CVE-2019-1010174

high-risk
Published 2019-07-25

CImg The CImg Library v.2.3.3 and earlier is affected by: command injection. The impact is: RCE. The component is: load_network() function. The attack vector is: Loading an image from a user-controllable url can lead to command injection, because no string sanitization is done on the url. The fixed version is: v.2.3.4.

Do I need to act?

~
6.6% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
9
CVSS 9.8/10 Critical
NETWORK / LOW complexity

Affected Products (3)

Cimg Library

Affected Vendors

Debian Cimg

References (6)

Patch https://framagit.org/dtschump/CImg/commit/5ce7a426b77f814973e56182a0e76a2b049041...
Mailing List https://lists.debian.org/debian-lts-announce/2019/09/msg00030.html
Mailing List https://lists.debian.org/debian-lts-announce/2020/10/msg00033.html
Patch https://framagit.org/dtschump/CImg/commit/5ce7a426b77f814973e56182a0e76a2b049041...
Mailing List https://lists.debian.org/debian-lts-announce/2019/09/msg00030.html
Mailing List https://lists.debian.org/debian-lts-announce/2020/10/msg00033.html
50
/ 100
high-risk
Severity 32/34 · Critical
Exploitability 9/34 · Low
Exposure 9/34 · Low