CVE-2020-27752

Publication date 8 December 2020

Last updated 16 October 2024


Ubuntu priority

Cvss 3 Severity Score

7.1 · High

Score breakdown

A flaw was found in ImageMagick in MagickCore/quantum-private.h. An attacker who submits a crafted file that is processed by ImageMagick could trigger a heap buffer overflow. This would most likely lead to an impact to application availability, but could potentially lead to an impact to data integrity as well. This flaw affects ImageMagick versions prior to 7.0.9-0.

Read the notes from the security team

Status

Package Ubuntu Release Status
imagemagick 24.10 oracular
Not affected
24.04 LTS noble
Not affected
23.10 mantic
Not affected
23.04 lunar
Not affected
22.10 kinetic
Not affected
22.04 LTS jammy
Not affected
21.10 impish
Not affected
21.04 hirsute
Not affected
20.10 groovy Ignored end of life
20.04 LTS focal
Vulnerable, fix deferred
18.04 LTS bionic
Vulnerable, fix deferred
16.04 LTS xenial
Vulnerable, fix deferred
14.04 LTS trusty Ignored end of ESM support, was deferred

Notes


mdeslaur

need to clarify exact patch, see Debian comment on upstream bug


yomonokio

there is no poc for this CVE

Severity score breakdown

Parameter Value
Base score 7.1 · High
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Scope Unchanged
Confidentiality None
Integrity impact Low
Availability impact High
Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H