Multiple vulnerabilities in ImageMagick
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 6 |
| CVE-ID | CVE-2017-13139 CVE-2017-13142 CVE-2017-11526 CVE-2017-11528 CVE-2017-11529 CVE-2017-11530 |
| CWE-ID | CWE-125 CWE-754 CWE-400 CWE-20 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
ImageMagick Client/Desktop applications / Multimedia software |
| Vendor | ImageMagick.org |
Security Bulletin
This security bulletin contains information about 6 vulnerabilities.
1) Out-of-bounds read
EUVDB-ID: #VU38433
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2017-13139
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
In ImageMagick before 6.9.9-0 and 7.x before 7.0.6-1, the ReadOneMNGImage function in coders/png.c has an out-of-bounds read with the MNG CLIP chunk.
MitigationInstall update from vendor's website.
Vulnerable software versionsImageMagick: 7.0.0-0 - 7.0.6-0
CPE2.3- cpe:2.3:a:imagemagick_org:imagemagick:7.0.0-0:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick_org:imagemagick:7.0.1-0:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick_org:imagemagick:7.0.1-1:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick_org:imagemagick:7.0.1-2:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick_org:imagemagick:7.0.1-3:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick_org:imagemagick:7.0.1-4:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick_org:imagemagick:7.0.1-5:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick_org:imagemagick:7.0.1-6:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick_org:imagemagick:7.0.1-7:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick_org:imagemagick:7.0.1-8:*:*:*:*:*:*:*
https://www.securityfocus.com/bid/100494
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870109
https://github.com/ImageMagick/ImageMagick/commit/22e0310345499ffe906c604428f2a3a668942b05
https://security.gentoo.org/glsa/201711-07
https://usn.ubuntu.com/3681-1/
https://www.debian.org/security/2017/dsa-4019
https://www.debian.org/security/2017/dsa-4040
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Improper Check for Unusual or Exceptional Conditions
EUVDB-ID: #VU38436
Risk: Medium
CVSSv4.0: 4 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2017-13142
CWE-ID:
CWE-754 - Improper Check for Unusual or Exceptional Conditions
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
In ImageMagick before 6.9.9-0 and 7.x before 7.0.6-1, a crafted PNG file could trigger a crash because there was an insufficient check for short files.
MitigationInstall update from vendor's website.
Vulnerable software versionsImageMagick: 7.0.0-0 - 7.0.6-0
CPE2.3- cpe:2.3:a:imagemagick_org:imagemagick:7.0.0-0:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick_org:imagemagick:7.0.1-0:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick_org:imagemagick:7.0.1-1:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick_org:imagemagick:7.0.1-2:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick_org:imagemagick:7.0.1-3:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick_org:imagemagick:7.0.1-4:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick_org:imagemagick:7.0.1-5:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick_org:imagemagick:7.0.1-6:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick_org:imagemagick:7.0.1-7:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick_org:imagemagick:7.0.1-8:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick_org:imagemagick:7.0.1-9:*:*:*:*:*:*:*
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870105
https://github.com/ImageMagick/ImageMagick/commit/46e3aabbf8d59a1bdebdbb65acb9b9e0484577d3
https://github.com/ImageMagick/ImageMagick/commit/aa84944b405acebbeefe871d0f64969b9e9f31ac
https://lists.debian.org/debian-lts-announce/2019/05/msg00015.html
https://security.gentoo.org/glsa/201711-07
https://usn.ubuntu.com/3681-1/
https://www.debian.org/security/2017/dsa-4019
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Resource exhaustion
EUVDB-ID: #VU38658
Risk: Medium
CVSSv4.0: 4 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2017-11526
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
The ReadOneMNGImage function in coders/png.c in ImageMagick before 6.9.9-0 and 7.x before 7.0.6-1 allows remote attackers to cause a denial of service (large loop and CPU consumption) via a crafted file.
MitigationInstall update from vendor's website.
