CVE-2024-41817
Published: 29 July 2024
Summary
CVE-2024-41817 is a high-severity Uncontrolled Search Path Element (CWE-427) vulnerability in the ImageMagick AppImage packaging (ImageMagick project). Its CVSS base score is 7.0 (High).
Operationally, EPSS ranks it in the top 4.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
ImageMagick's AppImage packaging is affected by an untrusted search path vulnerability (CWE-427). The AppRun launcher script exports MAGICK_CONFIGURE_PATH and LD_LIBRARY_PATH by prepending directories inside the mounted AppImage to whatever value each variable already holds, joined with a colon. When the variable is unset or empty, which is the normal case on a desktop, the result contains an empty path component (a trailing colon). The dynamic loader resolves an empty element of LD_LIBRARY_PATH to the current working directory, and, per the advisory, ImageMagick's configuration-file search treats an empty element of MAGICK_CONFIGURE_PATH the same way, so the ImageMagick 7.x AppImage (prior to 7.1.1-36, written "7.11-36" in the advisory text) loads shared libraries or configuration files from whatever directory it happens to be launched in.
An attacker with local access who can write to the directory from which a victim will launch the AppImage (a shared /tmp, a downloads folder, an unpacked archive) exploits the flaw by planting a shared library or configuration file under a name the AppImage resolves at start-up. When a user or process subsequently runs the AppImage from that directory, ImageMagick loads the attacker's file, resulting in arbitrary code execution with the privileges of the user running ImageMagick. The CVSS 7.0 score reflects the local attack vector, high attack complexity (the attacker must arrange for the victim to run ImageMagick from a directory the attacker controls), low privileges required and no user interaction, with full impact on confidentiality, integrity and availability.
The GitHub Security Advisory GHSA-8rxc-922v-phg8 and the referenced commit 6526a2b28510ead6a3e14de711bb991ad9abff38 document the root cause in the AppRun script and confirm the issue is resolved in ImageMagick 7.1.1-36 by ensuring that the exported variables never contain an empty path component. The EPSS score has remained near 0.19 with only minor fluctuation since disclosure.
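The launcher pattern described above, reduced to its essentials as an added example. This is not ImageMagick's AppRun script or the fix commit; the mount-point path, the variable names used in the demonstration and the function names are illustrative. It places the vulnerable colon-join beside a hardened form that uses POSIX `${var:+word}` so the separator is only emitted when there is something to append, and adds a check that flags an empty component in any colon-separated search path, which is the condition ld.so turns into "search the current directory".

```sh
#!/bin/sh
# Added example, not ImageMagick's AppRun. Shows how an AppImage launcher that
# prepends its own directories to a colon-separated variable ends up with an
# empty component, and how to build the value safely. Paths are hypothetical.

HERE="/tmp/.mount_IM_example"   # hypothetical AppImage mount point

# Vulnerable join: always emits the ':' separator, so an unset or empty
# existing value ($2) yields a trailing ':' and therefore an empty component.
vulnerable_join() {
    printf '%s:%s' "$1" "$2"
}

# Hardened join: the separator and the old value are emitted only when the
# old value is non-empty (POSIX ${var:+word}), so no empty component appears.
safe_join() {
    printf '%s%s' "$1" "${2:+:$2}"
}

# True (exit 0) when a colon-separated list has an empty component: a leading
# or trailing ':' or '::' anywhere. ld.so resolves such an element to the
# current working directory. An entirely empty value also counts.
has_empty_component() {
    case ":$1:" in
        *::*) return 0 ;;
    esac
    return 1
}

# Audit helper: inspect a variable by name in the current shell environment.
# Returns 1 only if the variable is set and contains an empty component.
audit_var() {
    name="$1"
    eval "value=\${$name:-}"
    if [ -z "$value" ]; then
        printf '%s: not set\n' "$name"
        return 0
    fi
    if has_empty_component "$value"; then
        printf '%s: UNSAFE, empty component resolves to cwd: %s\n' "$name" "$value"
        return 1
    fi
    printf '%s: ok: %s\n' "$name" "$value"
    return 0
}

# Demonstration with an empty pre-existing value (the common desktop case).
existing=""
printf 'vulnerable: %s\n' "$(vulnerable_join "$HERE/usr/lib" "$existing")"
printf 'hardened:   %s\n' "$(safe_join "$HERE/usr/lib" "$existing")"
```

To check a real launcher rather than this model, start the AppImage with a long-running operation and read the child's environment from `/proc/<pid>/environ` (NUL-separated; `tr '\0' '\n'` makes it readable), then run the value of each variable through `has_empty_component`. If a launcher follows the unconditional join pattern, exporting both variables to a harmless non-empty value before launching also removes the empty component, but that is a stopgap, not a substitute for the fixed release.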
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-39202
Vulnerability details
ImageMagick is a free and open-source software suite, used for editing and manipulating digital images. The `AppImage` version `ImageMagick` might use an empty path when setting `MAGICK_CONFIGURE_PATH` and `LD_LIBRARY_PATH` environment variables while executing, which might lead to arbitrary code execution by loading malicious configuration files or shared libraries in the current working directory while executing `ImageMagick`. The vulnerability is fixed in 7.11-36.
- CWE(s): CWE-427 Uncontrolled Search Path Element
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
ImageMagick 7.x AppImage builds prior to 7.1.1-36 (given as 7.11-36 in the advisory text). The flaw is in the AppImage's AppRun launcher script, not in the ImageMagick libraries themselves.
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE. Until then, the practical controls follow from the mechanism: upgrade to an ImageMagick AppImage of 7.1.1-36 or later; do not launch an older AppImage from a directory that other local users can write to (a shared /tmp, a directory holding untrusted uploads or unpacked archives); and on multi-user hosts prefer a build that does not use the affected AppRun launcher, since that script, not the libraries, is where the empty path component is introduced.