SB2017080503 - Multiple vulnerabilities in ImageMagick

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2017080503

SB2017080503 - Multiple vulnerabilities in ImageMagick

Published: August 5, 2017 Updated: August 8, 2020

Security Bulletin ID SB2017080503
CSH Severity
High
Patch available
YES
Number of vulnerabilities 11
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 36% Medium 64%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 11 vulnerabilities.


1) Input validation error (CVE-ID: CVE-2017-14139)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

ImageMagick 7.0.6-2 has a memory leak vulnerability in WriteMSLImage in coders/msl.c.


2) Reachable Assertion (CVE-ID: CVE-2017-13658)

CWE-ID: CWE-617 - Reachable Assertion

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

In ImageMagick before 6.9.9-3 and 7.x before 7.0.6-3, there is a missing NULL check in the ReadMATImage function in coders/mat.c, leading to a denial of service (assertion failure and application exit) in the DestroyImageInfo function in MagickCore/image.c.


3) Input validation error (CVE-ID: CVE-2017-12663)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

ImageMagick 7.0.6-2 has a memory leak vulnerability in WriteMAPImage in coders/map.c.


4) Input validation error (CVE-ID: CVE-2017-12664)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

ImageMagick 7.0.6-2 has a memory leak vulnerability in WritePALMImage in coders/palm.c.


5) Input validation error (CVE-ID: CVE-2017-12665)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

ImageMagick 7.0.6-2 has a memory leak vulnerability in WritePICTImage in coders/pict.c.


6) Input validation error (CVE-ID: CVE-2017-12668)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

ImageMagick 7.0.6-2 has a memory leak vulnerability in WritePCXImage in coders/pcx.c.


7) Input validation error (CVE-ID: CVE-2017-12674)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

In ImageMagick 7.0.6-2, a CPU exhaustion vulnerability was found in the function ReadPDBImage in coders/pdb.c, which allows attackers to cause a denial of service.


8) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2017-12563)

CWE-ID: CWE-770 - Allocation of Resources Without Limits or Throttling

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

In ImageMagick 7.0.6-2, a memory exhaustion vulnerability was found in the function ReadPSDImage in coders/psd.c, which allows attackers to cause a denial of service.


9) Input validation error (CVE-ID: CVE-2017-12564)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

In ImageMagick 7.0.6-2, a memory leak vulnerability was found in the function ReadMATImage in coders/mat.c, which allows attackers to cause a denial of service.


10) Input validation error (CVE-ID: CVE-2017-12565)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

In ImageMagick 7.0.6-2, a memory leak vulnerability was found in the function ReadOneJNGImage in coders/png.c, which allows attackers to cause a denial of service.


11) Input validation error (CVE-ID: CVE-2017-12566)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

In ImageMagick 7.0.6-2, a memory leak vulnerability was found in the function ReadMVGImage in coders/mvg.c, which allows attackers to cause a denial of service, related to the function ReadSVGImage in svg.c.


Remediation

Install update from vendor's website.

References