CVE-2021-45463
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2021-45463
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-45463.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2021-45463
- Downstream
- Related
- Published
- 2021-12-23T06:15:06Z
- Modified
- 2025-10-15T13:30:22.156590Z
- Severity
-
- 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- [none]
- Details
-
load_cache in GEGL before 0.4.34 allows shell expansion when a pathname in a constructed command line is not escaped or filtered. This is caused by use of the system library function for execution of the ImageMagick convert fallback in magick-load. NOTE: GEGL releases before 0.4.34 are used in GIMP releases before 2.10.30; however, this does not imply that GIMP builds enable the vulnerable feature.
- References
-
- https://gitlab.gnome.org/GNOME/gegl/-/blob/master/docs/NEWS.adoc
- https://gitlab.gnome.org/GNOME/gegl/-/commit/bfce470f0f2f37968862129d5038b35429f2909b
- https://gitlab.gnome.org/GNOME/gegl/-/issues/298
- https://gitlab.gnome.org/GNOME/gimp/-/commit/e8a31ba4f2ce7e6bc34882dc27c97fba993f5868
- https://www.gimp.org/news/2021/12/21/gimp-2-10-30-released/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CG635WJCNXHJM5U4BGMAAP4NK2YFTQXK/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZP5NDNOTMPI335FXE7VUPW7FXYTT7PYN/
Affected packages
Git / github.com/gnome/gimp
Affected ranges
- Type
- GIT
- Repo
- https://github.com/gnome/gimp
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
- Type
- GIT
- Repo
- https://gitlab.gnome.org/GNOME/gegl
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
- Type
- GIT
- Repo
- https://gitlab.gnome.org/GNOME/gimp
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
Other
BASE_ZERO
BEFORE_GIMAGE_IS_FLAT_REMOVAL
BEFORE_MATTS_CRAZY_TOOL_PATCH
BEFORE_TILE_MADNESS
FOR_PANEL
GEGL_0_0_14
GEGL_0_0_16
GEGL_0_0_4
GEGL_0_1_0_REAL
GEGL_0_1_2
GEGL_0_1_4
GEGL_0_1_6
GEGL_0_1_8
GEGL_0_2_0
GEGL_0_3_0
GEGL_0_3_10
GEGL_0_3_12
GEGL_0_3_14
GEGL_0_3_16
GEGL_0_3_18
GEGL_0_3_2
GEGL_0_3_20
GEGL_0_3_22
GEGL_0_3_24
GEGL_0_3_26
GEGL_0_3_28
GEGL_0_3_30
GEGL_0_3_34
GEGL_0_3_4
GEGL_0_3_6
GEGL_0_3_8
GEGL_0_4_0
GEGL_0_4_10
GEGL_0_4_12
GEGL_0_4_14
GEGL_0_4_16
GEGL_0_4_18
GEGL_0_4_2
GEGL_0_4_20
GEGL_0_4_24
GEGL_0_4_26
GEGL_0_4_28
GEGL_0_4_30
GEGL_0_4_32
GEGL_0_4_4
GEGL_0_4_6
GEGL_0_4_8
GEGL_20001120_v002
GEGL_BEFORE_CLEANUP
GIMP_0_99_16
GIMP_0_99_17
GIMP_0_99_18
GIMP_0_99_19
GIMP_0_99_20
GIMP_0_99_21
GIMP_0_99_22
GIMP_0_99_23
GIMP_0_99_24
GIMP_0_99_25
GIMP_0_99_27
GIMP_0_99_28
GIMP_0_99_29
GIMP_19990910
GIMP_1_0_0
GIMP_1_1_0
GIMP_1_1_1
GIMP_1_1_10
GIMP_1_1_11
GIMP_1_1_12
GIMP_1_1_13
GIMP_1_1_14
GIMP_1_1_15
GIMP_1_1_16
GIMP_1_1_17
GIMP_1_1_18
GIMP_1_1_19
GIMP_1_1_2
GIMP_1_1_20
GIMP_1_1_21
GIMP_1_1_22
GIMP_1_1_23
GIMP_1_1_24
GIMP_1_1_25
GIMP_1_1_26
GIMP_1_1_27
GIMP_1_1_28
GIMP_1_1_29
GIMP_1_1_3
GIMP_1_1_30
GIMP_1_1_31
GIMP_1_1_32
GIMP_1_1_4
GIMP_1_1_5
GIMP_1_1_6
GIMP_1_1_7
GIMP_1_1_8
GIMP_1_1_9
GIMP_1_2_0
GIMP_1_3_0
GIMP_1_3_1
GIMP_1_3_10
GIMP_1_3_11
GIMP_1_3_12
GIMP_1_3_13
GIMP_1_3_14
GIMP_1_3_15
GIMP_1_3_16
GIMP_1_3_17
GIMP_1_3_18
GIMP_1_3_19
GIMP_1_3_2
GIMP_1_3_20
GIMP_1_3_21
GIMP_1_3_22
GIMP_1_3_23
GIMP_1_3_24
GIMP_1_3_25
GIMP_1_3_26
GIMP_1_3_27
GIMP_1_3_3
GIMP_1_3_4
GIMP_1_3_5
GIMP_1_3_6
GIMP_1_3_7
GIMP_1_3_8
GIMP_1_3_9
GIMP_2_0_0
GIMP_2_0_1
GIMP_2_0_RC1
GIMP_2_10_0
GIMP_2_10_0_RC1
GIMP_2_10_0_RC2
GIMP_2_10_10
GIMP_2_10_12
GIMP_2_10_14
GIMP_2_10_16
GIMP_2_10_18
GIMP_2_10_2
GIMP_2_10_20
GIMP_2_10_22
GIMP_2_10_24
GIMP_2_10_26
GIMP_2_10_28
GIMP_2_10_4
GIMP_2_10_6