Vulnerable software versionsImageMagick: 7.0.1-0 - 7.0.6-0
CPE2.3- cpe:2.3:a:imagemagick_org:imagemagick:7.0.1-0:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick_org:imagemagick:7.0.1-1:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick_org:imagemagick:7.0.1-2:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick_org:imagemagick:7.0.1-3:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick_org:imagemagick:7.0.1-4:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick_org:imagemagick:7.0.1-5:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick_org:imagemagick:7.0.1-6:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick_org:imagemagick:7.0.1-7:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick_org:imagemagick:7.0.1-8:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick_org:imagemagick:7.0.1-9:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick_org:imagemagick:7.0.1-10:*:*:*:*:*:*:*
https://www.securityfocus.com/bid/99932
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=867825
https://github.com/ImageMagick/ImageMagick/issues/527
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Input validation error
EUVDB-ID: #VU38659
Risk: Medium
CVSSv4.0: 4 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2017-11528
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
The ReadDIBImage function in coders/dib.c in ImageMagick before 6.9.9-0 and 7.x before 7.0.6-1 allows remote attackers to cause a denial of service (memory leak) via a crafted file.
MitigationInstall update from vendor's website.
Vulnerable software versionsImageMagick: 7.0.1-0 - 7.0.6-0
CPE2.3- cpe:2.3:a:imagemagick_org:imagemagick:7.0.1-0:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick_org:imagemagick:7.0.1-1:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick_org:imagemagick:7.0.1-2:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick_org:imagemagick:7.0.1-3:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick_org:imagemagick:7.0.1-4:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick_org:imagemagick:7.0.1-5:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick_org:imagemagick:7.0.1-6:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick_org:imagemagick:7.0.1-7:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick_org:imagemagick:7.0.1-8:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick_org:imagemagick:7.0.1-9:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick_org:imagemagick:7.0.1-10:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick_org:imagemagick:7.0.2-0:*:*:*:*:*:*:*
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=867811
https://github.com/ImageMagick/ImageMagick/issues/522
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Input validation error
EUVDB-ID: #VU38660
Risk: Medium
CVSSv4.0: 4 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2017-11529
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
The ReadMATImage function in coders/mat.c in ImageMagick before 6.9.9-0 and 7.x before 7.0.6-1 allows remote attackers to cause a denial of service (memory leak) via a crafted file.
MitigationInstall update from vendor's website.
Vulnerable software versionsImageMagick: 7.0.1-0 - 7.0.6-0
CPE2.3- cpe:2.3:a:imagemagick_org:imagemagick:7.0.1-0:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick_org:imagemagick:7.0.1-1:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick_org:imagemagick:7.0.1-2:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick_org:imagemagick:7.0.1-3:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick_org:imagemagick:7.0.1-4:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick_org:imagemagick:7.0.1-5:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick_org:imagemagick:7.0.1-6:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick_org:imagemagick:7.0.1-7:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick_org:imagemagick:7.0.1-8:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick_org:imagemagick:7.0.1-9:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick_org:imagemagick:7.0.1-10:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick_org:imagemagick:7.0.2-0:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick_org:imagemagick:7.0.2-1:*:*:*:*:*:*:*
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=867823
https://github.com/ImageMagick/ImageMagick/issues/525
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Resource exhaustion
EUVDB-ID: #VU38661
Risk: Medium
CVSSv4.0: 4 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2017-11530
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
The ReadEPTImage function in coders/ept.c in ImageMagick before 6.9.9-0 and 7.x before 7.0.6-1 allows remote attackers to cause a denial of service (memory consumption) via a crafted file.
MitigationInstall update from vendor's website.
Vulnerable software versionsImageMagick: 7.0.1-0 - 7.0.6-0
CPE2.3- cpe:2.3:a:imagemagick_org:imagemagick:7.0.1-0:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick_org:imagemagick:7.0.1-1:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick_org:imagemagick:7.0.1-2:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick_org:imagemagick:7.0.1-3:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick_org:imagemagick:7.0.1-4:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick_org:imagemagick:7.0.1-5:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick_org:imagemagick:7.0.1-6:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick_org:imagemagick:7.0.1-7:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick_org:imagemagick:7.0.1-8:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick_org:imagemagick:7.0.1-9:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick_org:imagemagick:7.0.1-10:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick_org:imagemagick:7.0.2-0:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick_org:imagemagick:7.0.2-1:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick_org:imagemagick:7.0.2-2:*:*:*:*:*:*:*
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=867821
https://github.com/ImageMagick/ImageMagick/issues/524
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
