{"id":"CVE-2024-41817","summary":"Arbitrary Code Execution in the `AppImage` version of `ImageMagick`","details":"ImageMagick is a free and open-source software suite, used for editing and manipulating digital images. The `AppImage` version of `ImageMagick` might use an empty path when setting `MAGICK_CONFIGURE_PATH` and `LD_LIBRARY_PATH` environment variables while executing, which might lead to arbitrary code execution by loading malicious configuration files or shared libraries in the current working directory while executing `ImageMagick`. The vulnerability is fixed in 7.1.1-36.","aliases":["GHSA-8rxc-922v-phg8"],"modified":"2026-04-02T12:17:47.555422Z","published":"2024-07-29T15:53:17.236Z","related":["CGA-4wh7-f8p9-ppwg"],"database_specific":{"cwe_ids":["CWE-427"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/41xxx/CVE-2024-41817.json","cna_assigner":"GitHub_M"},"references":[{"type":"WEB","url":"https://github.com/ImageMagick/ImageMagick/blob/3b22378a23d59d7517c43b65b1822f023df357a0/app-image/AppRun#L11-L14"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/41xxx/CVE-2024-41817.json"},{"type":"ADVISORY","url":"https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-8rxc-922v-phg8"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-41817"},{"type":"FIX","url":"https://github.com/ImageMagick/ImageMagick/commit/6526a2b28510ead6a3e14de711bb991ad9abff38"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/imagemagick/imagemagick","events":[{"introduced":"ff8625597609915321b8f59016da22546da1a13b"},{"fixed":"852a4e91b1cdb0c055a27dae956f130941e66ac0"},{"fixed":"6526a2b28510ead6a3e14de711bb991ad9abff38"}],"database_specific":{"versions":[{"introduced":"7.0.11-13"},{"fixed":"7.1.1-36"}]}}],"versions":["7.0.11-13","7.0.11-14","7.1.0-0","7.1.0-1","7.1.0-10","7.1.0-11","7.1.0-12","7.1.0-13","7.1.0-14","7.1.0-15","7.1.0-16","7.1.0-17","7.1.0-18","7.1.0-19","7.1.0-2","7
.1.0-20","7.1.0-21","7.1.0-22","7.1.0-23","7.1.0-24","7.1.0-25","7.1.0-26","7.1.0-27","7.1.0-28","7.1.0-29","7.1.0-3","7.1.0-30","7.1.0-31","7.1.0-32","7.1.0-33","7.1.0-34","7.1.0-35","7.1.0-36","7.1.0-37","7.1.0-38","7.1.0-39","7.1.0-4","7.1.0-40","7.1.0-41","7.1.0-42","7.1.0-43","7.1.0-44","7.1.0-45","7.1.0-46","7.1.0-47","7.1.0-48","7.1.0-49","7.1.0-5","7.1.0-50","7.1.0-51","7.1.0-52","7.1.0-53","7.1.0-54","7.1.0-55","7.1.0-56","7.1.0-57","7.1.0-58","7.1.0-59","7.1.0-6","7.1.0-60","7.1.0-61","7.1.0-62","7.1.0-7","7.1.0-8","7.1.0-9","7.1.1-0","7.1.1-1","7.1.1-10","7.1.1-11","7.1.1-12","7.1.1-13","7.1.1-14","7.1.1-15","7.1.1-16","7.1.1-17","7.1.1-18","7.1.1-19","7.1.1-2","7.1.1-20","7.1.1-21","7.1.1-22","7.1.1-23","7.1.1-24","7.1.1-25","7.1.1-26","7.1.1-27","7.1.1-28","7.1.1-29","7.1.1-3","7.1.1-30","7.1.1-31","7.1.1-32","7.1.1-33","7.1.1-34","7.1.1-35","7.1.1-4","7.1.1-5","7.1.1-6","7.1.1-7","7.1.1-8","7.1.1-9"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-41817.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}