{"id":"CVE-2021-39212","details":"ImageMagick is free software delivered as a ready-to-run binary distribution or as source code that you may use, copy, modify, and distribute in both open and proprietary applications. In affected versions and in certain cases, Postscript files could be read and written when specifically excluded by a `module` policy in `policy.xml`. ex. \u003cpolicy domain=\"module\" rights=\"none\" pattern=\"PS\" /\u003e. The issue has been resolved in ImageMagick 7.1.0-7 and in 6.9.12-22. Fortunately, in the wild, few users utilize the `module` policy and instead use the `coder` policy that is also our workaround recommendation: \u003cpolicy domain=\"coder\" rights=\"none\" pattern=\"{PS,EPI,EPS,EPSF,EPSI}\" /\u003e.","modified":"2026-04-11T23:14:38.493576Z","published":"2021-09-13T18:15:23.907Z","related":["GHSA-qvhr-jj4p-j2qr"],"references":[{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2023/05/msg00020.html"},{"type":"ADVISORY","url":"https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-qvhr-jj4p-j2qr"},{"type":"FIX","url":"https://github.com/ImageMagick/ImageMagick/commit/01faddbe2711a4156180c4a92837e2f23683cc68"},{"type":"FIX","url":"https://github.com/ImageMagick/ImageMagick/commit/35893e7cad78ce461fcaffa56076c11700ba5e4e"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/imagemagick/imagemagick","events":[{"introduced":"b4ca2bed6e55417f439155eaa6a406ff71798116"},{"fixed":"957e47818ef0ae9ce73ade28a649ee7411a736e7"},{"fixed":"01faddbe2711a4156180c4a92837e2f23683cc68"},{"fixed":"35893e7cad78ce461fcaffa56076c11700ba5e4e"}],"database_specific":{"extracted_events":[{"introduced":"7.1.0-0"},{"fixed":"7.1.0-7"}],"source":["CPE_FIELD","REFERENCES"],"cpe":"cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*:*"}}],"versions":["7.1.0-0","7.1.0-1","7.1.0-2","7.1.0-3","7.1.0-4","7.1.0-5","7.1.0-6"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-39212.json","vanir_signatures":[{"source":"https://github.com/imagemagick/imagemagick/commit/01faddbe2711a4156180c4a92837e2f23683cc68","id":"CVE-2021-39212-04dc5f63","signature_type":"Function","signature_version":"v1","deprecated":false,"target":{"function":"OpenModule","file":"MagickCore/module.c"},"digest":{"function_hash":"12238449736761196515031936875479012387","length":2905}},{"source":"https://github.com/imagemagick/imagemagick/commit/01faddbe2711a4156180c4a92837e2f23683cc68","id":"CVE-2021-39212-0b85e734","signature_type":"Function","signature_version":"v1","deprecated":false,"target":{"function":"RegisterStaticModule","file":"MagickCore/static.c"},"digest":{"function_hash":"67095356107172339824823189294631296075","length":1006}},{"source":"https://github.com/imagemagick/imagemagick/commit/35893e7cad78ce461fcaffa56076c11700ba5e4e","id":"CVE-2021-39212-15063b98","signature_type":"Function","signature_version":"v1","deprecated":false,"target":{"function":"RegisterStaticModules","file":"MagickCore/static.c"},"digest":{"function_hash":"63184281936401086415764659830330242614","length":340}},{"source":"https://github.com/imagemagick/imagemagick/commit/01faddbe2711a4156180c4a92837e2f23683cc68","id":"CVE-2021-39212-2072cbb5","signature_type":"Line","signature_version":"v1","deprecated":false,"target":{"file":"MagickCore/static.c"},"digest":{"line_hashes":["161464366672841640020134010124046521125","141124472193983977625269801785118258958","108384596060519357535447944241695217562","258487691776336968100862765079916223456","300445242840738940326003630090652496207","128011902388511518635140373616336014026","337347454748691601147186908323491545453","189367590195091707552102665792907139679","155710556456592442496631619759592383630","304332711289379008620794157727308316472","331979865129936986560897612424316949167","34546885671303321050632682220954312100","110838583415941214689987570908988952029","257911632806818842092921089726261664180","111999203320345666450405824794171170173","178779667790122642458319338983813196752","289186773550883895490816465232127853066","53163241543973580188531734443580948703"],"threshold":0.9}},{"source":"https://github.com/imagemagick/imagemagick/commit/01faddbe2711a4156180c4a92837e2f23683cc68","id":"CVE-2021-39212-3d436bd8","signature_type":"Function","signature_version":"v1","deprecated":false,"target":{"function":"RegisterStaticModules","file":"MagickCore/static.c"},"digest":{"function_hash":"320567952468272600299621521938514478978","length":456}},{"source":"https://github.com/imagemagick/imagemagick/commit/01faddbe2711a4156180c4a92837e2f23683cc68","id":"CVE-2021-39212-4a389505","signature_type":"Line","signature_version":"v1","deprecated":false,"target":{"file":"MagickCore/module.c"},"digest":{"line_hashes":["161464366672841640020134010124046521125","141124472193983977625269801785118258958","108384596060519357535447944241695217562","258487691776336968100862765079916223456"],"threshold":0.9}},{"source":"https://github.com/imagemagick/imagemagick/commit/35893e7cad78ce461fcaffa56076c11700ba5e4e","id":"CVE-2021-39212-8dc9fb9e","signature_type":"Function","signature_version":"v1","deprecated":false,"target":{"function":"RegisterStaticModule","file":"MagickCore/static.c"},"digest":{"function_hash":"3555650037291524282550641662791173921","length":1007}},{"source":"https://github.com/imagemagick/imagemagick/commit/35893e7cad78ce461fcaffa56076c11700ba5e4e","id":"CVE-2021-39212-e86239b7","signature_type":"Line","signature_version":"v1","deprecated":false,"target":{"file":"MagickCore/static.c"},"digest":{"line_hashes":["245617195997029489383654427104549917156","55780723640404020164828960750440420480","226170224069707727205190332989032059380","131025510662049958977924086546334637515","257911632806818842092921089726261664180","143619803033248316394314000302212847363","31835007959196602870548180955827925933","302653041741808141148766325054036889142"],"threshold":0.9}}],"vanir_signatures_modified":"2026-04-11T23:14:38Z"}},{"ranges":[{"type":"GIT","repo":"https://github.com/imagemagick/imagemagick6","events":[{"introduced":"769536d06c3dc2171aac1ddd36a01edfa16b1977"},{"fixed":"f48b6233e976f56a499a49c55b5f3f26c11451f5"}],"database_specific":{"extracted_events":[{"introduced":"6.9.12-0"},{"fixed":"6.9.12-22"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*:*"}}],"versions":["6.9.12-0","6.9.12-1","6.9.12-10","6.9.12-11","6.9.12-12","6.9.12-14","6.9.12-15","6.9.12-16","6.9.12-17","6.9.12-18","6.9.12-19","6.9.12-2","6.9.12-20","6.9.12-21","6.9.12-3","6.9.12-4","6.9.12-5","6.9.12-6","6.9.12-7","6.9.12-8","6.9.12-9"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-39212.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N"}]}