Amazon Linux AMI update for ImageMagick



Published: 2024-03-19
Risk High
Patch available YES
Number of vulnerabilities 75
CVE-ID CVE-2016-5841
CVE-2017-1000476
CVE-2017-11166
CVE-2017-12805
CVE-2017-12806
CVE-2017-13139
CVE-2017-18251
CVE-2017-18252
CVE-2017-18254
CVE-2017-18271
CVE-2017-18273
CVE-2018-10177
CVE-2018-10804
CVE-2018-10805
CVE-2018-11656
CVE-2018-12599
CVE-2018-12600
CVE-2018-13153
CVE-2018-14434
CVE-2018-14435
CVE-2018-14436
CVE-2018-14437
CVE-2018-15607
CVE-2018-16328
CVE-2018-16749
CVE-2018-16750
CVE-2018-18544
CVE-2018-20467
CVE-2018-8804
CVE-2018-9133
CVE-2019-10131
CVE-2019-10650
CVE-2019-11470
CVE-2019-11472
CVE-2019-11597
CVE-2019-11598
CVE-2019-12974
CVE-2019-12975
CVE-2019-12976
CVE-2019-12978
CVE-2019-12979
CVE-2019-13133
CVE-2019-13134
CVE-2019-13135
CVE-2019-13295
CVE-2019-13297
CVE-2019-13300
CVE-2019-13301
CVE-2019-13304
CVE-2019-13305
CVE-2019-13306
CVE-2019-13307
CVE-2019-13309
CVE-2019-13310
CVE-2019-13311
CVE-2019-13454
CVE-2019-14980
CVE-2019-14981
CVE-2019-15139
CVE-2019-15140
CVE-2019-15141
CVE-2019-16708
CVE-2019-16709
CVE-2019-16710
CVE-2019-16711
CVE-2019-16712
CVE-2019-16713
CVE-2019-17540
CVE-2019-17541
CVE-2019-19948
CVE-2019-19949
CVE-2019-7175
CVE-2019-7397
CVE-2019-7398
CVE-2019-9956
CWE-ID CWE-190
CWE-400
CWE-20
CWE-125
CWE-401
CWE-835
CWE-787
CWE-476
CWE-119
CWE-617
CWE-415
CWE-399
CWE-193
CWE-369
CWE-665
CWE-122
CWE-121
CWE-416
Exploitation vector Network
Public exploit Public exploit code for vulnerability #4 is available.
Public exploit code for vulnerability #20 is available.
Public exploit code for vulnerability #27 is available.
Public exploit code for vulnerability #28 is available.
Public exploit code for vulnerability #33 is available.
Public exploit code for vulnerability #36 is available.
Public exploit code for vulnerability #56 is available.
Public exploit code for vulnerability #59 is available.
Public exploit code for vulnerability #70 is available.
Public exploit code for vulnerability #71 is available.
Public exploit code for vulnerability #73 is available.
Public exploit code for vulnerability #74 is available.
Vulnerable software
Subscribe
Amazon Linux AMI
Operating systems & Components / Operating system

ImageMagick
Operating systems & Components / Operating system package or component

Vendor Amazon Web Services

Security Bulletin

This security bulletin contains information about 75 vulnerabilities.

1) Integer overflow

EUVDB-ID: #VU32210

Risk: High

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-5841

CWE-ID: CWE-190 - Integer overflow

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

Integer overflow in MagickCore/profile.c in ImageMagick before 7.0.2-1 allows remote attackers to cause a denial of service (segmentation fault) or possibly execute arbitrary code via vectors involving the offset variable.

Mitigation

Update the affected packages:

i686:
    ImageMagick-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-6.9.10.68-3.22.amzn1.i686
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.i686
    ImageMagick-perl-6.9.10.68-3.22.amzn1.i686
    ImageMagick-doc-6.9.10.68-3.22.amzn1.i686
    ImageMagick-devel-6.9.10.68-3.22.amzn1.i686

src:
    ImageMagick-6.9.10.68-3.22.amzn1.src

x86_64:
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-perl-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-c++-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-doc-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-devel-6.9.10.68-3.22.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

ImageMagick: before 6.9.10.68-3.22

CPE2.3 External links

http://alas.aws.amazon.com/ALAS-2024-1926.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Resource exhaustion

EUVDB-ID: #VU12632

Risk: Low

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-1000476

CWE-ID: CWE-400 - Resource exhaustion

Exploit availability: No

Description

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The weakness exists in the function ReadDDSInfo in coders/dds.c due to CPU exhaustion. A remote attacker can cause the service to crash.

Mitigation

Update the affected packages:

i686:
    ImageMagick-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-6.9.10.68-3.22.amzn1.i686
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.i686
    ImageMagick-perl-6.9.10.68-3.22.amzn1.i686
    ImageMagick-doc-6.9.10.68-3.22.amzn1.i686
    ImageMagick-devel-6.9.10.68-3.22.amzn1.i686

src:
    ImageMagick-6.9.10.68-3.22.amzn1.src

x86_64:
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-perl-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-c++-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-doc-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-devel-6.9.10.68-3.22.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

ImageMagick: before 6.9.10.68-3.22

CPE2.3 External links

http://alas.aws.amazon.com/ALAS-2024-1926.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Input validation error

EUVDB-ID: #VU38717

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-11166

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

The ReadXWDImage function in codersxwd.c in ImageMagick 7.0.5-6 has a memory leak vulnerability that can cause memory exhaustion via a crafted length (number of color-map entries) field in the header of an XWD file.

Mitigation

Update the affected packages:

i686:
    ImageMagick-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-6.9.10.68-3.22.amzn1.i686
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.i686
    ImageMagick-perl-6.9.10.68-3.22.amzn1.i686
    ImageMagick-doc-6.9.10.68-3.22.amzn1.i686
    ImageMagick-devel-6.9.10.68-3.22.amzn1.i686

src:
    ImageMagick-6.9.10.68-3.22.amzn1.src

x86_64:
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-perl-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-c++-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-doc-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-devel-6.9.10.68-3.22.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

ImageMagick: before 6.9.10.68-3.22

CPE2.3 External links

http://alas.aws.amazon.com/ALAS-2024-1926.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Resource exhaustion

EUVDB-ID: #VU19188

Risk: Medium

CVSSv3.1: 4.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C]

CVE-ID: CVE-2017-12805

CWE-ID: CWE-400 - Resource exhaustion

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a memory consumption condition in the "ReadTIFFImage()" function. A remote attacker can send a specially crafted file to the targeted system, trigger resource exhaustion and perform a denial of service (DoS) attack.

Mitigation

Update the affected packages:

i686:
    ImageMagick-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-6.9.10.68-3.22.amzn1.i686
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.i686
    ImageMagick-perl-6.9.10.68-3.22.amzn1.i686
    ImageMagick-doc-6.9.10.68-3.22.amzn1.i686
    ImageMagick-devel-6.9.10.68-3.22.amzn1.i686

src:
    ImageMagick-6.9.10.68-3.22.amzn1.src

x86_64:
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-perl-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-c++-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-doc-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-devel-6.9.10.68-3.22.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

ImageMagick: before 6.9.10.68-3.22

CPE2.3 External links

http://alas.aws.amazon.com/ALAS-2024-1926.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

5) Resource exhaustion

EUVDB-ID: #VU19048

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-12806

CWE-ID: CWE-400 - Resource exhaustion

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to memory exhaustion when processing images within the format8BIM() function. A remote attacker can create a specially crafted image, pass it to the affected application and consume all available memory on the system.

Mitigation

Update the affected packages:

i686:
    ImageMagick-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-6.9.10.68-3.22.amzn1.i686
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.i686
    ImageMagick-perl-6.9.10.68-3.22.amzn1.i686
    ImageMagick-doc-6.9.10.68-3.22.amzn1.i686
    ImageMagick-devel-6.9.10.68-3.22.amzn1.i686

src:
    ImageMagick-6.9.10.68-3.22.amzn1.src

x86_64:
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-perl-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-c++-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-doc-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-devel-6.9.10.68-3.22.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

ImageMagick: before 6.9.10.68-3.22

CPE2.3 External links

http://alas.aws.amazon.com/ALAS-2024-1926.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Out-of-bounds read

EUVDB-ID: #VU38433

Risk: High

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-13139

CWE-ID: CWE-125 - Out-of-bounds read

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

In ImageMagick before 6.9.9-0 and 7.x before 7.0.6-1, the ReadOneMNGImage function in coders/png.c has an out-of-bounds read with the MNG CLIP chunk.

Mitigation

Update the affected packages:

i686:
    ImageMagick-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-6.9.10.68-3.22.amzn1.i686
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.i686
    ImageMagick-perl-6.9.10.68-3.22.amzn1.i686
    ImageMagick-doc-6.9.10.68-3.22.amzn1.i686
    ImageMagick-devel-6.9.10.68-3.22.amzn1.i686

src:
    ImageMagick-6.9.10.68-3.22.amzn1.src

x86_64:
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-perl-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-c++-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-doc-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-devel-6.9.10.68-3.22.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

ImageMagick: before 6.9.10.68-3.22

CPE2.3 External links

http://alas.aws.amazon.com/ALAS-2024-1926.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Memory leak

EUVDB-ID: #VU12639

Risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-18251

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

Exploit availability: No

Description

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The weakness exists in the function ReadPCDImage in coders/pcd.c due to memory leak. A remote attacker can trick the victim into opening a specially crafted file and cause the service to crash.

