Risk | High |
Patch available | YES |
Number of vulnerabilities | 38 |
CVE-ID | CVE-2019-10649 CVE-2019-11470 CVE-2019-11472 CVE-2019-11597 CVE-2019-11598 CVE-2019-12974 CVE-2019-12975 CVE-2019-12976 CVE-2019-12977 CVE-2019-12978 CVE-2019-12979 CVE-2019-13135 CVE-2019-13137 CVE-2019-13295 CVE-2019-13297 CVE-2019-13300 CVE-2019-13301 CVE-2019-13304 CVE-2019-13305 CVE-2019-13307 CVE-2019-13308 CVE-2019-13309 CVE-2019-13311 CVE-2019-13454 CVE-2019-14981 CVE-2019-15139 CVE-2019-15140 CVE-2019-16708 CVE-2019-16710 CVE-2019-16711 CVE-2019-16713 CVE-2019-19948 CVE-2019-19949 CVE-2019-7175 CVE-2019-7395 CVE-2019-7396 CVE-2019-7397 CVE-2019-7398 |
CWE-ID | CWE-401 CWE-400 CWE-369 CWE-125 CWE-476 CWE-399 CWE-665 CWE-20 CWE-122 CWE-121 CWE-416 |
Exploitation vector | Network |
Public exploit |
Public exploit code for vulnerability #2 is available. Public exploit code for vulnerability #5 is available. Public exploit code for vulnerability #24 is available. Public exploit code for vulnerability #26 is available. Public exploit code for vulnerability #32 is available. Public exploit code for vulnerability #33 is available. Public exploit code for vulnerability #35 is available. Public exploit code for vulnerability #36 is available. Public exploit code for vulnerability #37 is available. Public exploit code for vulnerability #38 is available. |
Vulnerable software |
Debian Linux Operating systems & Components / Operating system imagemagick (Debian package) Operating systems & Components / Operating system package or component |
Vendor | Debian |
Security Bulletin
This security bulletin contains information about 38 vulnerabilities.
EUVDB-ID: #VU32028
Risk: Medium
CVSSv3.1: 5.7 [AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-10649
CWE-ID:
CWE-401 - Missing release of memory after effective lifetime
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to memory leak within the function SVGKeyValuePairs of coders/svg.c, which allows an attacker to cause a denial of service via a crafted image file. A remote attacker can perform a denial of service attack.
MitigationUpdate imagemagick package to version 8:6.9.10.23+dfsg-2.1+deb10u1.
Vulnerable software versionsDebian Linux: All versions
imagemagick (Debian package): before 8:6.9.10.23+dfsg-2.1+deb10u1
CPE2.3http://www.debian.org/security/2020/dsa-4712
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU19020
Risk: Medium
CVSSv3.1: 5.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C]
CVE-ID: CVE-2019-11470
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a lack of checks for insufficient image data in a file in the "ReadCINImage()" function, as defined in the "coders/cin.c" file. A remote attacker can send a specially crafted Cineon image with an incorrect claimed image size, trick a user into opening it, trigger resource exhaustion and perform a denial of service (DoS) attack.
MitigationUpdate imagemagick package to version 8:6.9.10.23+dfsg-2.1+deb10u1.
Vulnerable software versionsDebian Linux: All versions
imagemagick (Debian package): before 8:6.9.10.23+dfsg-2.1+deb10u1
CPE2.3http://www.debian.org/security/2020/dsa-4712
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
EUVDB-ID: #VU32024
Risk: Medium
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-11472
CWE-ID:
CWE-369 - Divide By Zero
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
ReadXWDImage in coders/xwd.c in the XWD image parsing component of ImageMagick 7.0.8-41 Q16 allows attackers to cause a denial-of-service (divide-by-zero error) by crafting an XWD image file in which the header indicates neither LSB first nor MSB first.
MitigationUpdate imagemagick package to version 8:6.9.10.23+dfsg-2.1+deb10u1.
Vulnerable software versionsDebian Linux: All versions
imagemagick (Debian package): before 8:6.9.10.23+dfsg-2.1+deb10u1
CPE2.3http://www.debian.org/security/2020/dsa-4712
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU32023
Risk: High
CVSSv3.1: 7.1 [AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-11597
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to heap-based buffer over-read in the function WriteTIFFImage of coders/tiff.c, which allows an attacker to cause a denial of service or possibly information disclosure via a crafted image file. A remote attacker can perform a denial of service attack.