GIMP_2_10_8
GIMP_2_1_0
GIMP_2_1_1
GIMP_2_1_2
GIMP_2_1_3
GIMP_2_1_4
GIMP_2_1_5
GIMP_2_1_6
GIMP_2_1_7
GIMP_2_2_0
GIMP_2_2_1
GIMP_2_2_PRE1
GIMP_2_2_PRE2
GIMP_2_3_0
GIMP_2_3_1
GIMP_2_3_10
GIMP_2_3_11
GIMP_2_3_12
GIMP_2_3_13
GIMP_2_3_14
GIMP_2_3_16
GIMP_2_3_17
GIMP_2_3_18
GIMP_2_3_19
GIMP_2_3_2
GIMP_2_3_3
GIMP_2_3_4
GIMP_2_3_5
GIMP_2_3_6
GIMP_2_3_7
GIMP_2_3_8
GIMP_2_3_9
GIMP_2_4_0_RC1
GIMP_2_4_0_RC2
GIMP_2_4_0_RC3
GIMP_2_4_1
GIMP_2_5_0
GIMP_2_5_1
GIMP_2_5_2
GIMP_2_5_3
GIMP_2_5_4
GIMP_2_6_0
GIMP_2_6_1
GIMP_2_7_0
GIMP_2_7_1
GIMP_2_7_2
GIMP_2_7_3
GIMP_2_7_4
GIMP_2_7_5
GIMP_2_8_0
GIMP_2_8_0_RC1
GIMP_2_99_2
GIMP_2_99_4
GIMP_2_99_6
GIMP_2_99_8
GIMP_2_9_2
GIMP_2_9_4
GIMP_2_9_6
GIMP_2_9_8
GIMP_BEFORE_GTK_2_0
GNOME_2_4_BRANCHPOINT
GNOME_BASE
GNOME_PRINT_0_24
LIBRSVG_2_1_1
LIBRSVG_2_1_2
LIBRSVG_2_1_3
LIBRSVG_2_1_4
LIBRSVG_2_1_5
LIBRSVG_2_2_0
NEEDS_GIMP_2_3_10
PROJECT_SUNLIGHT_ANCHOR
ROSALIA_BEFORE_COMMITTING_DL_AND_GNOME_HELLO
SCRIPT_FU_BEFORE_TINYSCHEME
SCRIPT_FU_MERGE
SNAP_19971121
TINY_FU_0_9_3
TINY_FU_0_9_4
TINY_FU_0_9_5
TINY_FU_0_9_6
TINY_FU_0_9_7
TINY_FU_0_9_8
TINY_FU_1_0_0
TINY_FU_1_0_1
TINY_FU_1_0_RC1
TINY_FU_1_1_0
gimp
release-2-2-4
release-2-2-5
release-2-3-0
release-2-4-0
soc-2012-unified-transform-after-gsoc
soc-2012-unified-transform-before-gsoc
Database specific
{
"vanir_signatures": [
{
"signature_type": "Line",
"target": {
"file": "operations/common/magick-load.c"
},
"signature_version": "v1",
"digest": {
"threshold": 0.9,
"line_hashes": [
"204656693516598797247944687334630417858",
"205331999004398618638246065926072621471",
"228401211117260601025838507140243530877",
"128084200600833044840767920327319656820",
"229353021992037806657788438028261732048",
"277025921432043170450961430521714974645",
"212021369364349033691515206338755461274",
"42701105836285997329738907707896860258",
"95804032509790756066560248792450264421",
"150580133441633138264085914028941774675",
"129882534599325522544587683728747787904",
"229691599292752779220264139035702382086",
"243679414377773392827599810021157269145",
"187515048314288443767184081863520467544",
"140017922328239657363293799199866067736"
]
},
"deprecated": false,
"source": "https://gitlab.gnome.org/GNOME/gegl@bfce470f0f2f37968862129d5038b35429f2909b",
"id": "CVE-2021-45463-545bf2e7"
},
{
"signature_type": "Function",
"target": {
"file": "plug-ins/common/file-gegl.c",
"function": "goat_load"
},
"signature_version": "v1",
"digest": {
"length": 406.0,
"function_hash": "232567990407567124372225211955018739781"
},
"deprecated": false,
"source": "https://gitlab.gnome.org/GNOME/gimp@e8a31ba4f2ce7e6bc34882dc27c97fba993f5868",
"id": "CVE-2021-45463-5ae9f593"
},
{
"signature_type": "Function",
"target": {
"file": "plug-ins/common/file-gegl.c",
"function": "goat_save"
},
"signature_version": "v1",
"digest": {
"length": 1095.0,
"function_hash": "325602421300498487202634313381657981326"
},
"deprecated": false,
"source": "https://gitlab.gnome.org/GNOME/gimp@e8a31ba4f2ce7e6bc34882dc27c97fba993f5868",
"id": "CVE-2021-45463-64911cc2"
},
{
"signature_type": "Function",
"target": {
"file": "plug-ins/common/file-gegl.c",
"function": "load_image"
},
"signature_version": "v1",
"digest": {
"length": 2677.0,
"function_hash": "220066541736347867209311728067584543521"
},
"deprecated": false,
"source": "https://gitlab.gnome.org/GNOME/gimp@e8a31ba4f2ce7e6bc34882dc27c97fba993f5868",
"id": "CVE-2021-45463-a763ccce"
},
{
"signature_type": "Line",
"target": {
"file": "plug-ins/common/file-gegl.c"
},
"signature_version": "v1",
"digest": {
"threshold": 0.9,