Mitigation

Update the affected packages:

i686:
    ImageMagick-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-6.9.10.68-3.22.amzn1.i686
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.i686
    ImageMagick-perl-6.9.10.68-3.22.amzn1.i686
    ImageMagick-doc-6.9.10.68-3.22.amzn1.i686
    ImageMagick-devel-6.9.10.68-3.22.amzn1.i686

src:
    ImageMagick-6.9.10.68-3.22.amzn1.src

x86_64:
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-perl-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-c++-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-doc-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-devel-6.9.10.68-3.22.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

ImageMagick: before 6.9.10.68-3.22

CPE2.3 External links

http://alas.aws.amazon.com/ALAS-2024-1926.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

8) Improper input validation

EUVDB-ID: #VU12640

Risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-18252

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The weakness exists in the MogrifyImageList function in MagickWand/mogrify.c due to assertion failure. A remote attacker can trick the victim into opening a specially crafted file and cause the service to crash.

Mitigation

Update the affected packages:

i686:
    ImageMagick-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-6.9.10.68-3.22.amzn1.i686
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.i686
    ImageMagick-perl-6.9.10.68-3.22.amzn1.i686
    ImageMagick-doc-6.9.10.68-3.22.amzn1.i686
    ImageMagick-devel-6.9.10.68-3.22.amzn1.i686

src:
    ImageMagick-6.9.10.68-3.22.amzn1.src

x86_64:
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-perl-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-c++-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-doc-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-devel-6.9.10.68-3.22.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

ImageMagick: before 6.9.10.68-3.22

CPE2.3 External links

http://alas.aws.amazon.com/ALAS-2024-1926.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

9) Memory leak

EUVDB-ID: #VU12641

Risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-18254

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

Exploit availability: No

Description

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The weakness exists in the function WriteGIFImage in coders/gif.c due to memory leak. A remote attacker can trick the victim into opening a specially crafted file and cause the service to crash.

Mitigation

Update the affected packages:

i686:
    ImageMagick-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-6.9.10.68-3.22.amzn1.i686
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.i686
    ImageMagick-perl-6.9.10.68-3.22.amzn1.i686
    ImageMagick-doc-6.9.10.68-3.22.amzn1.i686
    ImageMagick-devel-6.9.10.68-3.22.amzn1.i686

src:
    ImageMagick-6.9.10.68-3.22.amzn1.src

x86_64:
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-perl-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-c++-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-doc-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-devel-6.9.10.68-3.22.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

ImageMagick: before 6.9.10.68-3.22

CPE2.3 External links

http://alas.aws.amazon.com/ALAS-2024-1926.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

10) Infinite loop

EUVDB-ID: #VU13039

Risk: Low

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-18271

CWE-ID: CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')

Exploit availability: No

Description

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The vulnerability exists due to infinite loop in the function ReadMIFFImage in coders/miff.c. A remote attacker can submit a specially crafted MIFF image file, trigger CPU exhaustion and cause the service to crash.

Mitigation

Update the affected packages:

i686:
    ImageMagick-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-6.9.10.68-3.22.amzn1.i686
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.i686
    ImageMagick-perl-6.9.10.68-3.22.amzn1.i686
    ImageMagick-doc-6.9.10.68-3.22.amzn1.i686
    ImageMagick-devel-6.9.10.68-3.22.amzn1.i686

src:
    ImageMagick-6.9.10.68-3.22.amzn1.src

x86_64:
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-perl-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-c++-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-doc-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-devel-6.9.10.68-3.22.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

ImageMagick: before 6.9.10.68-3.22

CPE2.3 External links

http://alas.aws.amazon.com/ALAS-2024-1926.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

11) Infinite loop

EUVDB-ID: #VU46331

Risk: Medium

CVSSv3.1: 5.7 [AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-18273

CWE-ID: CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to infinite loop within the ReadTXTImage in coders/txt.c, which allows attackers to cause a denial of service (CPU exhaustion) via a crafted image file that is mishandled in a GetImageIndexInList call. A remote attacker can consume all available system resources and trigger denial of service condition.

Mitigation

Update the affected packages:

i686:
    ImageMagick-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-6.9.10.68-3.22.amzn1.i686
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.i686
    ImageMagick-perl-6.9.10.68-3.22.amzn1.i686
    ImageMagick-doc-6.9.10.68-3.22.amzn1.i686
    ImageMagick-devel-6.9.10.68-3.22.amzn1.i686

src:
    ImageMagick-6.9.10.68-3.22.amzn1.src

x86_64:
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-perl-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-c++-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-doc-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-devel-6.9.10.68-3.22.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

ImageMagick: before 6.9.10.68-3.22

CPE2.3 External links

http://alas.aws.amazon.com/ALAS-2024-1926.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

12) Infinite loop

EUVDB-ID: #VU12642

Risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-10177

CWE-ID: CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')

Exploit availability: No

Description

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The weakness exists in the ReadOneMNGImage function of the coders/png.c file due to infinite loop. A remote attacker can trick the victim into opening a specially crafted mng file and cause the service to crash.

Mitigation

Update the affected packages:

i686:
    ImageMagick-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-6.9.10.68-3.22.amzn1.i686
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.i686
    ImageMagick-perl-6.9.10.68-3.22.amzn1.i686
    ImageMagick-doc-6.9.10.68-3.22.amzn1.i686
    ImageMagick-devel-6.9.10.68-3.22.amzn1.i686

src:
    ImageMagick-6.9.10.68-3.22.amzn1.src

x86_64:
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-perl-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-c++-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-doc-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-devel-6.9.10.68-3.22.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

ImageMagick: before 6.9.10.68-3.22

CPE2.3 External links

http://alas.aws.amazon.com/ALAS-2024-1926.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

13) Memory leak

EUVDB-ID: #VU13579

Risk: Low

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-10804

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to memory leak within WriteTIFFImage in coders/tiff.c. A remote attacker can perform a denial of service attack.

Mitigation

Update the affected packages:

i686:
    ImageMagick-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-6.9.10.68-3.22.amzn1.i686
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.i686
    ImageMagick-perl-6.9.10.68-3.22.amzn1.i686
    ImageMagick-doc-6.9.10.68-3.22.amzn1.i686
    ImageMagick-devel-6.9.10.68-3.22.amzn1.i686

src:
    ImageMagick-6.9.10.68-3.22.amzn1.src

x86_64:
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-perl-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-c++-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-doc-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-devel-6.9.10.68-3.22.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

ImageMagick: before 6.9.10.68-3.22

CPE2.3 External links

http://alas.aws.amazon.com/ALAS-2024-1926.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

14) Memory leak

EUVDB-ID: #VU13580

Risk: Low

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-10805

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to memory leak within ReadYCBCRImage in coders/ycbcr.c. A remote attacker can perform a denial of service attack.

Mitigation

Update the affected packages:

i686:
    ImageMagick-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-6.9.10.68-3.22.amzn1.i686
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.i686
    ImageMagick-perl-6.9.10.68-3.22.amzn1.i686
    ImageMagick-doc-6.9.10.68-3.22.amzn1.i686
    ImageMagick-devel-6.9.10.68-3.22.amzn1.i686

src:
    ImageMagick-6.9.10.68-3.22.amzn1.src

x86_64:
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-perl-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-c++-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-doc-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-devel-6.9.10.68-3.22.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

ImageMagick: before 6.9.10.68-3.22

CPE2.3 External links

http://alas.aws.amazon.com/ALAS-2024-1926.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

15) Memory leak

EUVDB-ID: #VU79926

Risk: Medium

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-11656

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to memory leak within the ReadDCMImage() function in coders/dcm.c. A remote attacker can perform a denial of service attack via a a crafted DCM image file.

Mitigation

Update the affected packages:

i686:
    ImageMagick-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-6.9.10.68-3.22.amzn1.i686
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.i686
    ImageMagick-perl-6.9.10.68-3.22.amzn1.i686
    ImageMagick-doc-6.9.10.68-3.22.amzn1.i686
    ImageMagick-devel-6.9.10.68-3.22.amzn1.i686

src:
    ImageMagick-6.9.10.68-3.22.amzn1.src

x86_64:
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-perl-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-c++-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-doc-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-devel-6.9.10.68-3.22.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

ImageMagick: before 6.9.10.68-3.22

CPE2.3 External links

http://alas.aws.amazon.com/ALAS-2024-1926.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

16) Out-of-bounds write

EUVDB-ID: #VU13872

Risk: High

CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-12599

CWE-ID: CWE-787 - Out-of-bounds write

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists in ReadBMPImage and WriteBMPImage in coders/bmp.c due to out-of-bounds write. A remote unauthenticated attacker can trick the victim into opening a specially crafted file and execute arbitrary code with elevated privileges.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Update the affected packages:

i686:
    ImageMagick-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-6.9.10.68-3.22.amzn1.i686
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.i686
    ImageMagick-perl-6.9.10.68-3.22.amzn1.i686
    ImageMagick-doc-6.9.10.68-3.22.amzn1.i686
    ImageMagick-devel-6.9.10.68-3.22.amzn1.i686

src:
    ImageMagick-6.9.10.68-3.22.amzn1.src

x86_64:
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-perl-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-c++-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-doc-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-devel-6.9.10.68-3.22.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

ImageMagick: before 6.9.10.68-3.22

CPE2.3 External links

http://alas.aws.amazon.com/ALAS-2024-1926.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

17) Out-of-bounds write

EUVDB-ID: #VU13873

Risk: High

CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-12600

CWE-ID: CWE-787 - Out-of-bounds write

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists in ReadDIBImage and WriteDIBImage in coders/dib. due to out-of-bounds write. A remote unauthenticated attacker can trick the victim into opening a specially crafted file and execute arbitrary code with elevated privileges.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Update the affected packages:

i686:
    ImageMagick-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-6.9.10.68-3.22.amzn1.i686
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.i686
    ImageMagick-perl-6.9.10.68-3.22.amzn1.i686
    ImageMagick-doc-6.9.10.68-3.22.amzn1.i686
    ImageMagick-devel-6.9.10.68-3.22.amzn1.i686

src:
    ImageMagick-6.9.10.68-3.22.amzn1.src

x86_64:
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-perl-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-c++-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-doc-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-devel-6.9.10.68-3.22.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

ImageMagick: before 6.9.10.68-3.22

CPE2.3 External links

http://alas.aws.amazon.com/ALAS-2024-1926.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

18) Memory leak

EUVDB-ID: #VU13584

Risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-13153

CWE-ID: CWE-400 - Resource exhaustion

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to memory leak within the XMagickCommand function in MagickCore/animate.c. A remote attacker can trick the victim into opening a specially crafted image file, consume excessive memory and cause the service to crash.