MitigationUpdate imagemagick package to version 8:6.9.10.23+dfsg-2.1+deb10u1.
Vulnerable software versionsDebian Linux: All versions
imagemagick (Debian package): before 8:6.9.10.23+dfsg-2.1+deb10u1
CPE2.3http://www.debian.org/security/2020/dsa-4712
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU19019
Risk: Medium
CVSSv3.1: 4.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L/E:P/RL:O/RC:C]
CVE-ID: CVE-2019-11598
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to access sensitive information or cause a denial of service (DoS) condition.
The vulnerability exists due to a boundary condition in the "WritePNMImage()" function in the "coders/pnm.c" file. A remote attacker can send a specially crafted image file (related to SetGrayscaleImage in MagickCore/quantize.c.), trick the victim into opening it, trigger out-of-bounds read error, get access to sensitive information or cause a DoS condition on the targeted system.
MitigationUpdate imagemagick package to version 8:6.9.10.23+dfsg-2.1+deb10u1.
Vulnerable software versionsDebian Linux: All versions
imagemagick (Debian package): before 8:6.9.10.23+dfsg-2.1+deb10u1
CPE2.3http://www.debian.org/security/2020/dsa-4712
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
EUVDB-ID: #VU35780
Risk: Medium
CVSSv3.1: 4.8 [CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-12974
CWE-ID:
CWE-476 - NULL Pointer Dereference
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a NULL pointer dereference error. A remote attacker can trigger denial of service conditions via a crafted image.
MitigationUpdate imagemagick package to version 8:6.9.10.23+dfsg-2.1+deb10u1.
Vulnerable software versionsDebian Linux: All versions
imagemagick (Debian package): before 8:6.9.10.23+dfsg-2.1+deb10u1
CPE2.3http://www.debian.org/security/2020/dsa-4712
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU35781
Risk: Medium
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-12975
CWE-ID:
CWE-399 - Resource Management Errors
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
ImageMagick 7.0.8-34 has a memory leak vulnerability in the WriteDPXImage function in coders/dpx.c.
MitigationUpdate imagemagick package to version 8:6.9.10.23+dfsg-2.1+deb10u1.
Vulnerable software versionsDebian Linux: All versions
imagemagick (Debian package): before 8:6.9.10.23+dfsg-2.1+deb10u1
CPE2.3http://www.debian.org/security/2020/dsa-4712
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU35782
Risk: Medium
CVSSv3.1: 4.8 [CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-12976
CWE-ID:
CWE-401 - Missing release of memory after effective lifetime
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to memory leak within the ReadPCLImage function in coders/pcl.c. A remote attacker can perform a denial of service attack.
MitigationUpdate imagemagick package to version 8:6.9.10.23+dfsg-2.1+deb10u1.
Vulnerable software versionsDebian Linux: All versions
imagemagick (Debian package): before 8:6.9.10.23+dfsg-2.1+deb10u1
CPE2.3http://www.debian.org/security/2020/dsa-4712
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU35783
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-12977
CWE-ID:
CWE-665 - Improper Initialization
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
ImageMagick 7.0.8-34 has a "use of uninitialized value" vulnerability in the WriteJP2Image function in coders/jp2.c.
MitigationUpdate imagemagick package to version 8:6.9.10.23+dfsg-2.1+deb10u1.
Vulnerable software versionsDebian Linux: All versions
imagemagick (Debian package): before 8:6.9.10.23+dfsg-2.1+deb10u1
CPE2.3http://www.debian.org/security/2020/dsa-4712
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU35784
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-12978
CWE-ID:
CWE-665 - Improper Initialization
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
ImageMagick 7.0.8-34 has a "use of uninitialized value" vulnerability in the ReadPANGOImage function in coders/pango.c.
MitigationUpdate imagemagick package to version 8:6.9.10.23+dfsg-2.1+deb10u1.
Vulnerable software versionsDebian Linux: All versions
imagemagick (Debian package): before 8:6.9.10.23+dfsg-2.1+deb10u1
CPE2.3http://www.debian.org/security/2020/dsa-4712
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU35785
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-12979
CWE-ID:
CWE-665 - Improper Initialization
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
ImageMagick 7.0.8-34 has a "use of uninitialized value" vulnerability in the SyncImageSettings function in MagickCore/image.c. This is related to AcquireImage in magick/image.c.
