CVE-2021-45463

Source
https://cve.org/CVERecord?id=CVE-2021-45463
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-45463.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2021-45463
Downstream
Related
Published
2021-12-23T06:15:06.787Z
Modified
2026-03-10T23:40:30.546648Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

load_cache in GEGL before 0.4.34 allows shell expansion when a pathname in a constructed command line is not escaped or filtered. The cause is the use of the C library system() function, which passes the whole command string to a shell, to run the ImageMagick convert fallback in magick-load. NOTE: GEGL releases before 0.4.34 are used in GIMP releases before 2.10.30; however, this does not imply that GIMP builds enable the vulnerable feature.

References

Affected packages

Git / github.com/gnome/gimp

Affected ranges

Type
GIT
Repo
https://github.com/gnome/gimp
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2.10.30"
        }
    ]
}
Type
GIT
Repo
https://gitlab.gnome.org/GNOME/gegl
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "0.4.34"
        }
    ]
}
Type
Repo
https://gitlab.gnome.org/GNOME/gimp
Events
Introduced
0 Unknown introduced version / All previous versions are affected
Fixed
e8a31ba4f2ce7e6bc34882dc27c97fba993f5868

Affected versions

Other
BASE_ZERO
BEFORE_GIMAGE_IS_FLAT_REMOVAL
BEFORE_MATTS_CRAZY_TOOL_PATCH
BEFORE_TILE_MADNESS
FOR_PANEL
GEGL_0_0_14
GEGL_0_0_16
GEGL_0_0_4
GEGL_0_1_0_REAL
GEGL_0_1_2
GEGL_0_1_4
GEGL_0_1_6
GEGL_0_1_8
GEGL_0_2_0
GEGL_0_3_0
GEGL_0_3_10
GEGL_0_3_12
GEGL_0_3_14
GEGL_0_3_16
GEGL_0_3_18
GEGL_0_3_2
GEGL_0_3_20
GEGL_0_3_22
GEGL_0_3_24
GEGL_0_3_26
GEGL_0_3_28
GEGL_0_3_30
GEGL_0_3_34
GEGL_0_3_4
GEGL_0_3_6
GEGL_0_3_8
GEGL_0_4_0
GEGL_0_4_10
GEGL_0_4_12
GEGL_0_4_14
GEGL_0_4_16
GEGL_0_4_18
GEGL_0_4_2
GEGL_0_4_20
GEGL_0_4_24
GEGL_0_4_26
GEGL_0_4_28
GEGL_0_4_30
GEGL_0_4_32
GEGL_0_4_4
GEGL_0_4_6
GEGL_0_4_8
GEGL_20001120_v002
GEGL_BEFORE_CLEANUP
GIMP_0_99_16
GIMP_0_99_17
GIMP_0_99_18
GIMP_0_99_19
GIMP_0_99_20
GIMP_0_99_21
GIMP_0_99_22
GIMP_0_99_23
GIMP_0_99_24
GIMP_0_99_25
GIMP_0_99_27
GIMP_0_99_28
GIMP_0_99_29
GIMP_19990910
GIMP_1_0_0
GIMP_1_1_0
GIMP_1_1_1
GIMP_1_1_10
GIMP_1_1_11
GIMP_1_1_12
GIMP_1_1_13
GIMP_1_1_14
GIMP_1_1_15
GIMP_1_1_16
GIMP_1_1_17
GIMP_1_1_18
GIMP_1_1_19
GIMP_1_1_2
GIMP_1_1_20
GIMP_1_1_21
GIMP_1_1_22
GIMP_1_1_23
GIMP_1_1_24
GIMP_1_1_25
GIMP_1_1_26
GIMP_1_1_27
GIMP_1_1_28
GIMP_1_1_29
GIMP_1_1_3
GIMP_1_1_30
GIMP_1_1_31
GIMP_1_1_32
GIMP_1_1_4
GIMP_1_1_5
GIMP_1_1_6
GIMP_1_1_7
GIMP_1_1_8
GIMP_1_1_9
GIMP_1_2_0
GIMP_1_3_0
GIMP_1_3_1
GIMP_1_3_10
GIMP_1_3_11
GIMP_1_3_12
GIMP_1_3_13
GIMP_1_3_14
GIMP_1_3_15
GIMP_1_3_16
GIMP_1_3_17
GIMP_1_3_18
GIMP_1_3_19
GIMP_1_3_2
GIMP_1_3_20
GIMP_1_3_21
GIMP_1_3_22
GIMP_1_3_23
GIMP_1_3_24
GIMP_1_3_25
GIMP_1_3_26
GIMP_1_3_27
GIMP_1_3_3
GIMP_1_3_4
GIMP_1_3_5
GIMP_1_3_6
GIMP_1_3_7
GIMP_1_3_8
GIMP_1_3_9
GIMP_2_0_0
GIMP_2_0_1
GIMP_2_0_RC1
GIMP_2_10_0
GIMP_2_10_0_RC1
GIMP_2_10_0_RC2
GIMP_2_10_10
GIMP_2_10_12
GIMP_2_10_14
GIMP_2_10_16
GIMP_2_10_18
GIMP_2_10_2
GIMP_2_10_20
GIMP_2_10_22
GIMP_2_10_24
GIMP_2_10_26
GIMP_2_10_28
GIMP_2_10_4
GIMP_2_10_6
GIMP_2_10_8
GIMP_2_1_0
GIMP_2_1_1
GIMP_2_1_2
GIMP_2_1_3
GIMP_2_1_4
GIMP_2_1_5
GIMP_2_1_6
GIMP_2_1_7
GIMP_2_2_0
GIMP_2_2_1
GIMP_2_2_PRE1
GIMP_2_2_PRE2
GIMP_2_3_0
GIMP_2_3_1
GIMP_2_3_10
GIMP_2_3_11
GIMP_2_3_12
GIMP_2_3_13
GIMP_2_3_14
GIMP_2_3_16
GIMP_2_3_17
GIMP_2_3_18
GIMP_2_3_19
GIMP_2_3_2
GIMP_2_3_3
GIMP_2_3_4
GIMP_2_3_5
GIMP_2_3_6
GIMP_2_3_7
GIMP_2_3_8
GIMP_2_3_9
GIMP_2_4_0_RC1
GIMP_2_4_0_RC2
GIMP_2_4_0_RC3
GIMP_2_4_1
GIMP_2_5_0
GIMP_2_5_1
GIMP_2_5_2
GIMP_2_5_3
GIMP_2_5_4
GIMP_2_6_0
GIMP_2_6_1
GIMP_2_7_0
GIMP_2_7_1
GIMP_2_7_2
GIMP_2_7_3
GIMP_2_7_4
GIMP_2_7_5
GIMP_2_8_0
GIMP_2_8_0_RC1
GIMP_2_9_2
GIMP_2_9_4
GIMP_2_9_6
GIMP_2_9_8
GIMP_BEFORE_GTK_2_0
GNOME_2_4_BRANCHPOINT
GNOME_BASE
GNOME_PRINT_0_24
LIBRSVG_2_1_1
LIBRSVG_2_1_2
LIBRSVG_2_1_3
LIBRSVG_2_1_4
LIBRSVG_2_1_5
LIBRSVG_2_2_0
NEEDS_GIMP_2_3_10
PROJECT_SUNLIGHT_ANCHOR
ROSALIA_BEFORE_COMMITTING_DL_AND_GNOME_HELLO
SCRIPT_FU_BEFORE_TINYSCHEME
SCRIPT_FU_MERGE
SNAP_19971121
TINY_FU_0_9_3
TINY_FU_0_9_4
TINY_FU_0_9_5
TINY_FU_0_9_6
TINY_FU_0_9_7
TINY_FU_0_9_8
TINY_FU_1_0_0
TINY_FU_1_0_1
TINY_FU_1_0_RC1
TINY_FU_1_1_0
gimp
release-2-2-4
release-2-2-5
release-2-3-0
release-2-4-0
soc-2012-unified-transform-after-gsoc
soc-2012-unified-transform-before-gsoc