Mitigation

Update the affected packages:

i686:
    ImageMagick-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-6.9.10.68-3.22.amzn1.i686
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.i686
    ImageMagick-perl-6.9.10.68-3.22.amzn1.i686
    ImageMagick-doc-6.9.10.68-3.22.amzn1.i686
    ImageMagick-devel-6.9.10.68-3.22.amzn1.i686

src:
    ImageMagick-6.9.10.68-3.22.amzn1.src

x86_64:
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-perl-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-c++-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-doc-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-devel-6.9.10.68-3.22.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

ImageMagick: before 6.9.10.68-3.22

CPE2.3 External links

http://alas.aws.amazon.com/ALAS-2024-1926.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

19) Input validation error

EUVDB-ID: #VU33729

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-14434

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

ImageMagick 7.0.8-4 has a memory leak for a colormap in WriteMPCImage in coders/mpc.c.

Mitigation

Update the affected packages:

i686:
    ImageMagick-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-6.9.10.68-3.22.amzn1.i686
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.i686
    ImageMagick-perl-6.9.10.68-3.22.amzn1.i686
    ImageMagick-doc-6.9.10.68-3.22.amzn1.i686
    ImageMagick-devel-6.9.10.68-3.22.amzn1.i686

src:
    ImageMagick-6.9.10.68-3.22.amzn1.src

x86_64:
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-perl-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-c++-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-doc-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-devel-6.9.10.68-3.22.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

ImageMagick: before 6.9.10.68-3.22

CPE2.3 External links

http://alas.aws.amazon.com/ALAS-2024-1926.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

20) Memory leak

EUVDB-ID: #VU14465

Risk: Low

CVSSv3.1: 3.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C]

CVE-ID: CVE-2018-14435

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

Exploit availability: No

Description

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The vulnerability exists due to memory leak in DecodeImage in coders/pcd.c. A remote attacker can trick the victim into opening a specially crafted input, trigger memory corruption and cause the service to crash.

Mitigation

Update the affected packages:

i686:
    ImageMagick-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-6.9.10.68-3.22.amzn1.i686
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.i686
    ImageMagick-perl-6.9.10.68-3.22.amzn1.i686
    ImageMagick-doc-6.9.10.68-3.22.amzn1.i686
    ImageMagick-devel-6.9.10.68-3.22.amzn1.i686

src:
    ImageMagick-6.9.10.68-3.22.amzn1.src

x86_64:
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-perl-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-c++-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-doc-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-devel-6.9.10.68-3.22.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

ImageMagick: before 6.9.10.68-3.22

CPE2.3 External links

http://alas.aws.amazon.com/ALAS-2024-1926.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

21) Memory leak

EUVDB-ID: #VU33480

Risk: Medium

CVSSv3.1: 5.7 [AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-14436

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to memory leak within ReadMIFFImage in coders/miff.c. A remote attacker can perform a denial of service attack.

Mitigation

Update the affected packages:

i686:
    ImageMagick-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-6.9.10.68-3.22.amzn1.i686
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.i686
    ImageMagick-perl-6.9.10.68-3.22.amzn1.i686
    ImageMagick-doc-6.9.10.68-3.22.amzn1.i686
    ImageMagick-devel-6.9.10.68-3.22.amzn1.i686

src:
    ImageMagick-6.9.10.68-3.22.amzn1.src

x86_64:
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-perl-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-c++-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-doc-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-devel-6.9.10.68-3.22.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

ImageMagick: before 6.9.10.68-3.22

CPE2.3 External links

http://alas.aws.amazon.com/ALAS-2024-1926.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

22) Memory leak

EUVDB-ID: #VU33481

Risk: Medium

CVSSv3.1: 5.7 [AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-14437

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to memory leak within parse8BIM in coders/meta.c. A remote attacker can perform a denial of service attack.

Mitigation

Update the affected packages:

i686:
    ImageMagick-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-6.9.10.68-3.22.amzn1.i686
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.i686
    ImageMagick-perl-6.9.10.68-3.22.amzn1.i686
    ImageMagick-doc-6.9.10.68-3.22.amzn1.i686
    ImageMagick-devel-6.9.10.68-3.22.amzn1.i686

src:
    ImageMagick-6.9.10.68-3.22.amzn1.src

x86_64:
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-perl-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-c++-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-doc-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-devel-6.9.10.68-3.22.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

ImageMagick: before 6.9.10.68-3.22

CPE2.3 External links

http://alas.aws.amazon.com/ALAS-2024-1926.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

23) Resource exhaustion

EUVDB-ID: #VU33483

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-15607

CWE-ID: CWE-400 - Resource exhaustion

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

In ImageMagick 7.0.8-11 Q16, a tiny input file 0x50 0x36 0x36 0x36 0x36 0x4c 0x36 0x38 0x36 0x36 0x36 0x36 0x36 0x36 0x1f 0x35 0x50 0x00 can result in a hang of several minutes during which CPU and memory resources are consumed until ultimately an attempted large memory allocation fails. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted file.

Mitigation

Update the affected packages:

i686:
    ImageMagick-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-6.9.10.68-3.22.amzn1.i686
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.i686
    ImageMagick-perl-6.9.10.68-3.22.amzn1.i686
    ImageMagick-doc-6.9.10.68-3.22.amzn1.i686
    ImageMagick-devel-6.9.10.68-3.22.amzn1.i686

src:
    ImageMagick-6.9.10.68-3.22.amzn1.src

x86_64:
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-perl-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-c++-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-doc-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-devel-6.9.10.68-3.22.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

ImageMagick: before 6.9.10.68-3.22

CPE2.3 External links

http://alas.aws.amazon.com/ALAS-2024-1926.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

24) Null pointer dereference

EUVDB-ID: #VU14609

Risk: Low

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-16328

CWE-ID: CWE-476 - NULL Pointer Dereference

Exploit availability: No

Description

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The vulnerability exists in the CheckEventLogging function of ImageMagick due to boundary error when processing malicious input. A remote attacker can trick the victim into accessing an image file that submits malicious input, trigger a NULL pointer dereference condition in the CheckEventLogging function, as defined in the MagickCore/log.c source code file and cause the service to crash.

Mitigation

Update the affected packages:

i686:
    ImageMagick-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-6.9.10.68-3.22.amzn1.i686
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.i686
    ImageMagick-perl-6.9.10.68-3.22.amzn1.i686
    ImageMagick-doc-6.9.10.68-3.22.amzn1.i686
    ImageMagick-devel-6.9.10.68-3.22.amzn1.i686

src:
    ImageMagick-6.9.10.68-3.22.amzn1.src

x86_64:
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-perl-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-c++-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-doc-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-devel-6.9.10.68-3.22.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

ImageMagick: before 6.9.10.68-3.22

CPE2.3 External links

http://alas.aws.amazon.com/ALAS-2024-1926.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

25) Reachable Assertion

EUVDB-ID: #VU14739

Risk: Low

CVSSv3.1: 3.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-16749

CWE-ID: CWE-617 - Reachable Assertion

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a missing NULL check in ReadOneJNGImage() function in coders/png.c. A remote attacker can trigger an assertion failure with a specially crafted image file and crash the vulnerable application.

Mitigation

Update the affected packages:

i686:
    ImageMagick-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-6.9.10.68-3.22.amzn1.i686
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.i686
    ImageMagick-perl-6.9.10.68-3.22.amzn1.i686
    ImageMagick-doc-6.9.10.68-3.22.amzn1.i686
    ImageMagick-devel-6.9.10.68-3.22.amzn1.i686

src:
    ImageMagick-6.9.10.68-3.22.amzn1.src

x86_64:
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-perl-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-c++-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-doc-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-devel-6.9.10.68-3.22.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

ImageMagick: before 6.9.10.68-3.22

CPE2.3 External links

http://alas.aws.amazon.com/ALAS-2024-1926.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

26) Memory leak

EUVDB-ID: #VU14738

Risk: Low

CVSSv3.1: 3.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-16750

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to memory leak within the formatIPTCfromBuffer() function in coders/meta.c. A remote attacker can perform a denial of service attack via a specially crafted image file.

Mitigation

Update the affected packages:

i686:
    ImageMagick-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-6.9.10.68-3.22.amzn1.i686
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.i686
    ImageMagick-perl-6.9.10.68-3.22.amzn1.i686
    ImageMagick-doc-6.9.10.68-3.22.amzn1.i686
    ImageMagick-devel-6.9.10.68-3.22.amzn1.i686

src:
    ImageMagick-6.9.10.68-3.22.amzn1.src

x86_64:
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-perl-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-c++-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-doc-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-devel-6.9.10.68-3.22.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

ImageMagick: before 6.9.10.68-3.22

CPE2.3 External links

http://alas.aws.amazon.com/ALAS-2024-1926.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

27) Memory leak

EUVDB-ID: #VU15461

Risk: Low

CVSSv3.1: 5.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2018-18544

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

Exploit availability: No

Description

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The vulnerability exists due to memory leak in the WriteMSLImage function, as defined in the coders/msl.c source code file. A remote attacker can trick the victim into accessing a file that submits malicious input, trigger memory leak and cause the service to crash.

