CVE-2021-45463
HIGHGEGL < 0.4.34 - OS Command Injection via ImageMagick Convert Fallback
Title source: llmDescription
load_cache in GEGL before 0.4.34 allows shell expansion when a pathname in a constructed command line is not escaped or filtered. This is caused by use of the system library function for execution of the ImageMagick convert fallback in magick-load. NOTE: GEGL releases before 0.4.34 are used in GIMP releases before 2.10.30; however, this does not imply that GIMP builds enable the vulnerable feature.
References (8)
Core 8
Core References
Release Notes, Third Party Advisory x_refsource_misc
https://gitlab.gnome.org/GNOME/gegl/-/blob/master/docs/NEWS.adoc
Patch, Third Party Advisory x_refsource_misc
https://gitlab.gnome.org/GNOME/gegl/-/commit/bfce470f0f2f37968862129d5038b35429f2909b
Patch, Third Party Advisory x_refsource_misc
https://gitlab.gnome.org/GNOME/gimp/-/commit/e8a31ba4f2ce7e6bc34882dc27c97fba993f5868
Release Notes, Vendor Advisory x_refsource_misc
https://www.gimp.org/news/2021/12/21/gimp-2-10-30-released/
Mailing List, Third Party Advisory vendor-advisory
x_refsource_fedora
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CG635WJCNXHJM5U4BGMAAP4NK2YFTQXK/
Mailing List, Third Party Advisory vendor-advisory
x_refsource_fedora
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZP5NDNOTMPI335FXE7VUPW7FXYTT7PYN/
Vendor Advisory x_refsource_confirm
https://gitlab.gnome.org/GNOME/gegl/-/issues/298
Scores
CVSS v3
7.8
EPSS
0.0206
EPSS Percentile
84.1%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Details
Status
published
Products (6)
fedoraproject/fedora
34
fedoraproject/fedora
35
gegl/gegl
< 0.4.34
gimp/gimp
< 2.10.30
redhat/enterprise_linux
7.0
redhat/enterprise_linux
8.0
Published
Dec 23, 2021
Tracked Since
Feb 18, 2026