MitigationUpdate imagemagick package to version 8:6.9.10.23+dfsg-2.1+deb10u1.
Vulnerable software versionsDebian Linux: All versions
imagemagick (Debian package): before 8:6.9.10.23+dfsg-2.1+deb10u1
CPE2.3http://www.debian.org/security/2020/dsa-4712
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU21095
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-13135
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to use of uninitialized value in the "ReadCUTImage" function in the "coders/cut.c" file. A remote attacker can execute arbitrary command on the target system.
Update imagemagick package to version 8:6.9.10.23+dfsg-2.1+deb10u1.
Vulnerable software versionsDebian Linux: All versions
imagemagick (Debian package): before 8:6.9.10.23+dfsg-2.1+deb10u1
CPE2.3http://www.debian.org/security/2020/dsa-4712
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU21097
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-13137
CWE-ID:
CWE-399 - Resource Management Errors
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a memory leak in the "ReadPSImage" function in the "coders/ps.c" file. A remote attacker can cause a denial of service condition on the target system.
MitigationUpdate imagemagick package to version 8:6.9.10.23+dfsg-2.1+deb10u1.
Vulnerable software versionsDebian Linux: All versions
imagemagick (Debian package): before 8:6.9.10.23+dfsg-2.1+deb10u1
CPE2.3http://www.debian.org/security/2020/dsa-4712
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU21063
Risk: Medium
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-13295
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to heap-based buffer over-read error in "AdaptiveThresholdImage" in the "MagickCore/threshold.c" file because a width of zero is mishandled. A remote attacker can trick the victim to open a specially crafted file, trigger out-of-bounds read error and crash the application.
Update imagemagick package to version 8:6.9.10.23+dfsg-2.1+deb10u1.
Vulnerable software versionsDebian Linux: All versions
imagemagick (Debian package): before 8:6.9.10.23+dfsg-2.1+deb10u1
CPE2.3http://www.debian.org/security/2020/dsa-4712
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU21070
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-13297
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to heap-based buffer over-read in AdaptiveThresholdImage in the "MagickCore/threshold.c" file because a height of zero is mishandled. A remote attacker can perform a denial of service attack.
MitigationUpdate imagemagick package to version 8:6.9.10.23+dfsg-2.1+deb10u1.
Vulnerable software versionsDebian Linux: All versions
imagemagick (Debian package): before 8:6.9.10.23+dfsg-2.1+deb10u1
CPE2.3http://www.debian.org/security/2020/dsa-4712
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU21073
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-13300
CWE-ID:
CWE-122 - Heap-based Buffer Overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error within the EvaluateImages in the "MagickCore/statistic.c" file because of mishandling columns. A remote attacker can create a specially crafted file, trick the victim into opening it, trigger heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationUpdate imagemagick package to version 8:6.9.10.23+dfsg-2.1+deb10u1.
Vulnerable software versionsDebian Linux: All versions
imagemagick (Debian package): before 8:6.9.10.23+dfsg-2.1+deb10u1
CPE2.3http://www.debian.org/security/2020/dsa-4712
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU21069
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-13301
CWE-ID:
CWE-399 - Resource Management Errors
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists because of a memory leak in AcquireMagickMemory due to an AnnotateImage error. A remote attacker can perform a denial of service attack.
MitigationUpdate imagemagick package to version 8:6.9.10.23+dfsg-2.1+deb10u1.
Vulnerable software versionsDebian Linux: All versions
imagemagick (Debian package): before 8:6.9.10.23+dfsg-2.1+deb10u1
CPE2.3http://www.debian.org/security/2020/dsa-4712
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU21076
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-13304
CWE-ID:
CWE-121 - Stack-based buffer overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in WritePNMImage in the "coders/pnm.c" file because of a misplaced assignment. A remote attacker can trigger stack-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationUpdate imagemagick package to version 8:6.9.10.23+dfsg-2.1+deb10u1.
Vulnerable software versionsDebian Linux: All versions
imagemagick (Debian package): before 8:6.9.10.23+dfsg-2.1+deb10u1
CPE2.3http://www.debian.org/security/2020/dsa-4712
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU21077
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-13305
CWE-ID:
CWE-121 - Stack-based buffer overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in WritePNMImage in the coders/pnm.c file because of a misplaced "strncpy" and "an off-by-one" error. A remote attacker can trigger stack-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationUpdate imagemagick package to version 8:6.9.10.23+dfsg-2.1+deb10u1.