Mitigation

Update the affected packages:

i686:
    ImageMagick-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-6.9.10.68-3.22.amzn1.i686
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.i686
    ImageMagick-perl-6.9.10.68-3.22.amzn1.i686
    ImageMagick-doc-6.9.10.68-3.22.amzn1.i686
    ImageMagick-devel-6.9.10.68-3.22.amzn1.i686

src:
    ImageMagick-6.9.10.68-3.22.amzn1.src

x86_64:
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-perl-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-c++-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-doc-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-devel-6.9.10.68-3.22.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

ImageMagick: before 6.9.10.68-3.22

CPE2.3 External links

http://alas.aws.amazon.com/ALAS-2024-1926.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

28) Infinite loop

EUVDB-ID: #VU16711

Risk: Low

CVSSv3.1: 3.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C]

CVE-ID: CVE-2018-20467

CWE-ID: CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to infinite loop in coders/bmp.c. A remote attacker can trick the victim into opening a specially crafted file, consume all available system resources and cause denial of service conditions.

Mitigation

Update the affected packages:

i686:
    ImageMagick-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-6.9.10.68-3.22.amzn1.i686
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.i686
    ImageMagick-perl-6.9.10.68-3.22.amzn1.i686
    ImageMagick-doc-6.9.10.68-3.22.amzn1.i686
    ImageMagick-devel-6.9.10.68-3.22.amzn1.i686

src:
    ImageMagick-6.9.10.68-3.22.amzn1.src

x86_64:
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-perl-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-c++-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-doc-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-devel-6.9.10.68-3.22.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

ImageMagick: before 6.9.10.68-3.22

CPE2.3 External links

http://alas.aws.amazon.com/ALAS-2024-1926.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

29) Double free error

EUVDB-ID: #VU11817

Risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-8804

CWE-ID: CWE-415 - Double Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The weakness exists in WriteEPTImage in coders/ept.c due to double free error. A remote attacker can trick the victim into opening a specially crafted file and cause the service to crash.

Mitigation

Update the affected packages:

i686:
    ImageMagick-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-6.9.10.68-3.22.amzn1.i686
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.i686
    ImageMagick-perl-6.9.10.68-3.22.amzn1.i686
    ImageMagick-doc-6.9.10.68-3.22.amzn1.i686
    ImageMagick-devel-6.9.10.68-3.22.amzn1.i686

src:
    ImageMagick-6.9.10.68-3.22.amzn1.src

x86_64:
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-perl-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-c++-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-doc-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-devel-6.9.10.68-3.22.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

ImageMagick: before 6.9.10.68-3.22

CPE2.3 External links

http://alas.aws.amazon.com/ALAS-2024-1926.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

30) Resource management error

EUVDB-ID: #VU13583

Risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-9133

CWE-ID: CWE-399 - Resource Management Errors

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due resource management error in the DecodeLabImage and EncodeLabImage functions in coders/tiff.c file. A remote attacker can perform a denial of service attack via a crafted tiff file.

Mitigation

Update the affected packages:

i686:
    ImageMagick-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-6.9.10.68-3.22.amzn1.i686
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.i686
    ImageMagick-perl-6.9.10.68-3.22.amzn1.i686
    ImageMagick-doc-6.9.10.68-3.22.amzn1.i686
    ImageMagick-devel-6.9.10.68-3.22.amzn1.i686

src:
    ImageMagick-6.9.10.68-3.22.amzn1.src

x86_64:
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-perl-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-c++-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-doc-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-devel-6.9.10.68-3.22.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

ImageMagick: before 6.9.10.68-3.22

CPE2.3 External links

http://alas.aws.amazon.com/ALAS-2024-1926.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

31) Off-by-one

EUVDB-ID: #VU18573

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-10131

CWE-ID: CWE-193 - Off-by-one Error

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform denial of service attack.

The vulnerability exists due to an off-by-one read error in the formatIPTCfromBuffer function in coders/meta.c. A remote attacker can pass specially crafted image file the to affected application, trigger an off-by-one read error and perform denial of service attack.

Mitigation

Update the affected packages:

i686:
    ImageMagick-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-6.9.10.68-3.22.amzn1.i686
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.i686
    ImageMagick-perl-6.9.10.68-3.22.amzn1.i686
    ImageMagick-doc-6.9.10.68-3.22.amzn1.i686
    ImageMagick-devel-6.9.10.68-3.22.amzn1.i686

src:
    ImageMagick-6.9.10.68-3.22.amzn1.src

x86_64:
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-perl-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-c++-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-doc-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-devel-6.9.10.68-3.22.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

ImageMagick: before 6.9.10.68-3.22

CPE2.3 External links

http://alas.aws.amazon.com/ALAS-2024-1926.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

32) Out-of-bounds read

EUVDB-ID: #VU18389

Risk: Low

CVSSv3.1: 3.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-10650

CWE-ID: CWE-125 - Out-of-bounds read

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to heap-based buffer over-read in the WriteTIFFImage() function in coders/tiff.c, which allows an attacker to cause a denial of service or information disclosure via a crafted image file. A remote attacker can perform a denial of service attack.

Mitigation

Update the affected packages:

i686:
    ImageMagick-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-6.9.10.68-3.22.amzn1.i686
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.i686
    ImageMagick-perl-6.9.10.68-3.22.amzn1.i686
    ImageMagick-doc-6.9.10.68-3.22.amzn1.i686
    ImageMagick-devel-6.9.10.68-3.22.amzn1.i686

src:
    ImageMagick-6.9.10.68-3.22.amzn1.src

x86_64:
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-perl-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-c++-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-doc-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-devel-6.9.10.68-3.22.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

ImageMagick: before 6.9.10.68-3.22

CPE2.3 External links

http://alas.aws.amazon.com/ALAS-2024-1926.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

33) Resource exhaustion

EUVDB-ID: #VU19020

Risk: Medium

CVSSv3.1: 5.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2019-11470

CWE-ID: CWE-400 - Resource exhaustion

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a lack of checks for insufficient image data in a file in the "ReadCINImage()" function, as defined in the "coders/cin.c" file. A remote attacker can send a specially crafted Cineon image with an incorrect claimed image size, trick a user into opening it, trigger resource exhaustion and perform a denial of service (DoS) attack.

Mitigation

Update the affected packages:

i686:
    ImageMagick-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-6.9.10.68-3.22.amzn1.i686
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.i686
    ImageMagick-perl-6.9.10.68-3.22.amzn1.i686
    ImageMagick-doc-6.9.10.68-3.22.amzn1.i686
    ImageMagick-devel-6.9.10.68-3.22.amzn1.i686

src:
    ImageMagick-6.9.10.68-3.22.amzn1.src

x86_64:
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-perl-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-c++-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-doc-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-devel-6.9.10.68-3.22.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

ImageMagick: before 6.9.10.68-3.22

CPE2.3 External links

http://alas.aws.amazon.com/ALAS-2024-1926.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

34) Division by zero

EUVDB-ID: #VU32024

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-11472

CWE-ID: CWE-369 - Divide By Zero

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

ReadXWDImage in coders/xwd.c in the XWD image parsing component of ImageMagick 7.0.8-41 Q16 allows attackers to cause a denial-of-service (divide-by-zero error) by crafting an XWD image file in which the header indicates neither LSB first nor MSB first.

Mitigation

Update the affected packages:

i686:
    ImageMagick-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-6.9.10.68-3.22.amzn1.i686
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.i686
    ImageMagick-perl-6.9.10.68-3.22.amzn1.i686
    ImageMagick-doc-6.9.10.68-3.22.amzn1.i686
    ImageMagick-devel-6.9.10.68-3.22.amzn1.i686

src:
    ImageMagick-6.9.10.68-3.22.amzn1.src

x86_64:
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-perl-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-c++-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-doc-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-devel-6.9.10.68-3.22.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

ImageMagick: before 6.9.10.68-3.22

CPE2.3 External links

http://alas.aws.amazon.com/ALAS-2024-1926.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

35) Out-of-bounds read

EUVDB-ID: #VU32023

Risk: High

CVSSv3.1: 7.1 [AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-11597

CWE-ID: CWE-125 - Out-of-bounds read

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to heap-based buffer over-read in the function WriteTIFFImage of coders/tiff.c, which allows an attacker to cause a denial of service or possibly information disclosure via a crafted image file. A remote attacker can perform a denial of service attack.

Mitigation

Update the affected packages:

i686:
    ImageMagick-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-6.9.10.68-3.22.amzn1.i686
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.i686
    ImageMagick-perl-6.9.10.68-3.22.amzn1.i686
    ImageMagick-doc-6.9.10.68-3.22.amzn1.i686
    ImageMagick-devel-6.9.10.68-3.22.amzn1.i686

src:
    ImageMagick-6.9.10.68-3.22.amzn1.src

x86_64:
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-perl-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-c++-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-doc-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-devel-6.9.10.68-3.22.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

ImageMagick: before 6.9.10.68-3.22

CPE2.3 External links

http://alas.aws.amazon.com/ALAS-2024-1926.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

36) Out-of-bounds read

EUVDB-ID: #VU19019

Risk: Medium

CVSSv3.1: 4.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L/E:P/RL:O/RC:C]

CVE-ID: CVE-2019-11598

CWE-ID: CWE-125 - Out-of-bounds read

Exploit availability: No

Description

The vulnerability allows a remote attacker to access sensitive information or cause a denial of service (DoS) condition.

The vulnerability exists due to a boundary condition in the "WritePNMImage()" function in the "coders/pnm.c" file. A remote attacker can send a specially crafted image file (related to SetGrayscaleImage in MagickCore/quantize.c.), trick the victim into opening it, trigger out-of-bounds read error, get access to sensitive information or cause a DoS condition on the targeted system.

