CVE-2021-39212
low-risk
Published 2021-09-13
ImageMagick is free software delivered as a ready-to-run binary distribution or as source code that you may use, copy, modify, and distribute in both open and proprietary applications. In affected versions and in certain cases, PostScript files could be read and written even when specifically excluded by a `module` policy in `policy.xml`, for example `<policy domain="module" rights="none" pattern="PS" />`. The issue has been resolved in ImageMagick 7.1.0-7 and in 6.9.12-22. Fortunately, in the wild, few users utilize the `module` policy and instead use the `coder` policy, which is also our workaround recommendation: `<policy domain="coder" rights="none" pattern="{PS,EPI,EPS,EPSF,EPSI}" />`.
Do I need to act?
0.02% chance of exploitation
EPSS score — low exploit probability
Not on CISA KEV list
No confirmed active exploitation reported to CISA
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
CVSS 4.4/10
Medium
LOCAL / LOW complexity
Affected Products (1)
Affected Vendors
References (8)
Third Party Advisory
https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-qvhr-jj4p-j2...
20 / 100
low-risk
Severity
15/34 · Moderate
Exploitability
0/34 · Minimal
Exposure
5/34 · Minimal