CVE-2020-27756

low-risk

Published 2020-12-08

In ParseMetaGeometry() of MagickCore/geometry.c, image height and width calculations can lead to divide-by-zero conditions which also lead to undefined behavior. This flaw can be triggered by a crafted input file processed by ImageMagick and could impact application availability. The patch uses multiplication in addition to the function `PerceptibleReciprocal()` in order to prevent such divide-by-zero conditions. This flaw affects ImageMagick versions prior to 7.0.9-0.

Do I need to act?

0.13% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 5.5/10 Medium

LOCAL / LOW complexity

Affected Products (1)

Imagemagick

Affected Vendors

Imagemagick

References (4)

Exploit https://bugzilla.redhat.com/show_bug.cgi?id=1894233

https://lists.debian.org/debian-lts-announce/2023/03/msg00008.html

Exploit https://bugzilla.redhat.com/show_bug.cgi?id=1894233

https://lists.debian.org/debian-lts-announce/2023/03/msg00008.html

/ 100

low-risk

Severity 18/34 · Moderate

Exploitability 1/34 · Minimal

Exposure 5/34 · Minimal