Access to Confidential Data Possible via Image Conversion (FSC21814)

Last update: 25 November 2020

ID: FSC21814

Affected Components: Fabasoft Cloud Web Services, Fabasoft Folio Web Services

Severity: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N, Base Score: 6.5 (Medium)

Status: Final

First published: 14 May 2020

CVEs: CVE-2018-16323

Summary

Due to the vulnerability CVE-2018-16323 in ImageMagick, memory fragments can be leaked via the image data when images are converted and downloaded.

Impact

By repeatedly downloading converted images, an attacker can read parts of the memory of a Fabasoft Web Service that may contain sensitive information.

Remediation

Hotfix Information

Fixed with the following versions of Fabasoft Cloud or Fabasoft Folio:

  • Fabasoft Cloud Version 2020 June Release (Version 20.3.1)
  • Fabasoft Folio Version 2021 (Version 21.1.0)