Vulnerability Name:

CVE-2020-10938 (CCN-178370)

Assigned:2020-02-23
Published:2020-02-23
Updated:2022-01-01
Summary:GraphicsMagick before 1.3.35 has an integer overflow and resultant heap-based buffer overflow in HuffmanDecodeImage in magick/compress.c.
CVSS v3 Severity:9.8 Critical (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
8.5 High (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): High
Availibility (A): High
5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L)
4.6 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): Low
Integrity (I): Low
Availibility (A): Low
CVSS v2 Severity:7.5 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availibility (A): Partial
4.3 Medium (CCN CVSS v2 Vector: AV:L/AC:L/Au:S/C:P/I:P/A:P)
Exploitability Metrics:Access Vector (AV): Local
Access Complexity (AC): Low
Athentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availibility (A): Partial
Vulnerability Type:CWE-787
CWE-190
Vulnerability Consequences:Gain Access
References:Source: MITRE
Type: CNA
CVE-2020-10938

Source: SUSE
Type: Mailing List, Third Party Advisory
openSUSE-SU-2020:0416

Source: SUSE
Type: Mailing List, Third Party Advisory
openSUSE-SU-2020:0429

Source: XF
Type: UNKNOWN
graphicsmagick-cve202010938-bo(178370)

Source: MLIST
Type: Mailing List, Third Party Advisory
[debian-lts-announce] 20200415 [SECURITY] [DLA 2173-1] graphicsmagick security update

Source: CCN
Type: GraphicsMagick GIT Repository
Merge changes for 1.3.35 into GraphicsMagick-1_3 branch

Source: MISC
Type: Third Party Advisory
https://sourceforge.net/p/graphicsmagick/code/ci/5b4dd7c6674140a115ec9424c8d19c6a458fac3e/

Source: DEBIAN
Type: Third Party Advisory
DSA-4675

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2020-10938

Vulnerable Configuration:Configuration 1:
  • cpe:/a:graphicsmagick:graphicsmagick:*:*:*:*:*:*:*:* (Version < 1.3.35)

    • Configuration 2:
  • cpe:/o:debian:debian_linux:8.0:*:*:*:*:*:*:*
  • OR cpe:/o:debian:debian_linux:9.0:*:*:*:*:*:*:*
  • OR cpe:/o:debian:debian_linux:10.0:*:*:*:*:*:*:*

    • Configuration 3:
  • cpe:/o:opensuse:backports:sle-15:sp1:*:*:*:*:*:*
  • OR cpe:/o:opensuse:leap:15.1:*:*:*:*:*:*:*

    • Configuration CCN 1:
  • cpe:/a:graphicsmagick:graphicsmagick:1.3.34:*:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    Oval Definitions
    Definition IDClassTitleLast Modified
    oval:org.opensuse.security:def:64602
    P
    		Security update for pcre (Moderate)
    2021-10-27
    oval:org.opensuse.security:def:93583
    P
    		 (Moderate)
    2021-10-27
    oval:org.opensuse.security:def:202010938
    V
    		CVE-2020-10938
    2021-10-24
    oval:org.opensuse.security:def:63493
    P
    		libsndfile1-32bit-1.0.28-5.5.1 on GA media (Moderate)
    2021-08-10
    oval:org.opensuse.security:def:62819
    P
    		libvdpau-devel-1.1.1-1.28 on GA media (Moderate)
    2021-08-09
    oval:org.opensuse.security:def:62787
    P
    		libgypsy-devel-0.9-2.30 on GA media (Moderate)
    2021-08-09
    oval:org.opensuse.security:def:62997
    P
    		cargo-1.43.1-12.1 on GA media (Moderate)
    2021-08-09
    oval:org.opensuse.security:def:62791
    P
    		libjasper-devel-2.0.14-3.19.1 on GA media (Moderate)
    2021-08-09
    oval:org.opensuse.security:def:62794
    P
    		libkpathsea6-6.2.3-19.4 on GA media (Moderate)
    2021-08-09
    oval:org.opensuse.security:def:74656
    P
    		Security update for apache-commons-compress (Important)
    2021-08-05
    oval:org.opensuse.security:def:64544
    P
    		Security update for sqlite3 (Important)
    2021-07-14
    oval:org.opensuse.security:def:64714
    P
    		Security update for tpm2.0-tools (Moderate)
    2021-06-17
    oval:org.opensuse.security:def:100296
    P
    		 (Moderate)
    2021-01-22
    oval:org.opensuse.security:def:64442
    P
    		Security update for openssl-1_1 (Important)
    2020-12-09
    oval:org.opensuse.security:def:63640
    P
    		libwpd-0_10-10-0.10.2-3.3.1 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:63290
    P
    		openslp-server-2.0.0-6.12.2 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:74789
    P
    		Security update for GraphicsMagick (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:64334
    P
    		libipa_hbac-devel on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:64335
    P
    		libjansson-devel on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:63869
    P
    		Security update for audit (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:64198
    P
    		ruby2.5-rubygem-activejob-5_1 on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:110451
    P
    		Security update for GraphicsMagick (Moderate)
    2020-03-31
    BACK
    graphicsmagick graphicsmagick *
    debian debian linux 8.0
    debian debian linux 9.0
    debian debian linux 10.0
    opensuse backports sle-15 sp1
    opensuse leap 15.1
    graphicsmagick graphicsmagick 1.3.34