Risk | Low |
Patch available | YES |
Number of vulnerabilities | 5 |
CVE-ID | CVE-2017-18231 CVE-2017-18230 CVE-2017-18229 CVE-2017-18219 CVE-2017-18220 |
CWE-ID | CWE-476 CWE-119 CWE-789 CWE-416 |
Exploitation vector | Network |
Public exploit | Public exploit code for vulnerability #3 is available. |
Vulnerable software | GraphicsMagick (Universal components / Libraries / Libraries used by multiple products) |
Vendor | GraphicsMagick Group |
Security Bulletin
This security bulletin contains information about 5 vulnerabilities.
EUVDB-ID: #VU11147
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2017-18231
CWE-ID:
CWE-476 - NULL Pointer Dereference
Exploit availability: No
Description: The vulnerability allows a remote attacker to cause a DoS condition on the target system.
The weakness exists in the ReadEnhMetaFile function due to NULL pointer dereference. A remote attacker can send a specially crafted file, trick the victim into opening it and cause the service to crash.
Install the update from the vendor's website.
Vulnerable software versions: GraphicsMagick: 1.3.26
External links: https://sourceforge.net/p/graphicsmagick/bugs/475/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU11148
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2017-18230
CWE-ID:
CWE-476 - NULL Pointer Dereference
Exploit availability: No
Description: The vulnerability allows a remote attacker to cause a DoS condition on the target system.
The weakness exists in the ReadCINEONImage function due to NULL pointer dereference. A remote attacker can send a specially crafted file, trick the victim into opening it and cause the service to crash.
Install the update from the vendor's website.
Vulnerable software versions: GraphicsMagick: 1.3.26
External links: https://sourceforge.net/p/graphicsmagick/bugs/473/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU11149
Risk: Low
CVSSv4.0: 2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/U:Clear]
CVE-ID: CVE-2017-18229
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
Description: The vulnerability allows a remote attacker to cause a DoS condition on the target system.
The weakness exists in the ReadTIFFImage function due to memory allocation. A remote attacker can send a specially crafted file, trick the victim into opening it, trigger memory corruption and cause the service to crash.
Install the update from the vendor's website.
Vulnerable software versions: GraphicsMagick: 1.3.26
External links: https://sourceforge.net/p/graphicsmagick/bugs/461/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
EUVDB-ID: #VU11159
Risk: Low
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2017-18219
CWE-ID:
CWE-789 - Uncontrolled Memory Allocation
Exploit availability: No
Description: The vulnerability allows a remote unauthenticated attacker to cause a DoS condition on the target system.
The weakness exists in the ReadOnePNGImage function due to memory allocation. A remote attacker can submit a specially crafted file, trigger memory corruption and cause the service to crash.
Install the update from the vendor's website.
Vulnerable software versions: GraphicsMagick: 1.3.26
External links: https://sourceforge.net/p/graphicsmagick/bugs/459/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU11160
Risk: Low
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2017-18220
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
Description: The vulnerability allows a remote unauthenticated attacker to cause a DoS condition on the target system.
The weakness exists in the ReadOneJNGImage and ReadJNGImage functions due to use after free. A remote attacker can submit a specially crafted file, trigger memory corruption and cause the service to crash.
Install the update from the vendor's website.
Vulnerable software versions: GraphicsMagick: 1.3.26
External links: https://sourceforge.net/p/graphicsmagick/bugs/438/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.