Bastien-Roucaries

**Name of the Vulnerable Software and Affected Versions** ruby-magick (affected versions not specified) **Description** The issue is related to memory leak errors in the ruby-magick interface between Ruby and the ImageMagick library. This can lead to a denial of service (DOS) by memory exhaustion, potentially allowing a remote attacker to cause a service disruption. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Ansible (affected versions not specified) **Description** A flaw was found in Ansible in the amazon.aws collection when using the `tower callback` parameter from the `amazon.aws.ec2 instance` module. This issue allows an attacker to take advantage of the insecure handling of the parameter, leading to the password leaking in the logs. **Recommendations** As a temporary workaround, consider disabling the `tower callback` parameter in the `amazon.aws.ec2 instance` module until a patch is available. Restrict access to the `amazon.aws.ec2 instance` module to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ImageMagick versions prior to 7.0.6-1 **Description** The issue is related to memory leaks in the ReadSCREENSHOTImage function, which can cause denial of service. **Recommendations** For versions prior to 7.0.6-1, update to version 7.0.6-1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** ImageMagick versions prior to 7.0.6-1 **Description** The issue allows remote attackers to obtain sensitive information from uninitialized memory locations via a crafted file. This is due to a problem in the ReadJPEGImage function in coders/jpeg.c. **Recommendations** For versions prior to 7.0.6-1, update to version 7.0.6-1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** ImageMagick versions prior to 7.0.6-1 **Description** The issue is related to the handling of images in ImageMagick, where the coders/mpc.c file does not enable seekable streams, which prevents the validation of blob sizes. This can be exploited by remote attackers to cause a denial of service, resulting in an application crash, or possibly have other unspecified impacts via an image received from stdin. **Recommendations** For versions prior to 7.0.6-1, update to version 7.0.6-1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** ImageMagick versions prior to 7.0.6-1 **Description** The issue allows remote attackers to cause a denial of service, potentially leading to an application crash, via JPEG data that is too short. **Recommendations** For versions prior to 7.0.6-1, update to version 7.0.6-1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** ImageMagick versions prior to 6.9.6-4 ImageMagick versions 7.x prior to 7.0.3-6 **Description** A heap overflow issue exists in the WaveletDenoiseImage function, located in MagickCore/fx.c, allowing remote attackers to cause a denial of service by crashing the system via a crafted image. **Recommendations** For ImageMagick versions prior to 6.9.6-4, update to version 6.9.6-4 or later to resolve the issue. For ImageMagick versions 7.x prior to 7.0.3-6, update to version 7.0.3-6 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** DOMPurify versions prior to 2.5.0 DOMPurify versions prior to 3.1.3 **Description** The issue is related to insufficient input validation in the DOMPurify JavaScript library, which can lead to a cross-site scripting (XSS) attack. This vulnerability allows a remote attacker to perform a cross-site scripting attack. DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML, and SVG, and it was vulnerable to nesting-based mXSS. **Recommendations** For DOMPurify versions prior to 2.5.0, update to version 2.5.0 or later to fix the vulnerability. For DOMPurify versions prior to 3.1.3, update to version 3.1.3 or later to fix the vulnerability. As a temporary workaround, consider restricting the use of the DOMPurify library until a patch is applied.