CVE-2022-44268: 
JavaScript vulnerability analysis and mitigation

ImageMagick version 7.1.0-49 was found to contain an Information Disclosure vulnerability identified as CVE-2022-44268. When processing PNG images, particularly during resize operations, the software could potentially embed the content of arbitrary files into the resulting image, provided the ImageMagick binary had permission to read those files. This vulnerability was discovered in late 2022 and publicly disclosed in early 2023 (Metabase Q, NVD).

The vulnerability exists in ImageMagick's PNG processing functionality. When parsing a PNG file with a textual chunk type (tEXt), if the keyword is set to 'profile', ImageMagick interprets the text string as a filename and loads its content as a raw profile. The content is then embedded into the processed image through the SetImageProfile function. This occurs during common image operations such as resize. The vulnerability stems from insufficient validation of the profile data source, allowing arbitrary file contents to be embedded in the resulting image (Metabase Q).

The vulnerability allows attackers to read arbitrary files from the system where ImageMagick is running, provided the ImageMagick binary has read permissions for those files. This could lead to exposure of sensitive information such as configuration files, credentials, or other confidential data stored on the system (Red Hat, Debian).

The vulnerability has been patched in subsequent versions of ImageMagick. Various Linux distributions have released security updates to address this issue, including Debian (version 8:6.9.11.60+dfsg-1.3+deb11u1) and Fedora (version 6.9.12.77-1). Users are strongly recommended to upgrade their ImageMagick installations to the latest version (Debian, Fedora).