Researchers from the company Metabase Q disclosed the details two security vulnerabilities in the software ImageMagick , which is a console image editor, which is often used for batch processing of bitmap files. The vulnerabilities found could potentially lead to websites crashing and disclosure of confidential information.

• CVE-2022-44267 is a DoS vulnerability that occurs when parsing a PNG image with a filename consisting of a single dash (“-“).
• CVE-2022-44268 is an information disclosure vulnerability that can be used to read arbitrary files from a server while parsing an image.

It is worth noting that both vulnerabilities can only be exploited when using ImageMagick to directly upload or process images on the target website.

If you specify “-” (hyphen) as the name for an image, the site may freeze and become unresponsive when trying to read its content. Similarly, if the name of an image refers to a real file located on the server, ImageMagick’s image processing operation could potentially access it, allowing sensitive information to be obtained or malicious code to be embedded in the file.

This is not the first time that ImageMagick’s security vulnerabilities have been discovered. May 2016 many flaws were found in the software, one of which, called ImageTragick could be used for remote code execution when processing user-submitted images.

And a few years later, in November 2020, a shell injection vulnerability was discovered, in which an attacker could insert arbitrary commands when converting encrypted PDF files to images using the “-authenticate” command line parameter.