QwikSec

Security Database

CVE

CWE

Training

CVE-2020-29599

Published: Dec 7, 2020

Modified: Aug 4, 2024

PUBLISHED

Description

ImageMagick before 6.9.11-40 and 7.x before 7.0.10-40 mishandles the -authenticate option, which allows setting a password for password-protected PDF files. The user-controlled password was not properly escaped/sanitized and it was therefore possible to inject additional shell commands via coders/pdf.c.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

https://insert-script.blogspot.com/2020/11/imagemagick-shell-injection-via-pdf.html

https://github.com/ImageMagick/ImageMagick/discussions/2851

[debian-lts-announce] 20210112 [SECURITY] [DLA 2523-1] imagemagick security update

mailing-list

vendor-advisory

[debian-lts-announce] 20230311 [SECURITY] [DLA 3357-1] imagemagick security update

mailing-list

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.