Mitigation

Update the affected packages:

i686:
    ImageMagick-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-6.9.10.68-3.22.amzn1.i686
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.i686
    ImageMagick-perl-6.9.10.68-3.22.amzn1.i686
    ImageMagick-doc-6.9.10.68-3.22.amzn1.i686
    ImageMagick-devel-6.9.10.68-3.22.amzn1.i686

src:
    ImageMagick-6.9.10.68-3.22.amzn1.src

x86_64:
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-perl-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-c++-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-doc-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-devel-6.9.10.68-3.22.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

ImageMagick: before 6.9.10.68-3.22

CPE2.3 External links

http://alas.aws.amazon.com/ALAS-2024-1926.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

37) NULL pointer dereference

EUVDB-ID: #VU35780

Risk: Medium

CVSSv3.1: 4.8 [CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-12974

CWE-ID: CWE-476 - NULL Pointer Dereference

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error. A remote attacker can trigger denial of service conditions via a crafted image.

Mitigation

Update the affected packages:

i686:
    ImageMagick-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-6.9.10.68-3.22.amzn1.i686
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.i686
    ImageMagick-perl-6.9.10.68-3.22.amzn1.i686
    ImageMagick-doc-6.9.10.68-3.22.amzn1.i686
    ImageMagick-devel-6.9.10.68-3.22.amzn1.i686

src:
    ImageMagick-6.9.10.68-3.22.amzn1.src

x86_64:
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-perl-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-c++-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-doc-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-devel-6.9.10.68-3.22.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

ImageMagick: before 6.9.10.68-3.22

CPE2.3 External links

http://alas.aws.amazon.com/ALAS-2024-1926.html


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

38) Resource management error

EUVDB-ID: #VU35781

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-12975

CWE-ID: CWE-399 - Resource Management Errors

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

ImageMagick 7.0.8-34 has a memory leak vulnerability in the WriteDPXImage function in coders/dpx.c.

Mitigation

Update the affected packages:

i686:
    ImageMagick-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-6.9.10.68-3.22.amzn1.i686
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.i686
    ImageMagick-perl-6.9.10.68-3.22.amzn1.i686
    ImageMagick-doc-6.9.10.68-3.22.amzn1.i686
    ImageMagick-devel-6.9.10.68-3.22.amzn1.i686

src:
    ImageMagick-6.9.10.68-3.22.amzn1.src

x86_64:
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-perl-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-c++-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-doc-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-devel-6.9.10.68-3.22.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

ImageMagick: before 6.9.10.68-3.22

CPE2.3 External links

http://alas.aws.amazon.com/ALAS-2024-1926.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

39) Memory leak

EUVDB-ID: #VU35782

Risk: Medium

CVSSv3.1: 4.8 [CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-12976

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to memory leak within the ReadPCLImage function in coders/pcl.c. A remote attacker can perform a denial of service attack.

Mitigation

Update the affected packages:

i686:
    ImageMagick-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-6.9.10.68-3.22.amzn1.i686
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.i686
    ImageMagick-perl-6.9.10.68-3.22.amzn1.i686
    ImageMagick-doc-6.9.10.68-3.22.amzn1.i686
    ImageMagick-devel-6.9.10.68-3.22.amzn1.i686

src:
    ImageMagick-6.9.10.68-3.22.amzn1.src

x86_64:
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-perl-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-c++-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-doc-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-devel-6.9.10.68-3.22.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

ImageMagick: before 6.9.10.68-3.22

CPE2.3 External links

http://alas.aws.amazon.com/ALAS-2024-1926.html


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

40) Improper Initialization

EUVDB-ID: #VU35784

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-12978

CWE-ID: CWE-665 - Improper Initialization

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

ImageMagick 7.0.8-34 has a "use of uninitialized value" vulnerability in the ReadPANGOImage function in coders/pango.c.

Mitigation

Update the affected packages:

i686:
    ImageMagick-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-6.9.10.68-3.22.amzn1.i686
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.i686
    ImageMagick-perl-6.9.10.68-3.22.amzn1.i686
    ImageMagick-doc-6.9.10.68-3.22.amzn1.i686
    ImageMagick-devel-6.9.10.68-3.22.amzn1.i686

src:
    ImageMagick-6.9.10.68-3.22.amzn1.src

x86_64:
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-perl-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-c++-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-doc-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-devel-6.9.10.68-3.22.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

ImageMagick: before 6.9.10.68-3.22

CPE2.3 External links

http://alas.aws.amazon.com/ALAS-2024-1926.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

41) Improper Initialization

EUVDB-ID: #VU35785

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-12979

CWE-ID: CWE-665 - Improper Initialization

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

ImageMagick 7.0.8-34 has a "use of uninitialized value" vulnerability in the SyncImageSettings function in MagickCore/image.c. This is related to AcquireImage in magick/image.c.

Mitigation

Update the affected packages:

i686:
    ImageMagick-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-6.9.10.68-3.22.amzn1.i686
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.i686
    ImageMagick-perl-6.9.10.68-3.22.amzn1.i686
    ImageMagick-doc-6.9.10.68-3.22.amzn1.i686
    ImageMagick-devel-6.9.10.68-3.22.amzn1.i686

src:
    ImageMagick-6.9.10.68-3.22.amzn1.src

x86_64:
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-perl-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-c++-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-doc-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-devel-6.9.10.68-3.22.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

ImageMagick: before 6.9.10.68-3.22

CPE2.3 External links

http://alas.aws.amazon.com/ALAS-2024-1926.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

42) Resource management error

EUVDB-ID: #VU21068

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-13133

CWE-ID: CWE-399 - Resource Management Errors

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a memory leak in the "ReadBMPImage" function in the "coders/bmp.c" file. A remote attacker can perform a denial of service attack.

Mitigation

Update the affected packages:

i686:
    ImageMagick-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-6.9.10.68-3.22.amzn1.i686
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.i686
    ImageMagick-perl-6.9.10.68-3.22.amzn1.i686
    ImageMagick-doc-6.9.10.68-3.22.amzn1.i686
    ImageMagick-devel-6.9.10.68-3.22.amzn1.i686

src:
    ImageMagick-6.9.10.68-3.22.amzn1.src

x86_64:
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-perl-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-c++-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-doc-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-devel-6.9.10.68-3.22.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

ImageMagick: before 6.9.10.68-3.22

CPE2.3 External links

http://alas.aws.amazon.com/ALAS-2024-1926.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

43) Resource management error

EUVDB-ID: #VU21094

Risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-13134

CWE-ID: CWE-399 - Resource Management Errors

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a memory leak in the "ReadVIFFImage" function in the "coders/viff.c" file. A remote attacker can cause a denial of service condition on the target system.

Mitigation

Update the affected packages:

i686:
    ImageMagick-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-6.9.10.68-3.22.amzn1.i686
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.i686
    ImageMagick-perl-6.9.10.68-3.22.amzn1.i686
    ImageMagick-doc-6.9.10.68-3.22.amzn1.i686
    ImageMagick-devel-6.9.10.68-3.22.amzn1.i686

src:
    ImageMagick-6.9.10.68-3.22.amzn1.src

x86_64:
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-perl-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-c++-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-doc-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-devel-6.9.10.68-3.22.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

ImageMagick: before 6.9.10.68-3.22

CPE2.3 External links

http://alas.aws.amazon.com/ALAS-2024-1926.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

44) Input validation error

EUVDB-ID: #VU21095

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-13135

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to use of uninitialized value in the "ReadCUTImage" function in the "coders/cut.c" file. A remote attacker can execute arbitrary command on the target system.

Mitigation

Update the affected packages:

i686:
    ImageMagick-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-6.9.10.68-3.22.amzn1.i686
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.i686
    ImageMagick-perl-6.9.10.68-3.22.amzn1.i686
    ImageMagick-doc-6.9.10.68-3.22.amzn1.i686
    ImageMagick-devel-6.9.10.68-3.22.amzn1.i686

src:
    ImageMagick-6.9.10.68-3.22.amzn1.src

x86_64:
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-perl-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-c++-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-doc-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-devel-6.9.10.68-3.22.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

ImageMagick: before 6.9.10.68-3.22

CPE2.3 External links

http://alas.aws.amazon.com/ALAS-2024-1926.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

45) Out-of-bounds read

EUVDB-ID: #VU21063

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-13295

CWE-ID: CWE-125 - Out-of-bounds read

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to heap-based buffer over-read error in "AdaptiveThresholdImage" in the "MagickCore/threshold.c" file because a width of zero is mishandled. A remote attacker can trick the victim to open a specially crafted file, trigger out-of-bounds read error and crash the application.


Mitigation

Update the affected packages:

i686:
    ImageMagick-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-6.9.10.68-3.22.amzn1.i686
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.i686
    ImageMagick-perl-6.9.10.68-3.22.amzn1.i686
    ImageMagick-doc-6.9.10.68-3.22.amzn1.i686
    ImageMagick-devel-6.9.10.68-3.22.amzn1.i686

src:
    ImageMagick-6.9.10.68-3.22.amzn1.src

x86_64:
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-perl-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-c++-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-doc-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-devel-6.9.10.68-3.22.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

ImageMagick: before 6.9.10.68-3.22

CPE2.3 External links

http://alas.aws.amazon.com/ALAS-2024-1926.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

46) Out-of-bounds read

EUVDB-ID: #VU21070

Risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-13297

CWE-ID: CWE-125 - Out-of-bounds read

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to heap-based buffer over-read in AdaptiveThresholdImage in the "MagickCore/threshold.c" file because a height of zero is mishandled. A remote attacker can perform a denial of service attack.

