Access to Confidential Data Possible via Image Conversion (FSC21814)
ID: FSC21814
Affected Components: Fabasoft Cloud Web Services, Fabasoft Folio Web Services
Severity: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N, Base Score: 6.5 (Medium)
Status: Final
First published: 14.05.2020
CVEs: CVE-2018-16323
Summary
Due to the vulnerability CVE-2018-16323 in ImageMagick, memory fragments can be leaked via the image data when images are converted and downloaded.
Impact
By repeatedly downloading converted images, an attacker can read parts of the memory of a Fabasoft Web Service that may contain sensitive information.
Remediation
Hotfix Information
Fixed with the following versions of Fabasoft Cloud or Fabasoft Folio:
- Fabasoft Cloud Version 2020 June Release (Version 20.3.1)
- Fabasoft Folio Version 2021 (Version 21.1.0)