Vulnerable software versionsDebian Linux: All versions
imagemagick (Debian package): before 8:6.9.10.23+dfsg-2.1+deb10u1
CPE2.3http://www.debian.org/security/2020/dsa-4712
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU21079
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-13307
CWE-ID:
CWE-122 - Heap-based Buffer Overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error within the EvaluateImages in the "MagickCore/statistic.c" file because of mishandling rows. A remote attacker can create a specially crafted file, trick the victim into opening it, trigger heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationUpdate imagemagick package to version 8:6.9.10.23+dfsg-2.1+deb10u1.
Vulnerable software versionsDebian Linux: All versions
imagemagick (Debian package): before 8:6.9.10.23+dfsg-2.1+deb10u1
CPE2.3http://www.debian.org/security/2020/dsa-4712
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU21080
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-13308
CWE-ID:
CWE-122 - Heap-based Buffer Overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error within the "MagickCore/fourier.c" in ComplexImage. A remote attacker can create a specially crafted file, trick the victim into opening it, trigger heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationUpdate imagemagick package to version 8:6.9.10.23+dfsg-2.1+deb10u1.
Vulnerable software versionsDebian Linux: All versions
imagemagick (Debian package): before 8:6.9.10.23+dfsg-2.1+deb10u1
CPE2.3http://www.debian.org/security/2020/dsa-4712
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU21066
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-13309
CWE-ID:
CWE-399 - Resource Management Errors
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists because of a memory leak in AcquireMagickMemory due to mishandling the NoSuchImage error in CLIListOperatorImages in the "MagickWand/operation.c" file. A remote attacker can perform a denial of service attack.
MitigationUpdate imagemagick package to version 8:6.9.10.23+dfsg-2.1+deb10u1.
Vulnerable software versionsDebian Linux: All versions
imagemagick (Debian package): before 8:6.9.10.23+dfsg-2.1+deb10u1
CPE2.3http://www.debian.org/security/2020/dsa-4712
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU21065
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-13311
CWE-ID:
CWE-399 - Resource Management Errors
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a memory leak in AcquireMagickMemory due to an error in the "wand/mogrify.c" file. A remote attacker can perform a denial of service attack on the target system.
MitigationUpdate imagemagick package to version 8:6.9.10.23+dfsg-2.1+deb10u1.
Vulnerable software versionsDebian Linux: All versions
imagemagick (Debian package): before 8:6.9.10.23+dfsg-2.1+deb10u1
CPE2.3http://www.debian.org/security/2020/dsa-4712
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU19185
Risk: Medium
CVSSv3.1: 5.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C]
CVE-ID: CVE-2019-13454
CWE-ID:
CWE-369 - Divide By Zero
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause a denial of service (DoS) condition on a system.
The vulnerability exists due to a divide-by-zero condition in the "RemoveDuplicateLayers" function, as defined in the "MagickCore/layer.c" file. A remote attacker can make calls on the targeted system and cause a DoS condition.
Update imagemagick package to version 8:6.9.10.23+dfsg-2.1+deb10u1.
Vulnerable software versionsDebian Linux: All versions
imagemagick (Debian package): before 8:6.9.10.23+dfsg-2.1+deb10u1
CPE2.3http://www.debian.org/security/2020/dsa-4712
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
EUVDB-ID: #VU20299
Risk: Medium
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-14981
CWE-ID:
CWE-369 - Divide By Zero
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform denial of service attack.
The vulnerability exists due to division by zero error when processing untrusted input in the MeanShiftImage function. It allows an attacker to cause a denial of service by sending a crafted file. A remote attacker can perform denial of service attack.
MitigationUpdate imagemagick package to version 8:6.9.10.23+dfsg-2.1+deb10u1.
Vulnerable software versionsDebian Linux: All versions
imagemagick (Debian package): before 8:6.9.10.23+dfsg-2.1+deb10u1
CPE2.3http://www.debian.org/security/2020/dsa-4712
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU21061
Risk: Medium
CVSSv3.1: 5.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C]
CVE-ID: CVE-2019-15139
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
Description
The vulnerability allows a remote attacker to cause a denial of service (DoS) condition on the target system.
