CVE-2023-5349 - OpenCVE

A memory leak flaw was found in ruby-magick, an interface between Ruby and ImageMagick. This issue can lead to a denial of service (DOS) by memory exhaustion.

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction Required

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Rmagick	Rmagick
Fedoraproject	Fedora

Configuration 1 [-]

cpe:2.3:a:rmagick:rmagick:*:*:*:*:*:ruby:*:*

Configuration 2 [-]

cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*

References

Link	Resource
https://access.redhat.com/security/cve/CVE-2023-5349	Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2247064	Issue Tracking Third Party Advisory
https://github.com/rmagick/rmagick/issues/1401	Exploit Issue Tracking Third Party Advisory
https://github.com/rmagick/rmagick/pull/1406	Patch
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/S3XMQ2KWPYGT447EKPENGXXHKAQ5NUWF/

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: redhat

Published: 2023-10-30T20:27:59.972Z

Updated: 2023-10-30T20:27:59.972Z

Reserved: 2023-10-03T11:23:23.861Z

Link: CVE-2023-5349

JSON object: View

NVD Information

Status : Modified

Published: 2023-10-30T21:15:07.643

Modified: 2023-11-09T02:15:08.000

Link: CVE-2023-5349

JSON object: View

Redhat Information

No data.

CWE

CWE-401

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2023-5349", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2023-10-03T11:23:23.861Z", "datePublished": "2023-10-30T20:27:59.972Z", "dateUpdated": "2023-10-30T20:27:59.972Z"}, "containers": {"cna": {"title": "Draw while calling getdrawinfo()", "metrics": [{"other": {"content": {"value": "Low", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "A memory leak flaw was found in ruby-magick, an interface between Ruby and ImageMagick. This issue can lead to a denial of service (DOS) by memory exhaustion."}], "affected": [{"product": "rmagick", "vendor": "n/a", "defaultStatus": "affected"}, {"vendor": "Red Hat", "product": "Red Hat 3scale API Management Platform 2", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "3scale-amp-system-container", "defaultStatus": "unknown", "cpes": ["cpe:/a:redhat:red_hat_3scale_amp:2"]}, {"product": "Fedora", "vendor": "Fedora", "collectionURL": "https://packages.fedoraproject.org/", "packageName": "rubygem-rmagick", "defaultStatus": "affected"}], "references": [{"url": "https://access.redhat.com/security/cve/CVE-2023-5349", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2247064", "name": "RHBZ#2247064", "tags": ["issue-tracking", "x_refsource_REDHAT"]}, {"url": "https://github.com/rmagick/rmagick/issues/1401"}, {"url": "https://github.com/rmagick/rmagick/pull/1406"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/S3XMQ2KWPYGT447EKPENGXXHKAQ5NUWF/"}], "datePublic": "2023-07-07T00:00:00+00:00", "problemTypes": [{"descriptions": [{"cweId": "CWE-401", "description": "Missing Release of Memory after Effective Lifetime", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-401: Missing Release of Memory after Effective Lifetime", "timeline": [{"lang": "en", "time": "2023-08-13T00:00:00+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2023-07-07T00:00:00+00:00", "value": "Made public."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2023-10-30T20:27:59.972Z"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:rmagick:rmagick:*:*:*:*:*:ruby:*:*", "matchCriteriaId": "B9093FAF-BBDD-4BAD-9274-6896A5F0BF47", "versionEndExcluding": "5.3.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*", "matchCriteriaId": "E30D0E6F-4AE8-4284-8716-991DFA48CC5D", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A memory leak flaw was found in ruby-magick, an interface between Ruby and ImageMagick. This issue can lead to a denial of service (DOS) by memory exhaustion."}, {"lang": "es", "value": "Se encontr\u00f3 una falla de p\u00e9rdida de memoria en Ruby-Magick, una interfaz entre Ruby e ImageMagick. Este problema puede provocar una denegaci\u00f3n de servicio (DOS) por agotamiento de la memoria."}], "id": "CVE-2023-5349", "lastModified": "2023-11-09T02:15:08.000", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 3.3, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "secalert@redhat.com", "type": "Secondary"}]}, "published": "2023-10-30T21:15:07.643", "references": [{"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/security/cve/CVE-2023-5349"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2247064"}, {"source": "secalert@redhat.com", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"], "url": "https://github.com/rmagick/rmagick/issues/1401"}, {"source": "secalert@redhat.com", "tags": ["Patch"], "url": "https://github.com/rmagick/rmagick/pull/1406"}, {"source": "secalert@redhat.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/S3XMQ2KWPYGT447EKPENGXXHKAQ5NUWF/"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-401"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-401"}], "source": "secalert@redhat.com", "type": "Secondary"}]}