Database specific

unresolved_ranges
[
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "7.0"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "8.0"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "34"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "35"
            }
        ]
    }
]
vanir_signatures
[
    {
        "signature_type": "Line",
        "deprecated": false,
        "id": "CVE-2021-45463-545bf2e7",
        "target": {
            "file": "operations/common/magick-load.c"
        },
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "204656693516598797247944687334630417858",
                "205331999004398618638246065926072621471",
                "228401211117260601025838507140243530877",
                "128084200600833044840767920327319656820",
                "229353021992037806657788438028261732048",
                "277025921432043170450961430521714974645",
                "212021369364349033691515206338755461274",
                "42701105836285997329738907707896860258",
                "95804032509790756066560248792450264421",
                "150580133441633138264085914028941774675",
                "129882534599325522544587683728747787904",
                "229691599292752779220264139035702382086",
                "243679414377773392827599810021157269145",
                "187515048314288443767184081863520467544",
                "140017922328239657363293799199866067736"
            ]
        },
        "signature_version": "v1",
        "source": "https://gitlab.gnome.org/GNOME/gegl@bfce470f0f2f37968862129d5038b35429f2909b"
    },
    {
        "signature_type": "Function",
        "deprecated": false,
        "id": "CVE-2021-45463-c5a1f042",
        "target": {
            "file": "operations/common/magick-load.c",
            "function": "load_cache"
        },
        "digest": {
            "length": 710.0,
            "function_hash": "280631963024744360037893231292509707580"
        },
        "signature_version": "v1",
        "source": "https://gitlab.gnome.org/GNOME/gegl@bfce470f0f2f37968862129d5038b35429f2909b"
    }
]
source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-45463.json"