The vulnerability exists in "ReadXWDImage" in the "coders/xwd.c" file due to a boundary condition when reading on XWD files. A remote attacker can create a specially crafted XWD image file, trick the victim into opening it, trigger out-of-bounds read error and crash the application.
Update imagemagick package to version 8:6.9.10.23+dfsg-2.1+deb10u1.
Vulnerable software versionsDebian Linux: All versions
imagemagick (Debian package): before 8:6.9.10.23+dfsg-2.1+deb10u1
CPE2.3http://www.debian.org/security/2020/dsa-4712
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
EUVDB-ID: #VU21055
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-15140
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
Description
The vulnerability allows a remote attacker to execute arbitrary code on the target system
The vulnerability exists in "ReadImage" in the "MagickCore/constitute.c" file due to a use-after-free error when the affected software does improper memory operations. A remote attacker can trick a victim to open a specially crafted file and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Update imagemagick package to version 8:6.9.10.23+dfsg-2.1+deb10u1.
Vulnerable software versionsDebian Linux: All versions
imagemagick (Debian package): before 8:6.9.10.23+dfsg-2.1+deb10u1
CPE2.3http://www.debian.org/security/2020/dsa-4712
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU31999
Risk: Medium
CVSSv3.1: 5.7 [AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-16708
CWE-ID:
CWE-401 - Missing release of memory after effective lifetime
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to memory leak within magick/xwindow.c, related to XCreateImage. A remote attacker can perform a denial of service attack.
MitigationUpdate imagemagick package to version 8:6.9.10.23+dfsg-2.1+deb10u1.
Vulnerable software versionsDebian Linux: All versions
imagemagick (Debian package): before 8:6.9.10.23+dfsg-2.1+deb10u1
CPE2.3http://www.debian.org/security/2020/dsa-4712
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU31997
Risk: Medium
CVSSv3.1: 5.7 [AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-16710
CWE-ID:
CWE-401 - Missing release of memory after effective lifetime
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to memory leak within coders/dot.c, as demonstrated by AcquireMagickMemory in MagickCore/memory.c. A remote attacker can perform a denial of service attack.
MitigationUpdate imagemagick package to version 8:6.9.10.23+dfsg-2.1+deb10u1.
Vulnerable software versionsDebian Linux: All versions
imagemagick (Debian package): before 8:6.9.10.23+dfsg-2.1+deb10u1
CPE2.3http://www.debian.org/security/2020/dsa-4712
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU31996
Risk: Medium
CVSSv3.1: 5.7 [AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-16711
CWE-ID:
CWE-401 - Missing release of memory after effective lifetime
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to memory leak within Huffman2DEncodeImage in coders/ps2.c. A remote attacker can perform a denial of service attack.
MitigationUpdate imagemagick package to version 8:6.9.10.23+dfsg-2.1+deb10u1.
Vulnerable software versionsDebian Linux: All versions
imagemagick (Debian package): before 8:6.9.10.23+dfsg-2.1+deb10u1
CPE2.3http://www.debian.org/security/2020/dsa-4712
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU31994
Risk: Medium
CVSSv3.1: 5.7 [AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-16713
CWE-ID:
CWE-401 - Missing release of memory after effective lifetime
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to memory leak within coders/dot.c, as demonstrated by PingImage in MagickCore/constitute.c. A remote attacker can perform a denial of service attack.
MitigationUpdate imagemagick package to version 8:6.9.10.23+dfsg-2.1+deb10u1.
Vulnerable software versionsDebian Linux: All versions
imagemagick (Debian package): before 8:6.9.10.23+dfsg-2.1+deb10u1
CPE2.3http://www.debian.org/security/2020/dsa-4712
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU24029
Risk: Medium
CVSSv3.1: 6.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C]
CVE-ID: CVE-2019-19948
CWE-ID:
CWE-122 - Heap-based Buffer Overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due insufficient validation of row and column sizes in the "WriteSGIImage" function of coders/sgi.c. A remote attacker can trigger heap-based buffer overflow and cause a denial of service condition on the target system.
MitigationUpdate imagemagick package to version 8:6.9.10.23+dfsg-2.1+deb10u1.
