Vulnerability CVE-2019-12921

Vulnerability Name:

CVE-2019-12921 (CCN-179149)

Assigned:

2019-06-20

Published:

2019-06-20

Updated:

2022-03-31

Summary:

In GraphicsMagick before 1.3.32, the text filename component allows remote attackers to read arbitrary files via a crafted image because of TranslateTextEx for SVG.

CVSS v3 Severity:

6.5 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)
5.7 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): Required
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): High Integrity (I): None Availibility (A): None

3.3 Low (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)
2.9 Low (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Local Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): Required
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): Low Integrity (I): None Availibility (A): None

CVSS v2 Severity:

4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Authentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): None Availibility (A): None

1.7 Low (CCN CVSS v2 Vector: AV:L/AC:L/Au:S/C:P/I:N/A:N)

Exploitability Metrics:	Access Vector (AV): Local Access Complexity (AC): Low Athentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): Partial Integrity (I): None Availibility (A): None

Vulnerability Type:

CWE-77

Vulnerability Consequences:

Obtain Information

References:

Source: MITRE
Type: CNA
CVE-2019-12921

Source: SUSE
Type: Mailing List, Third Party Advisory
openSUSE-SU-2020:0416

Source: SUSE
Type: Mailing List, Third Party Advisory
openSUSE-SU-2020:0429

Source: CCN
Type: GraphicsMagick Web site
GraphicsMagick Image Processing System

Source: MISC
Type: Product, Vendor Advisory
http://www.graphicsmagick.org/

Source: XF
Type: UNKNOWN
graphicsmagick-cve201912921-info-disc(179149)

Source: MISC
Type: Third Party Advisory
https://github.com/d0ge/data-processing/blob/master/CVE-2019-12921.md

Source: MLIST
Type: Mailing List, Third Party Advisory
[debian-lts-announce] 20200321 [SECURITY] [DLA 2152-1] graphicsmagick security update

Source: DEBIAN
Type: Third Party Advisory
DSA-4675

Vulnerable Configuration:

Configuration 1:

cpe:/a:graphicsmagick:graphicsmagick:*:*:*:*:*:*:*:* (Version < 1.3.32)

Configuration 2:

cpe:/o:debian:debian_linux:8.0:*:*:*:*:*:*:*

OR cpe:/o:debian:debian_linux:9.0:*:*:*:*:*:*:*

OR cpe:/o:debian:debian_linux:10.0:*:*:*:*:*:*:*

Configuration 3:

cpe:/a:opensuse:backports_sle:15.0:sp1:*:*:*:*:*:*

OR cpe:/o:opensuse:leap:15.1:*:*:*:*:*:*:*

Configuration CCN 1:

cpe:/a:graphicsmagick:graphicsmagick:1.3.31:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.opensuse.security:def:201912921	V	CVE-2019-12921	2022-09-02
oval:org.opensuse.security:def:93583	P	(Moderate)	2021-10-27
oval:org.opensuse.security:def:64602	P	Security update for pcre (Moderate)	2021-10-27
oval:org.opensuse.security:def:63493	P	libsndfile1-32bit-1.0.28-5.5.1 on GA media (Moderate)	2021-08-10
oval:org.opensuse.security:def:62997	P	cargo-1.43.1-12.1 on GA media (Moderate)	2021-08-09
oval:org.opensuse.security:def:62791	P	libjasper-devel-2.0.14-3.19.1 on GA media (Moderate)	2021-08-09
oval:org.opensuse.security:def:62794	P	libkpathsea6-6.2.3-19.4 on GA media (Moderate)	2021-08-09
oval:org.opensuse.security:def:62819	P	libvdpau-devel-1.1.1-1.28 on GA media (Moderate)	2021-08-09
oval:org.opensuse.security:def:62787	P	libgypsy-devel-0.9-2.30 on GA media (Moderate)	2021-08-09
oval:org.opensuse.security:def:74656	P	Security update for apache-commons-compress (Important)	2021-08-05
oval:org.opensuse.security:def:64544	P	Security update for sqlite3 (Important)	2021-07-14
oval:org.opensuse.security:def:64714	P	Security update for tpm2.0-tools (Moderate)	2021-06-17
oval:org.opensuse.security:def:100296	P	(Moderate)	2021-01-22
oval:org.opensuse.security:def:64442	P	Security update for openssl-1_1 (Important)	2020-12-09
oval:org.opensuse.security:def:63290	P	openslp-server-2.0.0-6.12.2 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:63640	P	libwpd-0_10-10-0.10.2-3.3.1 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:64335	P	libjansson-devel on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:63869	P	Security update for audit (Moderate)	2020-12-01
oval:org.opensuse.security:def:64198	P	ruby2.5-rubygem-activejob-5_1 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:74789	P	Security update for GraphicsMagick (Moderate)	2020-12-01
oval:org.opensuse.security:def:64334	P	libipa_hbac-devel on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:110451	P	Security update for GraphicsMagick (Moderate)	2020-03-31
oval:com.ubuntu.bionic:def:2019129210000000	V	CVE-2019-12921 on Ubuntu 18.04 LTS (bionic) - medium.	2020-03-18
oval:com.ubuntu.xenial:def:2019129210000000	V	CVE-2019-12921 on Ubuntu 16.04 LTS (xenial) - medium.	2020-03-18

BACK