CVE-2022-44267: 
JavaScript vulnerability analysis and mitigation

ImageMagick version 7.1.0-49 was found to contain a Denial of Service vulnerability identified as CVE-2022-44267. The vulnerability was discovered during an APT Simulation engagement by the Ocelot team and was disclosed in February 2023. The issue affects the PNG image parsing functionality in ImageMagick, specifically when performing operations such as image resizing (Metabase Q, NVD).

The vulnerability occurs when ImageMagick parses a PNG file containing a textual chunk type (tEXt). If the keyword in this chunk is set to 'profile' and the text string is set to a single dash '-', ImageMagick will attempt to read content from standard input. This causes the convert process to become stuck waiting for stdin input, effectively creating a denial of service condition. The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Medium), with attack vector: Network, attack complexity: Low, privileges required: None, user interaction: Required, scope: Unchanged, and availability impact: High (Ubuntu, Metabase Q).

When successfully exploited, this vulnerability can cause the ImageMagick convert process to become unresponsive, preventing it from processing other images. This can lead to a denial of service condition, particularly impacting systems that rely on ImageMagick for image processing operations (NVD, Metabase Q).

The vulnerability has been patched in subsequent versions of ImageMagick. Various Linux distributions have released security updates to address this issue, including Debian (version 8:6.9.11.60+dfsg-1.3+deb11u1), Ubuntu, and Fedora. Users are recommended to upgrade their ImageMagick packages to the latest version (Debian Security, Ubuntu).