"line_hashes": [
"272355342410279859200826449940732078216",
"324400641763123594579210667561706815373",
"235505275591528674691157382777669610340",
"215824229624990727436204877334804017392",
"181589116391935387571594862115903002932",
"279465298659772877855523181035851941811",
"334341149011514124079492006720996730189",
"317030243397957380348600845567091220239",
"54424063384633919811258116659936780285",
"92998827775754452642798917802355732074",
"194932751598075961106514575301898891341",
"318786257860524084384494445960337263874",
"289138753077097370229557165962101892854",
"24863878829336642332148864407896463737",
"335864620174623435181102889705911347865",
"212599900754437769694055468349206947140",
"318117430156887949656114466621380106341",
"81360032140243083960943025747048761786",
"157418235021329835352358433129639248562",
"321310820852474849479991814631385176602",
"115012443917198528407241006097493931500",
"47173065112754956769934608677630296064",
"59420160105179762507729431794242463734",
"288493376445613227417009495093694473638",
"214088543806392939212070825383719589400",
"33689843734907134598701751413783625246",
"220342008517660425405062078147346592113",
"144395637085529591303603678045860380667",
"29947780552631738547556174106330106120",
"262703065364262072953933543703953177562",
"271736429866693375991702996492175954928",
"4807296305166374992204834111740800583",
"99467678680880245147391170983675341849",
"57431013448229491917792384876134377358",
"6530549309846771520116362263691968041",
"116054503070981095299400209565211261503",
"38354132420779939999267953934731745871",
"158883592015470921037188804759709653265",
"265108779084176093252823803114582457551",
"277476885363283269475407040529590529150",
"109175038096058314839869500804619486794",
"187264887567532893245228710209294774963",
"232448609230946971671442622550773520556",
"153721642834316080960014703264218891922",
"175373228955969771784033446084672707265",
"163452849989639564698913566641238463334",
"172709241644344740961671989268748148711",
"328759954698707742257083527056416596916",
"136446029032000232400191303087623791045",
"108067668611992499637184986294257872038",
"258816244616607520829607895406153354415",
"214364533003955601603654637650747066583",
"316174101673895719567079115638092316751",
"67819920075577049609648579443451550455",
"316212450106252100294399902419568501658",
"324967466155000942719537488793828467078",
"266007541595927864595621828431183211916",
"336016390179506323133132871787641020029",
"187807664928611604160508634214980051427",
"318057149261586649519745373904696255765",
"250716165746099866005971001251423461849"
]
},
"deprecated": false,
"source": "https://gitlab.gnome.org/GNOME/gimp@e8a31ba4f2ce7e6bc34882dc27c97fba993f5868",
"id": "CVE-2021-45463-bc9db6c2"
},
{
"signature_type": "Function",
"target": {
"file": "operations/common/magick-load.c",
"function": "load_cache"
},
"signature_version": "v1",
"digest": {
"length": 710.0,
"function_hash": "280631963024744360037893231292509707580"
},
"deprecated": false,
"source": "https://gitlab.gnome.org/GNOME/gegl@bfce470f0f2f37968862129d5038b35429f2909b",
"id": "CVE-2021-45463-c5a1f042"
},
{
"signature_type": "Function",
"target": {
"file": "plug-ins/common/file-gegl.c",
"function": "save_image"
},
"signature_version": "v1",
"digest": {
"length": 490.0,
"function_hash": "183386392641819766480614366880294978864"
},
"deprecated": false,
"source": "https://gitlab.gnome.org/GNOME/gimp@e8a31ba4f2ce7e6bc34882dc27c97fba993f5868",
"id": "CVE-2021-45463-fe289a83"
}
]
}