Vulnerability identifier: #VU19185
Vulnerability risk: Medium
CVSSv3.1: 5.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-369
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
ImageMagick
Client/Desktop applications /
Multimedia software
Vendor: ImageMagick.org
Description
The vulnerability allows a remote attacker to cause a denial of service (DoS) condition on a system.
The vulnerability exists due to a divide-by-zero condition in the "RemoveDuplicateLayers" function, as defined in the "MagickCore/layer.c" file. A remote attacker can make calls on the targeted system and cause a DoS condition.
Mitigation
Install updates from vendor's website.
Vulnerable software versions
ImageMagick: 7.0.8-54
External links
http://github.com/ImageMagick/ImageMagick/commit/1ddcf2e4f28029a888cadef2e757509ef5047ad8
http://github.com/ImageMagick/ImageMagick/issues/1629
http://github.com/ImageMagick/ImageMagick6/commit/4f31d78716ac94c85c244efcea368fea202e2ed4
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.