity:

medium

Target Milestone:

Assignee:

Red Hat Product Security

QA Contact:

Docs Contact:

URL:

Whiteboard:

Depends On:

2066640

Blocks:

2064539 2069109

TreeView+

depends on / blocked

Reported:

2022-03-16 06:47 UTC by TEJ RATHI

Modified:

2022-04-05 19:59 UTC (History)

CC List:

11 users (show)

Fixed In Version:

ImageMagick6 v6.9.12-43, ImageMagick7 v7.1.0-28

Doc Type:

If docs needed, set a value

Doc Text:

A heap-use-after-free flaw was found in ImageMagick’s RelinquishDCMInfo() function of dcm.c file. This vulnerability is triggered when an attacker passes a specially crafted DICOM image file to ImageMagick for conversion, potentially leading to information disclosure and a denial of service.

Clone Of:

Environment:

Last Closed:

2022-03-22 13:01:58 UTC

Attachments

(Terms of Use)

Add an attachment (proposed patch, testcase, etc.)

Description TEJ RATHI 2022-03-16 06:47:43 UTC

A heap-use-after-free vulnerability was found in ImageMagick’s RelinquishDCMInfo function of dcm.c.

References: https://github.com/ImageMagick/ImageMagick/issues/4947

Comment 2 TEJ RATHI 2022-03-22 08:56:10 UTC

Created ImageMagick tracking bugs for this issue:

Affects: fedora-all [bug 2066640]

Note You need to log in before you can comment on or make changes to this bug.

Related news

CVE-2022-1227: Privilege escalation in 'podman top'

A privilege escalation flaw was found in Podman. This flaw allows an attacker to publish a malicious image to a public registry. Once this image is downloaded by a potential victim, the vulnerability is triggered after a user runs the 'podman top' command. This action gives the attacker access to the host filesystem, leading to information disclosure or denial of service.

CVE-2022-0985: 2064117 – (CVE-2022-0985, MSA-22-0006) CVE-2022-0985 moodle: Users with moodle/site:uploadusers but without moodle/user:delete could delete users

Insufficient capability checks could allow users with the moodle/site:uploadusers capability to delete users, without having the necessary moodle/user:delete capability.

CVE-2022-1048: [PATCH 0/4] ALSA: pcm: Fix ioctl races

A use-after-free flaw was found in the Linux kernel’s sound subsystem in the way a user triggers concurrent calls of PCM hw_params. The hw_free ioctls or similar race condition happens inside ALSA PCM for other ioctls. This flaw allows a local user to crash or potentially escalate their privileges on the system.

CVE-2022-1249: NULL pointer dereference in cms_set_pw_data()

A NULL pointer dereference flaw was found in pesign's cms_set_pw_data() function of the cms_common.c file. The function fails to handle the NULL pwdata invocation from daemon.c, which leads to an explicit NULL dereference and crash on all attempts to daemonize pesign.

CVE-2021-39082: Security Bulletin: UC Deploy Container images may contain non-unique https certificates and database encryption key. (CVE-2021-39082 )

IBM UrbanCode Deploy (UCD) 7.1.1.2 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information.

CVE-2022-1015: CVE-2022-1015,CVE-2022-1016 in nf_tables cause privilege escalation, information leak

A flaw was found in the Linux kernel in linux/net/netfilter/nf_tables_api.c of the netfilter subsystem. This flaw allows a local user to cause an out-of-bounds write issue.

CVE-2022-1195: git/torvalds/linux.git - Linux kernel source tree

A use-after-free vulnerability was found in the Linux kernel in drivers/net/hamradio. This flaw allows a local attacker with a user privilege to cause a denial of service (DOS) when the mkiss or sixpack device is detached and reclaim resources early.

CVE-2022-1353: af_key: add __GFP_ZERO flag for compose_sadb_supported in function pf… · torvalds/linux@9a564bc

A vulnerability was found in the pfkey_register function in net/key/af_key.c in the Linux kernel. This flaw allows a local, unprivileged user to gain access to kernel memory, leading to a system crash or a leak of internal kernel information.

CVE-2021-41948: 1-click stored XSS from admin panel to site · Issue #8 · intelliants/subrion-plugin-contact_us

A cross-site scripting (XSS) vulnerability exists in the "contact us" plugin for Subrion CMS <= 4.2.1 version via "List of subjects".