Mitigation

Update the affected packages:

i686:
    ImageMagick-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-6.9.10.68-3.22.amzn1.i686
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.i686
    ImageMagick-perl-6.9.10.68-3.22.amzn1.i686
    ImageMagick-doc-6.9.10.68-3.22.amzn1.i686
    ImageMagick-devel-6.9.10.68-3.22.amzn1.i686

src:
    ImageMagick-6.9.10.68-3.22.amzn1.src

x86_64:
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-perl-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-c++-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-doc-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-devel-6.9.10.68-3.22.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

ImageMagick: before 6.9.10.68-3.22

CPE2.3 External links

http://alas.aws.amazon.com/ALAS-2024-1926.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

47) Heap-based buffer overflow

EUVDB-ID: #VU21073

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-13300

CWE-ID: CWE-122 - Heap-based Buffer Overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error within the EvaluateImages in the "MagickCore/statistic.c" file because of mishandling columns. A remote attacker can create a specially crafted file, trick the victim into opening it, trigger heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Update the affected packages:

i686:
    ImageMagick-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-6.9.10.68-3.22.amzn1.i686
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.i686
    ImageMagick-perl-6.9.10.68-3.22.amzn1.i686
    ImageMagick-doc-6.9.10.68-3.22.amzn1.i686
    ImageMagick-devel-6.9.10.68-3.22.amzn1.i686

src:
    ImageMagick-6.9.10.68-3.22.amzn1.src

x86_64:
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-perl-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-c++-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-doc-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-devel-6.9.10.68-3.22.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

ImageMagick: before 6.9.10.68-3.22

CPE2.3 External links

http://alas.aws.amazon.com/ALAS-2024-1926.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

48) Resource management error

EUVDB-ID: #VU21069

Risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-13301

CWE-ID: CWE-399 - Resource Management Errors

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists because of a memory leak in AcquireMagickMemory due to an AnnotateImage error. A remote attacker can perform a denial of service attack.

Mitigation

Update the affected packages:

i686:
    ImageMagick-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-6.9.10.68-3.22.amzn1.i686
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.i686
    ImageMagick-perl-6.9.10.68-3.22.amzn1.i686
    ImageMagick-doc-6.9.10.68-3.22.amzn1.i686
    ImageMagick-devel-6.9.10.68-3.22.amzn1.i686

src:
    ImageMagick-6.9.10.68-3.22.amzn1.src

x86_64:
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-perl-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-c++-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-doc-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-devel-6.9.10.68-3.22.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

ImageMagick: before 6.9.10.68-3.22

CPE2.3 External links

http://alas.aws.amazon.com/ALAS-2024-1926.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

49) Stack-based buffer overflow

EUVDB-ID: #VU21076

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-13304

CWE-ID: CWE-121 - Stack-based buffer overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in WritePNMImage in the "coders/pnm.c" file because of a misplaced assignment. A remote attacker can trigger stack-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Update the affected packages:

i686:
    ImageMagick-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-6.9.10.68-3.22.amzn1.i686
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.i686
    ImageMagick-perl-6.9.10.68-3.22.amzn1.i686
    ImageMagick-doc-6.9.10.68-3.22.amzn1.i686
    ImageMagick-devel-6.9.10.68-3.22.amzn1.i686

src:
    ImageMagick-6.9.10.68-3.22.amzn1.src

x86_64:
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-perl-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-c++-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-doc-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-devel-6.9.10.68-3.22.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

ImageMagick: before 6.9.10.68-3.22

CPE2.3 External links

http://alas.aws.amazon.com/ALAS-2024-1926.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

50) Stack-based buffer overflow

EUVDB-ID: #VU21077

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-13305

CWE-ID: CWE-121 - Stack-based buffer overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in WritePNMImage in the coders/pnm.c file because of a misplaced "strncpy" and "an off-by-one" error. A remote attacker can trigger stack-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Update the affected packages:

i686:
    ImageMagick-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-6.9.10.68-3.22.amzn1.i686
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.i686
    ImageMagick-perl-6.9.10.68-3.22.amzn1.i686
    ImageMagick-doc-6.9.10.68-3.22.amzn1.i686
    ImageMagick-devel-6.9.10.68-3.22.amzn1.i686

src:
    ImageMagick-6.9.10.68-3.22.amzn1.src

x86_64:
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-perl-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-c++-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-doc-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-devel-6.9.10.68-3.22.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

ImageMagick: before 6.9.10.68-3.22

CPE2.3 External links

http://alas.aws.amazon.com/ALAS-2024-1926.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

51) Stack-based buffer overflow

EUVDB-ID: #VU21078

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-13306

CWE-ID: CWE-121 - Stack-based buffer overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in WritePNMImage in the "coders/pnm.c" file because of "off-by-one" errors. A remote attacker can trigger stack-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Update the affected packages:

i686:
    ImageMagick-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-6.9.10.68-3.22.amzn1.i686
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.i686
    ImageMagick-perl-6.9.10.68-3.22.amzn1.i686
    ImageMagick-doc-6.9.10.68-3.22.amzn1.i686
    ImageMagick-devel-6.9.10.68-3.22.amzn1.i686

src:
    ImageMagick-6.9.10.68-3.22.amzn1.src

x86_64:
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-perl-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-c++-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-doc-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-devel-6.9.10.68-3.22.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

ImageMagick: before 6.9.10.68-3.22

CPE2.3 External links

http://alas.aws.amazon.com/ALAS-2024-1926.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

52) Heap-based buffer overflow

EUVDB-ID: #VU21079

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-13307

CWE-ID: CWE-122 - Heap-based Buffer Overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error within the EvaluateImages in the "MagickCore/statistic.c" file because of mishandling rows. A remote attacker can create a specially crafted file, trick the victim into opening it, trigger heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Update the affected packages:

i686:
    ImageMagick-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-6.9.10.68-3.22.amzn1.i686
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.i686
    ImageMagick-perl-6.9.10.68-3.22.amzn1.i686
    ImageMagick-doc-6.9.10.68-3.22.amzn1.i686
    ImageMagick-devel-6.9.10.68-3.22.amzn1.i686

src:
    ImageMagick-6.9.10.68-3.22.amzn1.src

x86_64:
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-perl-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-c++-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-doc-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-devel-6.9.10.68-3.22.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

ImageMagick: before 6.9.10.68-3.22

CPE2.3 External links

http://alas.aws.amazon.com/ALAS-2024-1926.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

53) Resource management error

EUVDB-ID: #VU21066

Risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-13309

CWE-ID: CWE-399 - Resource Management Errors

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists because of a memory leak in AcquireMagickMemory due to mishandling the NoSuchImage error in CLIListOperatorImages in the "MagickWand/operation.c" file. A remote attacker can perform a denial of service attack.

Mitigation

Update the affected packages:

i686:
    ImageMagick-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-6.9.10.68-3.22.amzn1.i686
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.i686
    ImageMagick-perl-6.9.10.68-3.22.amzn1.i686
    ImageMagick-doc-6.9.10.68-3.22.amzn1.i686
    ImageMagick-devel-6.9.10.68-3.22.amzn1.i686

src:
    ImageMagick-6.9.10.68-3.22.amzn1.src

x86_64:
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-perl-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-c++-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-doc-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-devel-6.9.10.68-3.22.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

ImageMagick: before 6.9.10.68-3.22

CPE2.3 External links

http://alas.aws.amazon.com/ALAS-2024-1926.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

54) Resource management error

EUVDB-ID: #VU21067

Risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-13310

CWE-ID: CWE-399 - Resource Management Errors

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists because of a memory leak in AcquireMagickMemory due to an error in "MagickWand/mogrify.c" file. A remote attacker can perform a denial of service attack.

Mitigation

Update the affected packages:

i686:
    ImageMagick-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-6.9.10.68-3.22.amzn1.i686
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.i686
    ImageMagick-perl-6.9.10.68-3.22.amzn1.i686
    ImageMagick-doc-6.9.10.68-3.22.amzn1.i686
    ImageMagick-devel-6.9.10.68-3.22.amzn1.i686

src:
    ImageMagick-6.9.10.68-3.22.amzn1.src

x86_64:
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-perl-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-c++-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-doc-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-devel-6.9.10.68-3.22.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

ImageMagick: before 6.9.10.68-3.22

CPE2.3 External links

http://alas.aws.amazon.com/ALAS-2024-1926.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

55) Resource management error

EUVDB-ID: #VU21065

Risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-13311

CWE-ID: CWE-399 - Resource Management Errors

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a memory leak in AcquireMagickMemory due to an error in the "wand/mogrify.c" file. A remote attacker can perform a denial of service attack on the target system.

Mitigation

Update the affected packages:

i686:
    ImageMagick-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-6.9.10.68-3.22.amzn1.i686
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.i686
    ImageMagick-perl-6.9.10.68-3.22.amzn1.i686
    ImageMagick-doc-6.9.10.68-3.22.amzn1.i686
    ImageMagick-devel-6.9.10.68-3.22.amzn1.i686

src:
    ImageMagick-6.9.10.68-3.22.amzn1.src

x86_64:
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-perl-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-c++-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-doc-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-devel-6.9.10.68-3.22.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

ImageMagick: before 6.9.10.68-3.22

CPE2.3 External links

http://alas.aws.amazon.com/ALAS-2024-1926.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

56) Division by zero

EUVDB-ID: #VU19185

Risk: Medium

CVSSv3.1: 5.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2019-13454

CWE-ID: CWE-369 - Divide By Zero

Exploit availability: No

Description

The vulnerability allows a remote attacker to cause a denial of service (DoS) condition on a system.

The vulnerability exists due to a divide-by-zero condition in the "RemoveDuplicateLayers" function, as defined in the "MagickCore/layer.c" file. A remote attacker can make calls on the targeted system and cause a DoS condition.

