1735658 – (CVE-2019-1010174) CVE-2019-1010174 Cimg: command injection in function load_network()

Bug 1735658 (CVE-2019-1010174) - CVE-2019-1010174 Cimg: command injection in function load_network()

Summary: CVE-2019-1010174 Cimg: command injection in function load_network()

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2019-1010174
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2019-08-01 08:17 UTC by Dhananjay Arunesh
Modified:	2021-10-27 10:47 UTC (History)
CC List:	3 users (show)
Fixed In Version:	CImg 2.3.4
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2021-10-27 10:47:12 UTC
Embargoed:

Attachments	(Terms of Use)

Description Dhananjay Arunesh 2019-08-01 08:17:45 UTC

A vulnerability was found in CImg The CImg Library v.2.3.3 and earlier is affected by: command injection. The impact is: RCE. The component is: load_network() function. The attack vector is: Loading an image from a user-controllable url can lead to command injection, because no string sanitization is done on the url.

Reference:
https://framagit.org/dtschump/CImg/commit/5ce7a426b77f814973e56182a0e76a2b04904146

Note You need to log in before you can comment on or make changes to this bug.