CVE-2022-24900: Merge pull request #351 from porcupineyhairs/FixPathInjection · onlaj/Piano-LED-Visualizer@3f10602

Piano LED Visualizer is software that allows LED lights to light up as a person plays a piano connected to a computer. Version 1.3 and prior are vulnerable to a path traversal attack. The `os.path.join` call is unsafe for use with untrusted input. When the `os.path.join` call encounters an absolute path, it ignores all the parameters it has encountered till that point and starts working with the new absolute path. Since the "malicious" parameter represents an absolute path, the result of `os.path.join` ignores the static directory completely. Hence, untrusted input is passed via the `os.path.join` call to `flask.send_file` can lead to path traversal attacks. A patch with a fix is available on the `master` branch of the GitHub repository. This can also be fixed by preventing flow of untrusted data to the vulnerable `send_file` function. In case the application logic necessiates this behaviour, one can either use the `flask.safe_join` to join untrusted paths or replace `flask.send_file` ...

CVE-2022-1536: CVEproject/automad<=1.10.9 Stored Cross-Site Scripting(XSS).md at main · xiahao90/CVEproject

A vulnerability has been found in automad up to 1.10.9 and classified as problematic. This vulnerability affects the Dashboard. The manipulation of the argument title with the input Home</title><script>alert("home")</script><title> leads to a cross site scripting. The attack can be initiated remotely but requires an authentication. The exploit details have disclosed to the public and may be used.

Security Turbulence in the Cloud: Survey Says…

Exclusive Threatpost research examines organizations’ top cloud security concerns, attitudes towards zero-trust and DevSecOps.

CVE-2022-1533: Buffer Over-read in libmobi

Buffer Over-read in GitHub repository bfabiszewski/libmobi prior to 0.11. This vulnerability is capable of arbitrary code execution.

CVE-2022-1531: avoid SQL injection exploits · RTXteam/RTX@fa2797e

SQL injection vulnerability in ARAX-UI Synonym Lookup functionality in GitHub repository rtxteam/rtx prior to checkpoint_2022-04-20 . This vulnerability is critical as it can lead to remote code execution and thus complete server takeover.

GHSA-p3w3-4ppm-c3f6: Cross site scripting in FacturaScripts

FacturaScripts prior to version 2022.06 is vulnerable to stored cross-site scripting via upload plugin functionality in zip format.

CVE-2022-24449: GitHub - jet-pentest/CVE-2022-24449: Solar Appscreener XXE

Solar appScreener through 3.10.4, when a valid license is not present, allows XXE and SSRF attacks via a crafted XML document.

GHSA-f6p5-76fp-m248: URL Rewrite vulnerability in multiple zendframework components

zend-diactoros (and, by extension, Expressive), zend-http (and, by extension, Zend Framework MVC projects), and zend-feed (specifically, its PubSubHubbub sub-component) each contain a potential URL rewrite exploit. In each case, marshaling a request URI includes logic that introspects HTTP request headers that are specific to a given server-side URL rewrite mechanism. When these headers are present on systems not running the specific URL rewriting mechanism, the logic would still trigger, allowing a malicious client or proxy to emulate the headers to request arbitrary content.

GHSA-3qrq-r688-vvh4: Multiple valid tokens for password reset in Shopware

### Impact Multiple tokens for password reset could be requested. All tokens could be used to change the password. This makes it possible for an attacker to take over the victims account if s/he gains access to the victims email account and finds unused password reset token in the emails within the time frame of two hours. ### Patches We recommend updating to the current version 5.7.9. You can get the update to 5.7.9 regularly via the Auto-Updater or directly via the download overview. https://www.shopware.com/en/changelog-sw5/#5-7-9 For older versions you can use the Security Plugin: https://store.shopware.com/en/swag575294366635f/shopware-security-plugin.html ### References https://docs.shopware.com/en/shopware-5-en/security-updates/security-update-04-2022

GHSA-pf38-v6qj-j23h: Malfunction of CSRF token validation in Shopware

### Impact The CSRF tokens were not renewed after login and logout. An attacker could impersonate the victim if the attacker is able to use the same device as the victim used beforehand. ### Patches We recommend updating to the current version 5.7.9. You can get the update to 5.7.9 regularly via the Auto-Updater or directly via the download overview. https://www.shopware.com/en/changelog-sw5/#5-7-9 For older versions you can use the Security Plugin: https://store.shopware.com/en/swag575294366635f/shopware-security-plugin.html ### References https://docs.shopware.com/en/shopware-5-en/security-updates/security-update-04-2022

GHSA-m98g-63qj-fp8j: Reflected XSS on clients-registrations endpoint

A POST based reflected Cross Site Scripting vulnerability on has been identified in Keycloak. When a malicious request is sent to the client registration endpoint, the error message is not properly escaped, allowing an attacker to execute malicious scripts into the user's browser. ### Acknowledgement Keycloak would like to thank Quentin TEXIER (Pentester at Opencyber) for reporting this issue.