Mitigation

Update the affected packages:

i686:
    ImageMagick-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-6.9.10.68-3.22.amzn1.i686
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.i686
    ImageMagick-perl-6.9.10.68-3.22.amzn1.i686
    ImageMagick-doc-6.9.10.68-3.22.amzn1.i686
    ImageMagick-devel-6.9.10.68-3.22.amzn1.i686

src:
    ImageMagick-6.9.10.68-3.22.amzn1.src

x86_64:
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-perl-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-c++-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-doc-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-devel-6.9.10.68-3.22.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

ImageMagick: before 6.9.10.68-3.22

CPE2.3 External links

http://alas.aws.amazon.com/ALAS-2024-1926.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

57) Use-after-free

EUVDB-ID: #VU20300

Risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-14980

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a use-after-free error within the UnmapBlob() function when images. A remote attacker can create a specially crafted image file, pass it to the affected application and perform denial of service attack.

Mitigation

Update the affected packages:

i686:
    ImageMagick-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-6.9.10.68-3.22.amzn1.i686
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.i686
    ImageMagick-perl-6.9.10.68-3.22.amzn1.i686
    ImageMagick-doc-6.9.10.68-3.22.amzn1.i686
    ImageMagick-devel-6.9.10.68-3.22.amzn1.i686

src:
    ImageMagick-6.9.10.68-3.22.amzn1.src

x86_64:
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-perl-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-c++-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-doc-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-devel-6.9.10.68-3.22.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

ImageMagick: before 6.9.10.68-3.22

CPE2.3 External links

http://alas.aws.amazon.com/ALAS-2024-1926.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

58) Division by zero

EUVDB-ID: #VU20299

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-14981

CWE-ID: CWE-369 - Divide By Zero

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform denial of service attack.

The vulnerability exists due to division by zero error when processing untrusted input in the MeanShiftImage function. It allows an attacker to cause a denial of service by sending a crafted file. A remote attacker can perform denial of service attack.

Mitigation

Update the affected packages:

i686:
    ImageMagick-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-6.9.10.68-3.22.amzn1.i686
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.i686
    ImageMagick-perl-6.9.10.68-3.22.amzn1.i686
    ImageMagick-doc-6.9.10.68-3.22.amzn1.i686
    ImageMagick-devel-6.9.10.68-3.22.amzn1.i686

src:
    ImageMagick-6.9.10.68-3.22.amzn1.src

x86_64:
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-perl-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-c++-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-doc-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-devel-6.9.10.68-3.22.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

ImageMagick: before 6.9.10.68-3.22

CPE2.3 External links

http://alas.aws.amazon.com/ALAS-2024-1926.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

59) Out-of-bounds read

EUVDB-ID: #VU21061

Risk: Medium

CVSSv3.1: 5.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2019-15139

CWE-ID: CWE-125 - Out-of-bounds read

Exploit availability: No

Description

The vulnerability allows a remote attacker to cause a denial of service (DoS) condition on the target system.

The vulnerability exists in "ReadXWDImage" in the "coders/xwd.c" file due to a boundary condition when reading on XWD files. A remote attacker can create a specially crafted XWD image file, trick the victim into opening it, trigger out-of-bounds read error and crash the application.

Mitigation

Update the affected packages:

i686:
    ImageMagick-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-6.9.10.68-3.22.amzn1.i686
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.i686
    ImageMagick-perl-6.9.10.68-3.22.amzn1.i686
    ImageMagick-doc-6.9.10.68-3.22.amzn1.i686
    ImageMagick-devel-6.9.10.68-3.22.amzn1.i686

src:
    ImageMagick-6.9.10.68-3.22.amzn1.src

x86_64:
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-perl-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-c++-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-doc-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-devel-6.9.10.68-3.22.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

ImageMagick: before 6.9.10.68-3.22

CPE2.3 External links

http://alas.aws.amazon.com/ALAS-2024-1926.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

60) Use-after-free

EUVDB-ID: #VU21055

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-15140

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system

The vulnerability exists in "ReadImage" in the "MagickCore/constitute.c" file due to a use-after-free error when the affected software does improper memory operations. A remote attacker can trick a victim to open a specially crafted file and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.


Mitigation

Update the affected packages:

i686:
    ImageMagick-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-6.9.10.68-3.22.amzn1.i686
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.i686
    ImageMagick-perl-6.9.10.68-3.22.amzn1.i686
    ImageMagick-doc-6.9.10.68-3.22.amzn1.i686
    ImageMagick-devel-6.9.10.68-3.22.amzn1.i686

src:
    ImageMagick-6.9.10.68-3.22.amzn1.src

x86_64:
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-perl-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-c++-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-doc-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-devel-6.9.10.68-3.22.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

ImageMagick: before 6.9.10.68-3.22

CPE2.3 External links

http://alas.aws.amazon.com/ALAS-2024-1926.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

61) Out-of-bounds read

EUVDB-ID: #VU21062

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-15141

CWE-ID: CWE-125 - Out-of-bounds read

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary condition in "WriteTIFFImage" within coders/tiff.c" file. A remote attacker can create a specially crafted TIFF image file, related to TIFFRewriteDirectory, TIFFWriteDirectory, TIFFWriteDirectorySec, and TIFFWriteDirectoryTagColormap in "tif_dirwrite.c" of LibTIFF, trick the victim into opening it, trigger out-of-bounds read error and crash the application.

Mitigation

Update the affected packages:

i686:
    ImageMagick-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-6.9.10.68-3.22.amzn1.i686
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.i686
    ImageMagick-perl-6.9.10.68-3.22.amzn1.i686
    ImageMagick-doc-6.9.10.68-3.22.amzn1.i686
    ImageMagick-devel-6.9.10.68-3.22.amzn1.i686

src:
    ImageMagick-6.9.10.68-3.22.amzn1.src

x86_64:
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-perl-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-c++-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-doc-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-devel-6.9.10.68-3.22.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

ImageMagick: before 6.9.10.68-3.22

CPE2.3 External links

http://alas.aws.amazon.com/ALAS-2024-1926.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

62) Memory leak

EUVDB-ID: #VU31999

Risk: Medium

CVSSv3.1: 5.7 [AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-16708

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to memory leak within magick/xwindow.c, related to XCreateImage. A remote attacker can perform a denial of service attack.

Mitigation

Update the affected packages:

i686:
    ImageMagick-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-6.9.10.68-3.22.amzn1.i686
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.i686
    ImageMagick-perl-6.9.10.68-3.22.amzn1.i686
    ImageMagick-doc-6.9.10.68-3.22.amzn1.i686
    ImageMagick-devel-6.9.10.68-3.22.amzn1.i686

src:
    ImageMagick-6.9.10.68-3.22.amzn1.src

x86_64:
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-perl-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-c++-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-doc-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-devel-6.9.10.68-3.22.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

ImageMagick: before 6.9.10.68-3.22

CPE2.3 External links

http://alas.aws.amazon.com/ALAS-2024-1926.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

63) Memory leak

EUVDB-ID: #VU31998

Risk: Medium

CVSSv3.1: 5.7 [AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-16709

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to memory leak within coders/dps.c, as demonstrated by XCreateImage. A remote attacker can perform a denial of service attack.

Mitigation

Update the affected packages:

i686:
    ImageMagick-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-6.9.10.68-3.22.amzn1.i686
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.i686
    ImageMagick-perl-6.9.10.68-3.22.amzn1.i686
    ImageMagick-doc-6.9.10.68-3.22.amzn1.i686
    ImageMagick-devel-6.9.10.68-3.22.amzn1.i686

src:
    ImageMagick-6.9.10.68-3.22.amzn1.src

x86_64:
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-perl-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-c++-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-doc-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-devel-6.9.10.68-3.22.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

ImageMagick: before 6.9.10.68-3.22

CPE2.3 External links

http://alas.aws.amazon.com/ALAS-2024-1926.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

64) Memory leak

EUVDB-ID: #VU31997

Risk: Medium

CVSSv3.1: 5.7 [AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-16710

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to memory leak within coders/dot.c, as demonstrated by AcquireMagickMemory in MagickCore/memory.c. A remote attacker can perform a denial of service attack.

Mitigation

Update the affected packages:

i686:
    ImageMagick-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-6.9.10.68-3.22.amzn1.i686
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.i686
    ImageMagick-perl-6.9.10.68-3.22.amzn1.i686
    ImageMagick-doc-6.9.10.68-3.22.amzn1.i686
    ImageMagick-devel-6.9.10.68-3.22.amzn1.i686

src:
    ImageMagick-6.9.10.68-3.22.amzn1.src

x86_64:
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-perl-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-c++-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-doc-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-devel-6.9.10.68-3.22.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

ImageMagick: before 6.9.10.68-3.22

CPE2.3 External links

http://alas.aws.amazon.com/ALAS-2024-1926.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

65) Memory leak

EUVDB-ID: #VU31996

Risk: Medium

CVSSv3.1: 5.7 [AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-16711

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to memory leak within Huffman2DEncodeImage in coders/ps2.c. A remote attacker can perform a denial of service attack.

Mitigation

Update the affected packages:

i686:
    ImageMagick-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-6.9.10.68-3.22.amzn1.i686
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.i686
    ImageMagick-perl-6.9.10.68-3.22.amzn1.i686
    ImageMagick-doc-6.9.10.68-3.22.amzn1.i686
    ImageMagick-devel-6.9.10.68-3.22.amzn1.i686

src:
    ImageMagick-6.9.10.68-3.22.amzn1.src

x86_64:
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-perl-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-c++-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-doc-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-devel-6.9.10.68-3.22.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

ImageMagick: before 6.9.10.68-3.22

CPE2.3 External links

http://alas.aws.amazon.com/ALAS-2024-1926.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

66) Memory leak

EUVDB-ID: #VU31995

Risk: Medium

CVSSv3.1: 5.7 [AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-16712

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to memory leak within Huffman2DEncodeImage in coders/ps3.c, as demonstrated by WritePS3Image. A remote attacker can perform a denial of service attack.

