Risk | Low |
Patch available | YES |
Number of vulnerabilities | 10 |
CVE-ID | CVE-2017-1000476 CVE-2017-10928 CVE-2017-11450 CVE-2017-14325 CVE-2017-17887 CVE-2017-18250 CVE-2017-18251 CVE-2017-18252 CVE-2017-18254 CVE-2017-18271 |
CWE-ID | CWE-400 CWE-126 CWE-20 CWE-119 CWE-401 CWE-476 CWE-835 |
Exploitation vector | Network |
Public exploit | N/A |
Vulnerable software Subscribe |
ImageMagick Client/Desktop applications / Multimedia software |
Vendor | ImageMagick.org |
Security Bulletin
This security bulletin contains information about 10 vulnerabilities.
EUVDB-ID: #VU12632
Risk: Low
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-1000476
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition on the target system.
The weakness exists in the function ReadDDSInfo in coders/dds.c due to CPU exhaustion. A remote attacker can cause the service to crash.
Install update from vendor's website.
Vulnerable software versionsImageMagick: 7.0.7-12 Q16
External linkshttp://github.com/ImageMagick/ImageMagick/issues/867
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU12633
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-10928
CWE-ID:
CWE-126 - Buffer over-read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.
The weakness exists in the GetNextToken function in token.c due to heap-based buffer over-read. A remote attacker can trick the victim into opening a specially crafted SVG document and gain access to potentially sensitive information.
Install update from vendor's website.
Vulnerable software versionsImageMagick: 7.0.6-0
External linkshttp://github.com/ImageMagick/ImageMagick/issues/539
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU12635
Risk: Low
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-11450
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition on the target system.
The weakness exists due to improper input validation. A remote attacker can cause the service to crash via JPEG data that is too short.
Update to version 7.0.6-1.
Vulnerable software versionsImageMagick: 7.0.6-0
External linkshttp://github.com/ImageMagick/ImageMagick/issues/556
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU12636
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-14325
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition on the target system.
The weakness exists in the function PersistPixelCache in magick/cache.c due to memory leak. A remote attacker can trick the victim into opening a specially crafted file, trigger memory consumption and cause the service to crash.
MitigationInstall update from vendor's website.
Vulnerable software versionsImageMagick: 7.0.7-1 Q16
External linkshttp://github.com/ImageMagick/ImageMagick/issues/741
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU12637
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-17887
CWE-ID:
CWE-401 - Missing release of memory after effective lifetime
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition on the target system.
The weakness exists in the function GetImagePixelCache in magick/cache.c due to memory leak. A remote attacker can trick the victim into opening a specially crafted MNG image file that is processed by ReadOneMNGImage and cause the service to crash.
MitigationInstall update from vendor's website.
Vulnerable software versionsImageMagick: 7.0.7-16 Q16
External linkshttp://github.com/ImageMagick/ImageMagick/issues/903
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU12638
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-18250
CWE-ID:
CWE-476 - NULL Pointer Dereference
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition on the target system.
The weakness exists in the function LogOpenCLBuildFailure in MagickCore/opencl.c due to NULL pointer dereference. A remote attacker can trick the victim into opening a specially crafted file and cause the service to crash.
Install update from vendor's website.
Vulnerable software versionsImageMagick: 7.0.7-0
External linkshttp://github.com/ImageMagick/ImageMagick/issues/793
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU12639
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-18251
CWE-ID:
CWE-401 - Missing release of memory after effective lifetime
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition on the target system.
The weakness exists in the function ReadPCDImage in coders/pcd.c due to memory leak. A remote attacker can trick the victim into opening a specially crafted file and cause the service to crash.
MitigationInstall update from vendor's website.
Vulnerable software versionsImageMagick: 7.0.7-0
External linkshttp://github.com/ImageMagick/ImageMagick/issues/809
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU12640
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-18252
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition on the target system.
The weakness exists in the MogrifyImageList function in MagickWand/mogrify.c due to assertion failure. A remote attacker can trick the victim into opening a specially crafted file and cause the service to crash.
MitigationInstall update from vendor's website.
Vulnerable software versionsImageMagick: 7.0.7-0
External linkshttp://github.com/ImageMagick/ImageMagick/issues/802
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU12641
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-18254
CWE-ID:
CWE-401 - Missing release of memory after effective lifetime
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition on the target system.
The weakness exists in the function WriteGIFImage in coders/gif.c due to memory leak. A remote attacker can trick the victim into opening a specially crafted file and cause the service to crash.
MitigationInstall update from vendor's website.
Vulnerable software versionsImageMagick: 7.0.7-0
External linkshttp://github.com/ImageMagick/ImageMagick/issues/808
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU13039
Risk: Low
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-18271
CWE-ID:
CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition on the target system.
The vulnerability exists due to infinite loop in the function ReadMIFFImage in coders/miff.c. A remote attacker can submit a specially crafted MIFF image file, trigger CPU exhaustion and cause the service to crash.
MitigationInstall update from vendor's website.
Vulnerable software versionsImageMagick: 7.0.7-16
External linkshttp://github.com/ImageMagick/ImageMagick/issues/911
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.