Vulnerable software versionsDebian Linux: All versions
imagemagick (Debian package): before 8:6.9.10.23+dfsg-2.1+deb10u1
CPE2.3http://www.debian.org/security/2020/dsa-4712
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
EUVDB-ID: #VU24030
Risk: Medium
CVSSv3.1: 6.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C]
CVE-ID: CVE-2019-19949
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due missing length check prior pointer dereference in the "WritePNGImage" function of coders/png.c, related to Magick_png_write_raw_profile and LocaleNCompare. A remote attacker can cause a denial of service condition on the target system.
Update imagemagick package to version 8:6.9.10.23+dfsg-2.1+deb10u1.
Vulnerable software versionsDebian Linux: All versions
imagemagick (Debian package): before 8:6.9.10.23+dfsg-2.1+deb10u1
CPE2.3http://www.debian.org/security/2020/dsa-4712
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
EUVDB-ID: #VU18390
Risk: Low
CVSSv3.1: 2.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-7175
CWE-ID:
CWE-401 - Missing release of memory after effective lifetime
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform DoS attack on the target system.
The vulnerability exists due memory leak in the DecodeImage() function in coders/pcd.c. A remote attacker can create a specially crafted image file and perform denial of service attack.
MitigationUpdate imagemagick package to version 8:6.9.10.23+dfsg-2.1+deb10u1.
Vulnerable software versionsDebian Linux: All versions
imagemagick (Debian package): before 8:6.9.10.23+dfsg-2.1+deb10u1
CPE2.3http://www.debian.org/security/2020/dsa-4712
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU17706
Risk: Low
CVSSv3.1: 3.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C]
CVE-ID: CVE-2019-7395
CWE-ID:
CWE-401 - Missing release of memory after effective lifetime
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform DoS attack on the target system.
The vulnerability exists due a memory leak in the WritePSDChannel function, as defined in the coders/psd.c source code file. A remote attacker can trick the victim into accessing a file that submits malicious input and perform denial of service attack.
MitigationUpdate imagemagick package to version 8:6.9.10.23+dfsg-2.1+deb10u1.
Vulnerable software versionsDebian Linux: All versions
imagemagick (Debian package): before 8:6.9.10.23+dfsg-2.1+deb10u1
CPE2.3http://www.debian.org/security/2020/dsa-4712
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
EUVDB-ID: #VU17704
Risk: Low
CVSSv3.1: 3.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C]
CVE-ID: CVE-2019-7396
CWE-ID:
CWE-401 - Missing release of memory after effective lifetime
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform DoS attack on the target system.
The vulnerability exists due a memory leak in the ReadSIXELImage function, as defined in the coders/sixel.c source code file. A remote attacker can trick the victim into accessing a file that submits malicious input and perform denial of service attack.
MitigationUpdate imagemagick package to version 8:6.9.10.23+dfsg-2.1+deb10u1.
Vulnerable software versionsDebian Linux: All versions
imagemagick (Debian package): before 8:6.9.10.23+dfsg-2.1+deb10u1
CPE2.3http://www.debian.org/security/2020/dsa-4712
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
EUVDB-ID: #VU17707
Risk: Low
CVSSv3.1: 3.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C]
CVE-ID: CVE-2019-7397
CWE-ID:
CWE-401 - Missing release of memory after effective lifetime
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform DoS attack on the target system.
The vulnerability exists due a memory leak in the WritePDFImage function, as defined in the coders/pdf.c source code file. A remote attacker can trick the victim into accessing a file that submits malicious input and perform denial of service attack.
MitigationUpdate imagemagick package to version 8:6.9.10.23+dfsg-2.1+deb10u1.
Vulnerable software versionsDebian Linux: All versions
imagemagick (Debian package): before 8:6.9.10.23+dfsg-2.1+deb10u1
CPE2.3http://www.debian.org/security/2020/dsa-4712
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
EUVDB-ID: #VU17705
Risk: Low
CVSSv3.1: 3.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C]
CVE-ID: CVE-2019-7398
CWE-ID:
CWE-401 - Missing release of memory after effective lifetime
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform DoS attack on the target system.
The vulnerability exists due a memory leak in the WriteDIBImage function, as defined in the coders/dib.c source code file. A remote attacker can trick the victim into accessing a file that submits malicious input and perform denial of service attack.
MitigationUpdate imagemagick package to version 8:6.9.10.23+dfsg-2.1+deb10u1.
Vulnerable software versionsDebian Linux: All versions
imagemagick (Debian package): before 8:6.9.10.23+dfsg-2.1+deb10u1
CPE2.3http://www.debian.org/security/2020/dsa-4712
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.