CVE-2023-5349
Memory Leak vulnerability in rmagick (RubyGems)
What is CVE-2023-5349 About?
This is a memory leak flaw in ruby-magick, an interface for ImageMagick, which can cause a denial of service by memory exhaustion. Malicious input can lead to continuous memory consumption, eventually crashing the application. Exploitation is likely to be of moderate difficulty, requiring specific input that triggers the leak.
Affected Software
Technical Details
The vulnerability centers around a memory leak within the ruby-magick library when processing certain image operations. ruby-magick is an interface between Ruby applications and the ImageMagick library. When specific types of input or image manipulation requests are made through ruby-magick, the underlying ImageMagick operations or ruby-magick's handling of these operations fail to properly release allocated memory. This continuous accumulation of unreleased memory, if triggered repeatedly or with large enough inputs, can exhaust the system's available memory, leading to a denial of service (DoS) for the affected service.
What is the Impact of CVE-2023-5349?
Successful exploitation may allow attackers to disrupt application availability, degrade system performance, or cause the application to become unresponsive by consuming excessive resources.
What is the Exploitability of CVE-2023-5349?
Exploitation depends on an application using ruby-magick to process user-controlled input, typically image files or parameters. The complexity is likely moderate, requiring an attacker to understand how to craft input that triggers the memory leak. There are no specific authentication or privilege requirements if the ruby-magick functionality is exposed to unauthenticated users, making it a potentially remote attack. If only authenticated users can upload or manipulate images, then authentication would be required. The primary risk factor is applications that process untrusted image data using ruby-magick.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2023-5349?
Available Upgrade Options
- rmagick
  - <5.3.0 → Upgrade to 5.3.0
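To check which side of the 5.3.0 boundary a project sits on, the following added example (not code from this advisory or from the rmagick project) reads the resolved rmagick version out of a `Gemfile.lock` and compares it with the fixed release. The sample lockfile and the gem name `example_uploader` are constructed for illustration.

```ruby
require "rubygems" # Gem::Version; loaded by default, required here for clarity

# First fixed release according to this advisory.
FIXED_VERSION = Gem::Version.new("5.3.0")

# Returns the resolved rmagick version from Gemfile.lock text, or nil if the
# gem is not locked. Resolved specs are indented four spaces; dependency
# constraints such as "rmagick (>= 4.0)" are indented six and must be ignored.
def locked_rmagick_version(lockfile_text)
  lockfile_text.each_line do |line|
    m = line.match(/\A {4}rmagick \(([^)\s]+)\)\s*\z/)
    next unless m
    # Drop a platform suffix such as "-x86_64-linux" if one is present.
    return Gem::Version.new(m[1].split("-").first)
  end
  nil
end

# Classifies a lockfile as :not_present, :vulnerable or :fixed.
def rmagick_status(lockfile_text)
  version = locked_rmagick_version(lockfile_text)
  return :not_present if version.nil?
  version < FIXED_VERSION ? :vulnerable : :fixed
end

# Constructed sample lockfile: rmagick arrives as a transitive dependency of a
# hypothetical gem, which is how it is often missed in a Gemfile review.
SAMPLE_VULNERABLE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      example_uploader (1.0.0)
        rmagick (>= 4.0)
      rmagick (5.2.0)

  DEPENDENCIES
    example_uploader
LOCK

# Run against a real lockfile when a path is given on the command line.
if __FILE__ == $PROGRAM_NAME && ARGV[0]
  status = rmagick_status(File.read(ARGV[0]))
  puts "rmagick: #{status}"
  exit(status == :vulnerable ? 1 : 0)
end
```

The non-zero exit status on a vulnerable lockfile lets the script act as a CI gate.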
Additional Resources
- https://github.com/rmagick/rmagick
- https://github.com/advisories/GHSA-frgf-8jr5-j2jv
- https://github.com/rmagick/rmagick/issues/1401
- https://github.com/rmagick/rmagick/commit/fec7a7e639ae565386f7615155dbcf49b957b64a
- https://nvd.nist.gov/vuln/detail/CVE-2023-5349
- https://access.redhat.com/security/cve/CVE-2023-5349
- https://github.com/rmagick/rmagick/commit/02f37ca0d6c2b8fff316e0668efa690f5c90a429
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/S3XMQ2KWPYGT447EKPENGXXHKAQ5NUWF/
What are Similar Vulnerabilities to CVE-2023-5349?
Similar Vulnerabilities: CVE-2023-34106, CVE-2023-28828, CVE-2023-45802, CVE-2023-35805, CVE-2023-4122