GHSA-4g29-fccr-p59w: Reflected Cross-site Scripting in Shopware storefront

### Impact Not-stored XSS in storefront. Request parameter were directly assigned to the template, so that malicious code could be send via an URL. ### Patches We recommend updating to the current version 5.7.9. You can get the update to 5.7.9 regularly via the Auto-Updater or directly via the download overview. https://www.shopware.com/en/changelog-sw5/#5-7-9 For older versions you can use the Security Plugin: https://store.shopware.com/en/swag575294366635f/shopware-security-plugin.html ### References https://docs.shopware.com/en/shopware-5-en/security-updates/security-update-04-2022

CVE-2022-22322: Security Bulletin: IBM InfoSphere Information Server is vulnerable to cross-site scripting (CVE-2022-22322)

IBM InfoSphere Information Server 11.7 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 218370.

CVE-2022-22427: IBM InfoSphere Information Server cross-site scripting CVE-2022-22427 Vulnerability Report

IBM InfoSphere Information Server 11.7 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 223720.

CVE-2022-29584: Security Announcements - XSS exploit in 'External media' block in Mahara before 20.10.5, 21.04.4, and 21.10.2 - Mahara ePortfolio System

Mahara before 20.10.5, 21.04.4, 21.10.2, and 22.04.0 allows stored XSS when a particular Cascading Style Sheets (CSS) class for embedly is used, and JavaScript code is constructed to perform an action.

CVE-2022-22441: IBM InfoSphere Information Server privilege escalation CVE-2022-22441 Vulnerability Report

IBM InfoSphere Information Server 11.7 could allow an authenticated user to view information of higher privileged users and groups due to a privilege escalation vulnerability. IBM X-Force ID: 224426.

CVE-2021-38952: Security Bulletin: IBM InfoSphere Information Server is vulnerable to cross-site scripting (CVE-2021-38952)

IBM InfoSphere Information Server 11.7 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 211408.

CVE-2022-29585: Security Announcements - Group search list shows too many results from page 2 onwards in Mahara before 20.10.5, 21.04.4, and 21.10.2 - Mahara ePortfolio System

In Mahara before 20.10.5, 21.04.4, 21.10.2, and 22.04.0, a site using Isolated Institutions is vulnerable if more than ten groups are used. They are all shown from page 2 of the group results list (rather than only being shown for the institution that the viewer is a member of).

CVE-2022-22443: IBM InfoSphere Information Server cross-site scripting CVE-2022-22443 Vulnerability Report

IBM InfoSphere Information Server 11.7 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 224440.

CVE-2022-24873: Shopware 5 - Security Updates

Shopware is an open source e-commerce software platform. Prior to version 5.7.9, Shopware is vulnerable to non-stored cross-site scripting in the storefront. This issue is fixed in version 5.7.9. Users of older versions may attempt to mitigate the vulnerability by using the Shopware security plugin.

CVE-2022-28102: Cross-Site Scripting (XSS) - Security Issue · Issue #19 · housamz/php-mysql-admin-panel-generator

A cross-site scripting (XSS) vulnerability in PHP MySQL Admin Panel Generator v1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected at /edit-db.php.

CVE-2022-28193: Security Bulletin: NVIDIA Jetson AGX Xavier Series, Jetson Xavier NX, Jetson TX1, Jetson TX2 Series (including Jetson TX2 NX) - April 2022

NVIDIA Jetson Linux Driver Package contains a vulnerability in the Cboot module tegrabl_cbo.c, where insufficient validation of untrusted data may allow a local attacker to cause a memory buffer overflow, which may lead to code execution, loss of integrity, limited denial of service, and some impact to confidentiality.

CVE-2022-22315: Security Bulletin: UrbanCode Deploy users with create-resource permission for the standard resource type may create child resources inheriting custom types (CVE-2022-22315).

IBM UrbanCode Deploy (UCD) 7.2.2.1 could allow an authenticated user with special permissions to obtain elevated privileges due to improper handling of permissions. IBM X-Force ID: 217955.

CVE-2022-24372: Linksys Dual-Band Mesh-WLAN WiFi 6 Router (MR9600)

Linksys MR9600 devices before 2.0.5 allow attackers to read arbitrary files via a symbolic link to the root directory of a NAS SMB share.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907