Multiple vulnerabilities in ImageMagick
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 18 |
| CVE-ID | CVE-2017-8346 CVE-2017-9144 CVE-2017-9143 CVE-2017-8765 CVE-2017-8357 CVE-2017-8356 CVE-2017-8355 CVE-2017-8354 CVE-2017-8353 CVE-2017-8352 CVE-2017-8351 CVE-2017-8350 CVE-2017-8349 CVE-2017-8348 CVE-2017-8347 CVE-2017-8345 CVE-2017-8344 CVE-2017-8343 |
| CWE-ID | CWE-401 CWE-20 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
ImageMagick Client/Desktop applications / Multimedia software |
| Vendor | ImageMagick.org |
Security Bulletin
This security bulletin contains information about 18 vulnerabilities.
1) Memory leak
EUVDB-ID: #VU6615
Risk: Low
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-8346
CWE-ID:
CWE-401 - Missing release of memory after effective lifetime
Exploit availability: No
DescriptionThe vulnerability allows a remote unauthenticated attacker to cause DoS conditions on the target system.
The weakness exists due to memory leak in ReadDCMImage function in dcm.c when handling malicious files. A remote attacker can send a specially crafted image file, trigger boundary error and cause the application to crash.
Successful exploitation of the vulnerability results in denial of service.
Update to version 7.0.5-6.
ImageMagick: 7.0.5-0 - 7.0.5-5
External linkshttp://github.com/ImageMagick/ImageMagick/issues/440
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Improper input validation
EUVDB-ID: #VU6839
Risk: Low
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-9144
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to incorrect EOF handling when processing a specially crafted RLE image in coders/rle.c in ImageMagick 7.0.5-5. A remote attacker can create a specially crafted file and perform denial of service attack.
Update to version 7.0.5-6.
Vulnerable software versionsImageMagick: 7.0.5-5
External linkshttp://github.com/ImageMagick/ImageMagick/commit/7fdf9ea808caa3c81a0eb42656e5fafc59084198
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Memory leak
EUVDB-ID: #VU6835
Risk: Low
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-9143
CWE-ID:
CWE-401 - Missing release of memory after effective lifetime
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to memory leak within ImageMagick 7.0.5-5, the ReadARTImage function in coders/art.c. A remote attacker can create a specially crafted .art file and perform a denial of service attack.
Mitigation
Install update from vendor's website.
Vulnerable software versionsImageMagick: 7.0.5-5
External linkshttp://github.com/ImageMagick/ImageMagick/commit/7b8c1df65b25d6671f113e2306982eded44ce3b4
http://github.com/ImageMagick/ImageMagick/issues/456
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Memory leak
EUVDB-ID: #VU6833
Risk: Low
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-8765
CWE-ID:
CWE-401 - Missing release of memory after effective lifetime
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The function named ReadICONImage in codersicon.c in ImageMagick 7.0.5-5 has being found susceptible to a memory leak. A remote attacker can create a specially crafted ICON file and perform a denial of service attack.
Mitigation
Install update from vendor's website.
Vulnerable software versionsImageMagick: 7.0.5-5
External linkshttp://github.com/ImageMagick/ImageMagick/issues/466
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Memory leak
EUVDB-ID: #VU6832
Risk: Low
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-8357
CWE-ID:
CWE-401 - Missing release of memory after effective lifetime
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to memory leak within ImageMagick 7.0.5-5, the ReadEPTImage function in ept.c. A remote attacker can create a specially crafted file and perform a denial of service attack.
Mitigation
Install update from vendor's website.
Vulnerable software versionsImageMagick: 7.0.5-5
External linkshttp://github.com/ImageMagick/ImageMagick/issues/453
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Memory leak
EUVDB-ID: #VU6831
Risk: Low
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-8356
CWE-ID:
CWE-401 - Missing release of memory after effective lifetime
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to memory leak within ImageMagick 7.0.5-5, the ReadSUNImage function in sun.c. A remote attacker can create a specially crafted file and perform a denial of service attack.
Mitigation
Install update from vendor's website.
Vulnerable software versionsImageMagick: 7.0.5-5
External linkshttp://github.com/ImageMagick/ImageMagick/issues/449
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) Memory leak
EUVDB-ID: #VU6830
Risk: Low
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-8355
CWE-ID:
CWE-401 - Missing release of memory after effective lifetime
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to memory leak within ImageMagick 7.0.5-5, the ReadMTVImage function in mtv.c. A remote attacker can create a specially crafted file and perform a denial of service attack.
Mitigation
Install update from vendor's website.
Vulnerable software versionsImageMagick: 7.0.5-5
External linkshttp://github.com/ImageMagick/ImageMagick/issues/450
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
8) Memory leak
EUVDB-ID: #VU6829
Risk: Low
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-8354
CWE-ID:
CWE-401 - Missing release of memory after effective lifetime
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to memory leak within ImageMagick 7.0.5-5, the ReadBMPImage function in bmp.c. A remote attacker can create a specially crafted file and perform a denial of service attack.
Mitigation
Install update from vendor's website.
