Risk | Low |
Patch available | YES |
Number of vulnerabilities | 1 |
CVE-ID | CVE-2019-13391 |
CWE-ID | CWE-125 |
Exploitation vector | Network |
Public exploit | Public exploit code for vulnerability #1 is available. |
Vulnerable software |
imagemagick6 (Alpine package) Operating systems & Components / Operating system package or component |
Vendor | Alpine Linux Development Team |
Security Bulletin
This security bulletin contains one low risk vulnerability.
EUVDB-ID: #VU19184
Risk: Low
CVSSv3.1: 4.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C]
CVE-ID: CVE-2019-13391
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to heap-based buffer over-read because of incorrect calls to "GetCacheViewVirtualPixels" in the "ComplexImages" function, as defined in the "MagickCore/fourier.c" file. A remote attacker can make calls on the targeted system and perform a denial of service attack.
MitigationInstall update from vendor's website.
Vulnerable software versionsimagemagick6 (Alpine package): 6.9.10.39-r0 - 6.9.10.55-r0
CPE2.3http://git.alpinelinux.org/aports/commit/?id=a19f810872972ce57a3fd3bf4ef1f9ec5eac78bc
http://git.alpinelinux.org/aports/commit/?id=530a544685f085941dfc43575144a1aa5090a3e4
http://git.alpinelinux.org/aports/commit/?id=d46d1b3369612e10a726fb1b6658764a7ff08fc9
http://git.alpinelinux.org/aports/commit/?id=6a183d66c7dc3dca62a642c621c62bc6455f8b87
http://git.alpinelinux.org/aports/commit/?id=8a0a53d2ab69a2e8892826f9443e0ad20d53e4df
http://git.alpinelinux.org/aports/commit/?id=3cecfd2d2af53b9be6d7e3af4cc8490b54556a1f
http://git.alpinelinux.org/aports/commit/?id=4f797cc6b00076db68e8bc9f0995e8181659d243
http://git.alpinelinux.org/aports/commit/?id=e2c99a977c70ec025f2ce7b2e89c227d7fed9ed7
http://git.alpinelinux.org/aports/commit/?id=0f7ecd696d28f3be16555aca8525bf57ed8a0669
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.