CVE-2023-1906

A heap-based buffer overflow issue was discovered in ImageMagick's ImportMultiSpectralQuantum() function in MagickCore/quantum-import.c. An attacker could pass specially crafted file to convert, triggering an out-of-bounds read error, allowing an application to crash, resulting in a denial of service.

Published: Apr 13, 2023
Updated: Apr 22, 2023
CVE: CVE-2023-1906
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 5.5
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

CWEs:

CWE-787
CWE-122

Affected Software
References

Software	From	Fixed in
imagemagick / imagemagick	7.1.1-4	7.1.1-4.x
imagemagick / imagemagick	-	6.9.12-84
fedoraproject / extra_packages_for_enterprise_linux	8.0	8.0.x
fedoraproject / fedora	37	37.x

https://access.redhat.com/security/cve/CVE-2023-1906
https://bugzilla.redhat.com/show_bug.cgi?id=2185714
https://github.com/ImageMagick/ImageMagick/commit/d7a8bdd7bb33cf8e58bc01b4a4f2ea5466f8c6b3
https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-35q2-86c7-9247
https://github.com/ImageMagick/ImageMagick6/commit/e30c693b37c3b41723f1469d1226a2c814ca443d
https://lists.fedoraproject.org/archives/list/[email protected]/message/6655G3GPS42WQM32DJHUCZALI2URQSCO/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6655G3GPS42WQM32DJHUCZALI2URQSCO/

Vulnerability Database

289,599

CVE-2023-1906