CVE-2022-1115

low-risk
Published 2022-08-29

A heap-buffer-overflow flaw was found in ImageMagick’s PushShortPixel() function of quantum-private.h file. This vulnerability is triggered when an attacker passes a specially crafted TIFF image file to ImageMagick for conversion, potentially leading to a denial of service.

Do I need to act?

-
0.04% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
5
CVSS 5.5/10 Medium
LOCAL / LOW complexity

Affected Products (1)

Affected Vendors

Imagemagick

References (10)

Issue Tracking https://access.redhat.com/security/cve/CVE-2022-1115
Issue Tracking https://bugzilla.redhat.com/show_bug.cgi?id=2067022
Patch https://github.com/ImageMagick/ImageMagick/commit/c8718305f120293d8bf13724f12eed...
Exploit https://github.com/ImageMagick/ImageMagick/issues/4974
Patch https://github.com/ImageMagick/ImageMagick6/commit/1f860f52bd8d58737ad8830722033...
Issue Tracking https://access.redhat.com/security/cve/CVE-2022-1115
Issue Tracking https://bugzilla.redhat.com/show_bug.cgi?id=2067022
Patch https://github.com/ImageMagick/ImageMagick/commit/c8718305f120293d8bf13724f12eed...
Exploit https://github.com/ImageMagick/ImageMagick/issues/4974
Patch https://github.com/ImageMagick/ImageMagick6/commit/1f860f52bd8d58737ad8830722033...
23
/ 100
low-risk
Severity 18/34 · Moderate
Exploitability 0/34 · Minimal
Exposure 5/34 · Minimal