CVE-2021-39212

Name
CVE-2021-39212
Description
ImageMagick is free software delivered as a ready-to-run binary distribution or as source code that you may use, copy, modify, and distribute in both open and proprietary applications. In affected versions and in certain cases, Postscript files could be read and written when specifically excluded by a `module` policy in `policy.xml`, e.g. `<policy domain="module" rights="none" pattern="PS" />`. The issue has been resolved in ImageMagick 7.1.0-7 and in 6.9.12-22. Fortunately, in the wild, few users utilize the `module` policy and instead use the `coder` policy that is also our workaround recommendation: `<policy domain="coder" rights="none" pattern="{PS,EPI,EPS,EPSF,EPSI}" />`.
NVD Severity
medium

References

| Type | URI |
|---|---|
| CONFIRM | https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-qvhr-jj4p-j2qr |
| MISC | https://github.com/ImageMagick/ImageMagick/commit/01faddbe2711a4156180c4a92837e2f23683cc68 |
| MISC | https://github.com/ImageMagick/ImageMagick/commit/35893e7cad78ce461fcaffa56076c11700ba5e4e |

Match rules

| CPE URI | Source package | Min version | Max version |
|---|---|---|---|
| cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*:* | imagemagick | >= 6.9.12-0 | < 6.9.12-22 |
| cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*:* | imagemagick | >= 7.1.0-0 | < 7.1.0-7 |

Vulnerable and fixed packages

Source package Branch Version Maintainer Status