{ "threat_severity" : "Low", "public_date" : "2022-01-18T00:00:00Z", "bugzilla" : { "description" : "ImageMagick: Heap buffer overread in GetPixelAlpha() declared in MagickCore/pixel-accessor.h", "id" : "2045943", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2045943" }, "cvss3" : { "cvss3_base_score" : "5.1", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L", "status" : "draft" }, "cwe" : "CWE-125", "details" : [ "A heap-based-buffer-over-read flaw was found in ImageMagick's GetPixelAlpha() function of 'pixel-accessor.h'. This vulnerability is triggered when an attacker passes a specially crafted Tagged Image File Format (TIFF) image to convert it into a PICON file format. This issue can potentially lead to a denial of service and information disclosure.", "A heap-based-buffer-over-read flaw was found in ImageMagick's GetPixelAlpha() function of 'pixel-accessor.h'. This vulnerability is triggered when an attacker passes a specially crafted Tagged Image File Format (TIFF) image to convert it into a PICON file format. This issue can potentially lead to a denial of service and information disclosure." ], "statement" : "The versions of ImageMagick shipped with Red Hat Enterprise Linux 6, 7 are ImageMagick v6.9.10 and lower. These contain a different code-base compared to upstream and the vulnerable code is not present in our code-base.", "acknowledgement" : "Red Hat would like to thank Zhang Jiaxing (CodeSafe Team Qi'Anxin Group) for reporting this issue.", "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Not affected", "package_name" : "ImageMagick", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "ImageMagick", "cpe" : "cpe:/o:redhat:enterprise_linux:7" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-0284\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-0284" ], "name" : "CVE-2022-0284", "csaw" : false }