Vulnerable software versionsImageMagick: 7.0.5-5
External linkshttp://github.com/ImageMagick/ImageMagick/issues/451
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
9) Memory leak
EUVDB-ID: #VU6828
Risk: Low
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-8353
CWE-ID:
CWE-401 - Missing release of memory after effective lifetime
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to memory leak within ImageMagick 7.0.5-5, the ReadPICTImage function in pict.c. A remote attacker can create a specially crafted file and perform a denial of service attack.
Mitigation
Install update from vendor's website.
Vulnerable software versionsImageMagick: 7.0.5-5
External linkshttp://github.com/ImageMagick/ImageMagick/issues/454
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
10) Memory leak
EUVDB-ID: #VU6827
Risk: Low
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-8352
CWE-ID:
CWE-401 - Missing release of memory after effective lifetime
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to memory leak within ImageMagick 7.0.5-5, the ReadXWDImage function in xwd.c. A remote attacker can create a specially crafted file and perform a denial of service attack.
Mitigation
Install update from vendor's website.
Vulnerable software versionsImageMagick: 7.0.5-5
External linkshttp://github.com/ImageMagick/ImageMagick/issues/452
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
11) Memory leak
EUVDB-ID: #VU6826
Risk: Low
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-8351
CWE-ID:
CWE-401 - Missing release of memory after effective lifetime
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to memory leak within ImageMagick 7.0.5-5, the ReadPCDImage function in pcd.c. A remote attacker can create a specially crafted file and perform a denial of service attack.
Mitigation
Install update from vendor's website.
Vulnerable software versionsImageMagick: 7.0.5-5
External linkshttp://github.com/ImageMagick/ImageMagick/issues/448
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
12) Memory leak
EUVDB-ID: #VU6825
Risk: Low
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-8350
CWE-ID:
CWE-401 - Missing release of memory after effective lifetime
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to memory leak within ImageMagick 7.0.5-5, the ReadJNGImage function in png.c. A remote attacker can create a specially crafted file and perform a denial of service attack.
Mitigation
Install update from vendor's website.
Vulnerable software versionsImageMagick: 7.0.5-5
External linkshttp://github.com/ImageMagick/ImageMagick/issues/447
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
13) Memory leak
EUVDB-ID: #VU6824
Risk: Low
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-8349
CWE-ID:
CWE-401 - Missing release of memory after effective lifetime
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to memory leak within the ReadSFWImage function in sfw.c in ImageMagick 7.0.5-5. A remote attacker can create a specially crafted file and perform a denial of service attack.
Mitigation
Install update from vendor's website.
Vulnerable software versionsImageMagick: 7.0.5-5
External linkshttp://github.com/ImageMagick/ImageMagick/issues/443
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
14) Memory leak
EUVDB-ID: #VU6823
Risk: Low
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-8348
CWE-ID:
CWE-401 - Missing release of memory after effective lifetime
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to memory leak within the ReadMATImage function in mat.c in ImageMagick 7.0.5-5. A remote attacker can create a specially crafted file and perform a denial of service attack.
Mitigation
Install update from vendor's website.
Vulnerable software versionsImageMagick: 7.0.5-5
External linkshttp://github.com/ImageMagick/ImageMagick/issues/445
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
15) Memory leak
EUVDB-ID: #VU6822
Risk: Low
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-8347
CWE-ID:
CWE-401 - Missing release of memory after effective lifetime
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to memory leak within the ReadEXRImage function in exr.c in ImageMagick 7.0.5-5. A remote attacker can create a specially crafted file and perform a denial of service attack.
Mitigation
Install update from vendor's website.
Vulnerable software versionsImageMagick: 7.0.5-5
External linkshttp://github.com/ImageMagick/ImageMagick/issues/441
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
16) Memory leak
EUVDB-ID: #VU6821
Risk: Low
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-8345
CWE-ID:
CWE-401 - Missing release of memory after effective lifetime
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to memory leak within the ReadMNGImage function in png.c in ImageMagick 7.0.5-5. A remote attacker can create a specially crafted file and perform a denial of service attack.
Mitigation
Install update from vendor's website.
Vulnerable software versionsImageMagick: 7.0.5-5
External linkshttp://github.com/ImageMagick/ImageMagick/issues/442
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
17) Memory leak
EUVDB-ID: #VU6820
Risk: Low
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-8344
CWE-ID:
CWE-401 - Missing release of memory after effective lifetime
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to memory leak within the ReadPCXImage function in pcx.c in ImageMagick 7.0.5-5. A remote attacker can create a specially crafted file and perform a denial of service attack.
Mitigation
Install update from vendor's website.
Vulnerable software versionsImageMagick: 7.0.5-5
External linkshttp://github.com/ImageMagick/ImageMagick/issues/446
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
18) Memory leak
EUVDB-ID: #VU6819
Risk: Low
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-8343
CWE-ID:
CWE-401 - Missing release of memory after effective lifetime
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to memory leak within the ReadAAIImage function in aai.c in ImageMagick 7.0.5-5. A remote attacker can create a specially crafted file and perform a denial of service attack.
Mitigation
Install update from vendor's website.
Vulnerable software versionsImageMagick: 7.0.5-5
External linkshttp://github.com/ImageMagick/ImageMagick/issues/444
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
