Out-of-bounds write in ImageMagick - CVE-2016-8707
Published: December 24, 2016 / Updated: August 9, 2020
Vulnerability identifier: #VU39961
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2016-8707
CWE-ID: CWE-787
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: ImageMagick.org
Affected software:
ImageMagick
ImageMagick
Detailed vulnerability description
The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
An exploitable out of bounds write exists in the handling of compressed TIFF images in ImageMagicks's convert utility. A crafted TIFF document can lead to an out of bounds write which in particular circumstances could be leveraged into remote code execution. The vulnerability can be triggered through any user controlled TIFF that is handled by this functionality.
How to mitigate CVE-2016-8707
Install update from vendor's website.