#VU38565 Input validation error in ImageMagick - CVE-2017-12668


| Updated: 2020-08-08

Vulnerability identifier: #VU38565

Vulnerability risk: High

CVSSv4.0: 5.7 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2017-12668

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
ImageMagick
Client/Desktop applications / Multimedia software

Vendor: ImageMagick.org

Description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

ImageMagick 7.0.6-2 has a memory leak vulnerability in WritePCXImage in coders/pcx.c.

Mitigation
Install update from vendor's website.

Vulnerable software versions

ImageMagick: 7.0.6-2

External links
https://github.com/ImageMagick/ImageMagick/commit/560e6e512961008938aa1d1b9aab06347b1c8f9b
https://github.com/ImageMagick/ImageMagick/issues/575

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in ImageMagick