CVE-2021-4219
Description
A denial of service vulnerability in ImageMagick allows remote attackers to crash the system by submitting a crafted SVG file that causes a hang due to improper file descriptor handling.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A flaw in ImageMagick's MagickCore/draw.c component arises from improper use of open functions, leading to a denial of service. The vulnerability is triggered when ImageMagick processes a specially crafted SVG file, causing it to hang indefinitely while reading a file descriptor. Affected versions include all ImageMagick releases prior to the fix, though the exact version range is not specified in the available reference [1].
Exploitation
An attacker can exploit this vulnerability remotely by submitting a crafted SVG file to an application or service that uses ImageMagick to process images. No authentication or special privileges are required. The attacker's SVG causes ImageMagick to enter an infinite loop or hang while reading a file descriptor, resulting in a denial of service [1].
Impact
Successful exploitation leads to a denial of service, causing the ImageMagick process to hang or crash. This can render the affected service unavailable. No data confidentiality or integrity compromise is reported [1].
Mitigation
As of the publication date (2022-03-23), no official patch has been released for this vulnerability. Users are advised to restrict processing of untrusted SVG files as a workaround until a fix is available. Monitor ImageMagick updates for a patched version [1].
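One way to apply the workaround above at an upload boundary, as an added example that is not part of the original advisory or of ImageMagick's code: it classifies uploads by content rather than by file name, so SVG (including gzip-compressed SVGZ) is rejected before it reaches the converter. The function names, the 64 KiB sniff window and the sample inputs are assumptions constructed for illustration.

```python
import gzip
import re
import zlib

SNIFF_BYTES = 64 * 1024  # assumption: the root element appears within 64 KiB
GZIP_MAGIC = b"\x1f\x8b"
# XML declaration, or an <svg> root with an optional namespace prefix.
SVG_MARKERS = re.compile(rb"<\?xml|<(?:[\w.-]+:)?svg[\s>/]", re.IGNORECASE)


def sniff_head(data: bytes):
    """Return up to SNIFF_BYTES of content, un-gzipping SVGZ; None if undecodable."""
    if data.startswith(GZIP_MAGIC):
        inflater = zlib.decompressobj(wbits=zlib.MAX_WBITS | 16)  # gzip framing
        try:
            # max_length bounds the output, so a compressed bomb cannot expand here.
            data = inflater.decompress(data, SNIFF_BYTES)
        except zlib.error:
            return None
    # Dropping NUL bytes lets the ASCII markers match UTF-16 documents as well.
    head = data[:SNIFF_BYTES].replace(b"\x00", b"")
    return head.lstrip(b"\xef\xbb\xbf\xff\xfe \t\r\n")  # BOMs and whitespace


def looks_like_svg(data: bytes) -> bool:
    """True if the upload should be treated as SVG and kept away from ImageMagick."""
    head = sniff_head(data)
    if head is None:
        return True  # fail closed: corrupt gzip is not handed to the converter
    # Raster formats start with binary magic, so only markup-led content is searched.
    return head.startswith(b"<") and SVG_MARKERS.search(head) is not None


def filter_uploads(uploads: dict) -> dict:
    """Split {name: bytes} into names to process and names to reject."""
    verdict = {"process": [], "reject": []}
    for name, data in uploads.items():
        verdict["reject" if looks_like_svg(data) else "process"].append(name)
    return verdict


# Constructed sample inputs; file names deliberately do not match the content.
SAMPLES = {
    "photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
    "avatar.jpg": b'<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg"/>',
    "logo.gif": b'<svg:svg xmlns:svg="http://www.w3.org/2000/svg"></svg:svg>',
    "icon.bin": gzip.compress(b"<svg width='1' height='1'/>"),
    "wide.png": "<svg/>".encode("utf-16"),
    "broken.gz": GZIP_MAGIC + b"\xff" * 8,
}
```

Calling `filter_uploads(SAMPLES)` leaves only `photo.png` in the `process` list; everything else, including the undecodable gzip, is rejected.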
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
No patches discovered yet.
References
[1] bugzilla.redhat.com/show_bug.cgi (mitre, x_refsource_MISC)