Multiple vulnerabilities in ImageMagick
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 11 |
| CVE-ID | CVE-2017-14139 CVE-2017-13658 CVE-2017-12663 CVE-2017-12664 CVE-2017-12665 CVE-2017-12668 CVE-2017-12674 CVE-2017-12563 CVE-2017-12564 CVE-2017-12565 CVE-2017-12566 |
| CWE-ID | CWE-20 CWE-617 CWE-770 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
ImageMagick Client/Desktop applications / Multimedia software |
| Vendor | ImageMagick.org |
Security Bulletin
This security bulletin contains information about 11 vulnerabilities.
1) Input validation error
EUVDB-ID: #VU38361
Risk: Medium
CVSSv4.0: 4 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2017-14139
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
ImageMagick 7.0.6-2 has a memory leak vulnerability in WriteMSLImage in coders/msl.c.
MitigationInstall update from vendor's website.
Vulnerable software versionsImageMagick: 7.0.6-2
CPE2.3 External linkshttps://github.com/ImageMagick/ImageMagick/issues/578
https://security.gentoo.org/glsa/201711-07
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Reachable Assertion
EUVDB-ID: #VU38429
Risk: Medium
CVSSv4.0: 4 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2017-13658
CWE-ID:
CWE-617 - Reachable Assertion
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
In ImageMagick before 6.9.9-3 and 7.x before 7.0.6-3, there is a missing NULL check in the ReadMATImage function in coders/mat.c, leading to a denial of service (assertion failure and application exit) in the DestroyImageInfo function in MagickCore/image.c.
MitigationInstall update from vendor's website.
Vulnerable software versionsImageMagick: 7.0.1-0 - 7.0.6-2
CPE2.3- cpe:2.3:a:imagemagick_org:imagemagick:7.0.1-0:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick_org:imagemagick:7.0.1-1:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick_org:imagemagick:7.0.1-2:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick_org:imagemagick:7.0.1-3:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick_org:imagemagick:7.0.1-4:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick_org:imagemagick:7.0.1-5:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick_org:imagemagick:7.0.1-6:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick_org:imagemagick:7.0.1-7:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick_org:imagemagick:7.0.1-8:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick_org:imagemagick:7.0.1-9:*:*:*:*:*:*:*
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870019
https://github.com/ImageMagick/ImageMagick/commit/e5c063a1007506ba69e97a35effcdef944421c89
https://github.com/ImageMagick/ImageMagick/issues/598
https://lists.debian.org/debian-lts-announce/2019/05/msg00015.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Input validation error
EUVDB-ID: #VU38561
Risk: High
CVSSv4.0: 5.7 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2017-12663
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
ImageMagick 7.0.6-2 has a memory leak vulnerability in WriteMAPImage in coders/map.c.
MitigationInstall update from vendor's website.
Vulnerable software versionsImageMagick: 7.0.6-2
CPE2.3 External linkshttps://github.com/ImageMagick/ImageMagick/commit/6233ef75bb973745ab1092b59aea8fe316f09074
https://github.com/ImageMagick/ImageMagick/issues/573
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Input validation error
EUVDB-ID: #VU38562
Risk: High
CVSSv4.0: 5.7 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2017-12664
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
ImageMagick 7.0.6-2 has a memory leak vulnerability in WritePALMImage in coders/palm.c.
MitigationInstall update from vendor's website.
Vulnerable software versionsImageMagick: 7.0.6-2
CPE2.3 External linkshttps://github.com/ImageMagick/ImageMagick/commit/db1ffb6cf44bcfe5c4d5fcf9d9109ded5617387f
https://github.com/ImageMagick/ImageMagick/issues/574
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Input validation error
EUVDB-ID: #VU38563
Risk: High
CVSSv4.0: 5.7 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2017-12665
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
ImageMagick 7.0.6-2 has a memory leak vulnerability in WritePICTImage in coders/pict.c.
