Multiple vulnerabilities in ImageMagick
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 3 |
| CVE-ID | CVE-2017-6498 CVE-2017-6499 CVE-2017-6500 |
| CWE-ID | CWE-20 CWE-125 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
ImageMagick Client/Desktop applications / Multimedia software Debian Linux Operating systems & Components / Operating system |
| Vendor |
ImageMagick.org Debian |
Security Bulletin
This security bulletin contains information about 3 vulnerabilities.
1) Input validation error
EUVDB-ID: #VU39581
Risk: Medium
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-6498
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
An issue was discovered in ImageMagick 6.9.7. Incorrect TGA files could trigger assertion failures, thus leading to DoS.
MitigationInstall update from vendor's website.
Vulnerable software versionsImageMagick: 6.9.7
Debian Linux: 6.9.7 - 9.0
CPE2.3- cpe:2.3:a:imagemagick_org:imagemagick:6.9.7:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:6.9.7:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
http://www.debian.org/security/2017/dsa-3808
http://www.securityfocus.com/bid/96591
http://bugs.debian.org/856878
http://github.com/ImageMagick/ImageMagick/commit/65f75a32a93ae4044c528a987a68366ecd4b46b9
http://github.com/ImageMagick/ImageMagick/pull/359
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Input validation error
EUVDB-ID: #VU39582
Risk: Medium
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-6499
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
An issue was discovered in Magick++ in ImageMagick 6.9.7. A specially crafted file creating a nested exception could lead to a memory leak (thus, a DoS).
MitigationInstall update from vendor's website.
Vulnerable software versionsImageMagick: 6.9.7
Debian Linux: 6.9.7 - 9.0
CPE2.3- cpe:2.3:a:imagemagick_org:imagemagick:6.9.7:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:6.9.7:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
http://www.debian.org/security/2017/dsa-3808
http://www.securityfocus.com/bid/96590
http://bugs.debian.org/856880
http://github.com/ImageMagick/ImageMagick/commit/3358f060fc182551822576b2c0a8850faab5d543
http://www.imagemagick.org/discourse-server/viewtopic.php?f=23&p=142634
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Out-of-bounds read
EUVDB-ID: #VU39583
Risk: Medium
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-6500
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
An issue was discovered in ImageMagick 6.9.7. A specially crafted sun file triggers a heap-based buffer over-read.
MitigationInstall update from vendor's website.
Vulnerable software versionsImageMagick: 6.9.7
Debian Linux: 6.9.7 - 9.0
CPE2.3- cpe:2.3:a:imagemagick_org:imagemagick:6.9.7:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:6.9.7:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
http://www.debian.org/security/2017/dsa-3808
http://www.securityfocus.com/bid/96592
http://bugs.debian.org/856879
http://github.com/ImageMagick/ImageMagick/commit/3007531bfd326c5c1e29cd41d2cd80c166de8528
http://github.com/ImageMagick/ImageMagick/issues/375
http://github.com/ImageMagick/ImageMagick/issues/376
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
