CVE-2019-19950

moderate-risk
Published 2019-12-24

In GraphicsMagick 1.4 snapshot-20190403 Q8, there is a use-after-free in ThrowException and ThrowLoggedException of magick/error.c.

Do I need to act?

~
1.2% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
9
CVSS 9.8/10 Critical
NETWORK / LOW complexity

Affected Products (6)

Affected Vendors

Debian Graphicsmagick Opensuse

References (12)

Mailing List http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/44ab7f6c20b4
Mailing List http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00026.html
Mailing List http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00064.html
Mailing List https://lists.debian.org/debian-lts-announce/2020/01/msg00029.html
Exploit https://sourceforge.net/p/graphicsmagick/bugs/603/
Third Party Advisory https://www.debian.org/security/2020/dsa-4640
Mailing List http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/44ab7f6c20b4
Mailing List http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00026.html
Mailing List http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00064.html
Mailing List https://lists.debian.org/debian-lts-announce/2020/01/msg00029.html
Exploit https://sourceforge.net/p/graphicsmagick/bugs/603/
Third Party Advisory https://www.debian.org/security/2020/dsa-4640
49
/ 100
moderate-risk
Severity 32/34 · Critical
Exploitability 4/34 · Minimal
Exposure 13/34 · Low