MitigationInstall update from vendor's website.
Vulnerable software versionsImageMagick: 7.0.6-2
CPE2.3 External linkshttps://github.com/ImageMagick/ImageMagick/commit/859084b4fd966ac007965c3d85caabccd8aee9b4
https://github.com/ImageMagick/ImageMagick/issues/577
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Input validation error
EUVDB-ID: #VU38565
Risk: High
CVSSv4.0: 5.7 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2017-12668
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
ImageMagick 7.0.6-2 has a memory leak vulnerability in WritePCXImage in coders/pcx.c.
MitigationInstall update from vendor's website.
Vulnerable software versionsImageMagick: 7.0.6-2
CPE2.3 External linkshttps://github.com/ImageMagick/ImageMagick/commit/560e6e512961008938aa1d1b9aab06347b1c8f9b
https://github.com/ImageMagick/ImageMagick/issues/575
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) Input validation error
EUVDB-ID: #VU38570
Risk: Medium
CVSSv4.0: 4 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2017-12674
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
In ImageMagick 7.0.6-2, a CPU exhaustion vulnerability was found in the function ReadPDBImage in coders/pdb.c, which allows attackers to cause a denial of service.
MitigationInstall update from vendor's website.
Vulnerable software versionsImageMagick: 7.0.6-2
CPE2.3 External linkshttps://github.com/ImageMagick/ImageMagick/issues/604
https://lists.debian.org/debian-lts-announce/2019/05/msg00015.html
https://usn.ubuntu.com/3681-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
8) Allocation of Resources Without Limits or Throttling
EUVDB-ID: #VU38592
Risk: Medium
CVSSv4.0: 4 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2017-12563
CWE-ID:
CWE-770 - Allocation of Resources Without Limits or Throttling
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
In ImageMagick 7.0.6-2, a memory exhaustion vulnerability was found in the function ReadPSDImage in coders/psd.c, which allows attackers to cause a denial of service.
MitigationInstall update from vendor's website.
Vulnerable software versionsImageMagick: 7.0.6-2
CPE2.3 External linkshttps://www.securityfocus.com/bid/100153
https://github.com/ImageMagick/ImageMagick/issues/599
https://lists.debian.org/debian-lts-announce/2019/05/msg00015.html
https://usn.ubuntu.com/3681-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
9) Input validation error
EUVDB-ID: #VU38593
Risk: Medium
CVSSv4.0: 4 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2017-12564
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
In ImageMagick 7.0.6-2, a memory leak vulnerability was found in the function ReadMATImage in coders/mat.c, which allows attackers to cause a denial of service.
MitigationInstall update from vendor's website.
Vulnerable software versionsImageMagick: 7.0.6-2
CPE2.3 External linkshttps://www.securityfocus.com/bid/100161
https://github.com/ImageMagick/ImageMagick/issues/601
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
10) Input validation error
EUVDB-ID: #VU38594
Risk: Medium
CVSSv4.0: 4 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2017-12565
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
In ImageMagick 7.0.6-2, a memory leak vulnerability was found in the function ReadOneJNGImage in coders/png.c, which allows attackers to cause a denial of service.
MitigationInstall update from vendor's website.
Vulnerable software versionsImageMagick: 7.0.6-2
CPE2.3 External linkshttps://www.securityfocus.com/bid/100156
https://github.com/ImageMagick/ImageMagick/issues/602
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
11) Input validation error
EUVDB-ID: #VU38595
Risk: Medium
CVSSv4.0: 4 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2017-12566
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
In ImageMagick 7.0.6-2, a memory leak vulnerability was found in the function ReadMVGImage in coders/mvg.c, which allows attackers to cause a denial of service, related to the function ReadSVGImage in svg.c.
MitigationInstall update from vendor's website.
Vulnerable software versionsImageMagick: 7.0.6-2
CPE2.3 External linkshttps://github.com/ImageMagick/ImageMagick/issues/603
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