Mitigation

Update the affected packages:

i686:
    ImageMagick-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-6.9.10.68-3.22.amzn1.i686
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.i686
    ImageMagick-perl-6.9.10.68-3.22.amzn1.i686
    ImageMagick-doc-6.9.10.68-3.22.amzn1.i686
    ImageMagick-devel-6.9.10.68-3.22.amzn1.i686

src:
    ImageMagick-6.9.10.68-3.22.amzn1.src

x86_64:
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-perl-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-c++-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-doc-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-devel-6.9.10.68-3.22.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

ImageMagick: before 6.9.10.68-3.22

CPE2.3 External links

http://alas.aws.amazon.com/ALAS-2024-1926.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

67) Memory leak

EUVDB-ID: #VU31994

Risk: Medium

CVSSv3.1: 5.7 [AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-16713

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to memory leak within coders/dot.c, as demonstrated by PingImage in MagickCore/constitute.c. A remote attacker can perform a denial of service attack.

Mitigation

Update the affected packages:

i686:
    ImageMagick-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-6.9.10.68-3.22.amzn1.i686
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.i686
    ImageMagick-perl-6.9.10.68-3.22.amzn1.i686
    ImageMagick-doc-6.9.10.68-3.22.amzn1.i686
    ImageMagick-devel-6.9.10.68-3.22.amzn1.i686

src:
    ImageMagick-6.9.10.68-3.22.amzn1.src

x86_64:
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-perl-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-c++-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-doc-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-devel-6.9.10.68-3.22.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

ImageMagick: before 6.9.10.68-3.22

CPE2.3 External links

http://alas.aws.amazon.com/ALAS-2024-1926.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

68) Heap-based buffer overflow

EUVDB-ID: #VU30724

Risk: Medium

CVSSv3.1: 6.1 [CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-17540

CWE-ID: CWE-122 - Heap-based Buffer Overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error within the ReadPSInfo in coders/ps.c. A remote attacker can create a specially crafted file, trick the victim into opening it, trigger heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Update the affected packages:

i686:
    ImageMagick-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-6.9.10.68-3.22.amzn1.i686
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.i686
    ImageMagick-perl-6.9.10.68-3.22.amzn1.i686
    ImageMagick-doc-6.9.10.68-3.22.amzn1.i686
    ImageMagick-devel-6.9.10.68-3.22.amzn1.i686

src:
    ImageMagick-6.9.10.68-3.22.amzn1.src

x86_64:
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-perl-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-c++-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-doc-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-devel-6.9.10.68-3.22.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

ImageMagick: before 6.9.10.68-3.22

CPE2.3 External links

http://alas.aws.amazon.com/ALAS-2024-1926.html


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

69) Use-after-free

EUVDB-ID: #VU30725

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-17541

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

ImageMagick before 7.0.8-55 has a use-after-free in DestroyStringInfo in MagickCore/string.c because the error manager is mishandled in coders/jpeg.c.

Mitigation

Update the affected packages:

i686:
    ImageMagick-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-6.9.10.68-3.22.amzn1.i686
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.i686
    ImageMagick-perl-6.9.10.68-3.22.amzn1.i686
    ImageMagick-doc-6.9.10.68-3.22.amzn1.i686
    ImageMagick-devel-6.9.10.68-3.22.amzn1.i686

src:
    ImageMagick-6.9.10.68-3.22.amzn1.src

x86_64:
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-perl-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-c++-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-doc-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-devel-6.9.10.68-3.22.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

ImageMagick: before 6.9.10.68-3.22

CPE2.3 External links

http://alas.aws.amazon.com/ALAS-2024-1926.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

70) Heap-based buffer overflow

EUVDB-ID: #VU24029

Risk: Medium

CVSSv3.1: 6.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2019-19948

CWE-ID: CWE-122 - Heap-based Buffer Overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due insufficient validation of row and column sizes in the "WriteSGIImage" function of coders/sgi.c. A remote attacker can trigger heap-based buffer overflow and cause a denial of service condition on the target system.

Mitigation

Update the affected packages:

i686:
    ImageMagick-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-6.9.10.68-3.22.amzn1.i686
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.i686
    ImageMagick-perl-6.9.10.68-3.22.amzn1.i686
    ImageMagick-doc-6.9.10.68-3.22.amzn1.i686
    ImageMagick-devel-6.9.10.68-3.22.amzn1.i686

src:
    ImageMagick-6.9.10.68-3.22.amzn1.src

x86_64:
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-perl-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-c++-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-doc-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-devel-6.9.10.68-3.22.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

ImageMagick: before 6.9.10.68-3.22

CPE2.3 External links

http://alas.aws.amazon.com/ALAS-2024-1926.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

71) Out-of-bounds read

EUVDB-ID: #VU24030

Risk: Medium

CVSSv3.1: 6.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2019-19949

CWE-ID: CWE-125 - Out-of-bounds read

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due missing length check prior pointer dereference in the "WritePNGImage" function of coders/png.c, related to Magick_png_write_raw_profile and LocaleNCompare. A remote attacker can cause a denial of service condition on the target system.

Mitigation

Update the affected packages:

i686:
    ImageMagick-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-6.9.10.68-3.22.amzn1.i686
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.i686
    ImageMagick-perl-6.9.10.68-3.22.amzn1.i686
    ImageMagick-doc-6.9.10.68-3.22.amzn1.i686
    ImageMagick-devel-6.9.10.68-3.22.amzn1.i686

src:
    ImageMagick-6.9.10.68-3.22.amzn1.src

x86_64:
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-perl-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-c++-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-doc-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-devel-6.9.10.68-3.22.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

ImageMagick: before 6.9.10.68-3.22

CPE2.3 External links

http://alas.aws.amazon.com/ALAS-2024-1926.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

72) Memory leak

EUVDB-ID: #VU18390

Risk: Low

CVSSv3.1: 2.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-7175

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform DoS attack on the target system.

The vulnerability exists due memory leak in the DecodeImage() function in coders/pcd.c. A remote attacker can create a specially crafted image file and perform denial of service attack.

Mitigation

Update the affected packages:

i686:
    ImageMagick-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-6.9.10.68-3.22.amzn1.i686
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.i686
    ImageMagick-perl-6.9.10.68-3.22.amzn1.i686
    ImageMagick-doc-6.9.10.68-3.22.amzn1.i686
    ImageMagick-devel-6.9.10.68-3.22.amzn1.i686

src:
    ImageMagick-6.9.10.68-3.22.amzn1.src

x86_64:
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-perl-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-c++-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-doc-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-devel-6.9.10.68-3.22.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

ImageMagick: before 6.9.10.68-3.22

CPE2.3 External links

http://alas.aws.amazon.com/ALAS-2024-1926.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

73) Memory leak

EUVDB-ID: #VU17707

Risk: Low

CVSSv3.1: 3.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C]

CVE-ID: CVE-2019-7397

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform DoS attack on the target system.

The vulnerability exists due a memory leak in the WritePDFImage function, as defined in the coders/pdf.c source code file. A remote attacker can trick the victim into accessing a file that submits malicious input and perform denial of service attack.

Mitigation

Update the affected packages:

i686:
    ImageMagick-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-6.9.10.68-3.22.amzn1.i686
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.i686
    ImageMagick-perl-6.9.10.68-3.22.amzn1.i686
    ImageMagick-doc-6.9.10.68-3.22.amzn1.i686
    ImageMagick-devel-6.9.10.68-3.22.amzn1.i686

src:
    ImageMagick-6.9.10.68-3.22.amzn1.src

x86_64:
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-perl-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-c++-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-doc-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-devel-6.9.10.68-3.22.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

ImageMagick: before 6.9.10.68-3.22

CPE2.3 External links

http://alas.aws.amazon.com/ALAS-2024-1926.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

74) Memory leak

EUVDB-ID: #VU17705

Risk: Low

CVSSv3.1: 3.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C]

CVE-ID: CVE-2019-7398

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform DoS attack on the target system.

The vulnerability exists due a memory leak in the WriteDIBImage function, as defined in the coders/dib.c source code file. A remote attacker can trick the victim into accessing a file that submits malicious input and perform denial of service attack.

Mitigation

Update the affected packages:

i686:
    ImageMagick-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-6.9.10.68-3.22.amzn1.i686
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.i686
    ImageMagick-perl-6.9.10.68-3.22.amzn1.i686
    ImageMagick-doc-6.9.10.68-3.22.amzn1.i686
    ImageMagick-devel-6.9.10.68-3.22.amzn1.i686

src:
    ImageMagick-6.9.10.68-3.22.amzn1.src

x86_64:
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-perl-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-c++-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-doc-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-devel-6.9.10.68-3.22.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

ImageMagick: before 6.9.10.68-3.22

CPE2.3 External links

http://alas.aws.amazon.com/ALAS-2024-1926.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

75) Stack-based buffer overflow

EUVDB-ID: #VU18391

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-9956

CWE-ID: CWE-121 - Stack-based buffer overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing a crafted image file in the PopHexPixel() function of coders/ps.c. A remote unauthenticated attacker can trigger stack-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Update the affected packages:

i686:
    ImageMagick-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-6.9.10.68-3.22.amzn1.i686
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.i686
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.i686
    ImageMagick-perl-6.9.10.68-3.22.amzn1.i686
    ImageMagick-doc-6.9.10.68-3.22.amzn1.i686
    ImageMagick-devel-6.9.10.68-3.22.amzn1.i686

src:
    ImageMagick-6.9.10.68-3.22.amzn1.src

x86_64:
    ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-perl-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-c++-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-doc-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.x86_64
    ImageMagick-devel-6.9.10.68-3.22.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

ImageMagick: before 6.9.10.68-3.22

CPE2.3 External links

http://alas.aws.amazon.com/ALAS-2024-1926.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###