#VU38564 Input validation error in ImageMagick - CVE-2017-12667


| Updated: 2020-08-08

Vulnerability identifier: #VU38564

Vulnerability risk: High

CVSSv4.0: 5.7 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2017-12667

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
ImageMagick
Client/Desktop applications / Multimedia software

Vendor: ImageMagick.org

Description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

ImageMagick 7.0.6-1 has a memory leak vulnerability in ReadMATImage in codersmat.c.

Mitigation
Install update from vendor's website.

Vulnerable software versions

ImageMagick: 7.0.6-1

External links
https://github.com/ImageMagick/ImageMagick/commit/8985ed08f01d465ee65ab5a106186b3868b6f601
https://github.com/ImageMagick/ImageMagick/issues/553

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in ImageMagick