CVE-2023-34153: 
ImageMagick vulnerability analysis and mitigation

A shell command injection vulnerability (CVE-2023-34153) was discovered in ImageMagick, affecting versions up to 7.1.1.11. The vulnerability exists in the VIDEO encoding/decoding functionality, specifically through the video:vsync and video:pixel-format options. This security flaw was identified on May 17, 2023, and publicly disclosed on May 30, 2023 (NVD, GitHub Issue).

The vulnerability stems from improper input sanitization in the ExternalDelegateCommand function. While the command string is sanitized with SanitizeString and scanned for illegal characters, the illegal character set only contains '&;<>|' and not quotation marks. This oversight allows for command injection through the video:vsync and video:pixel-format options. The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (High), with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (NVD).

If exploited, this vulnerability could allow an attacker to execute arbitrary shell commands through specially crafted video:vsync or video:pixel-format options during VIDEO encoding/decoding operations. This could lead to unauthorized command execution with the privileges of the ImageMagick process (GitHub Issue).

The vulnerability has been fixed in ImageMagick version 7.1.1.11. Users are advised to upgrade to this version or later. Various Linux distributions have also released security updates to address this vulnerability, including Fedora 37 and 38 (Fedora 37 Update, Fedora 38 Update).