Denial of service in ImageMagick
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 4 |
| CVE-ID | CVE-2019-7396 CVE-2019-7398 CVE-2019-7395 CVE-2019-7397 |
| CWE-ID | CWE-401 |
| Exploitation vector | Network |
| Public exploit |
Public exploit code for vulnerability #1 is available. Public exploit code for vulnerability #2 is available. Public exploit code for vulnerability #3 is available. Public exploit code for vulnerability #4 is available. |
| Vulnerable software |
ImageMagick Client/Desktop applications / Multimedia software |
| Vendor | ImageMagick.org |
Security Bulletin
This security bulletin contains information about 4 vulnerabilities.
1) Memory leak
EUVDB-ID: #VU17704
Risk: Low
CVSSv4.0: 1.8 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/U:Clear]
CVE-ID: CVE-2019-7396
CWE-ID:
CWE-401 - Missing release of memory after effective lifetime
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform DoS attack on the target system.
The vulnerability exists due a memory leak in the ReadSIXELImage function, as defined in the coders/sixel.c source code file. A remote attacker can trick the victim into accessing a file that submits malicious input and perform denial of service attack.
MitigationUpdate to version 7.0.8-25.
Vulnerable software versionsImageMagick: 7.0.0-0 - 7.0.8-24
CPE2.3- cpe:2.3:a:imagemagick_org:imagemagick:7.0.0-0:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick_org:imagemagick:7.0.1-10:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick_org:imagemagick:7.0.2-10:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick_org:imagemagick:7.0.3-10:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick_org:imagemagick:7.0.4-10:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick_org:imagemagick:7.0.5-10:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick_org:imagemagick:7.0.6-10:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick_org:imagemagick:7.0.7-39:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick_org:imagemagick:7.0.8-24:*:*:*:*:*:*:*
https://github.com/ImageMagick/ImageMagick/issues/1452
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
2) Memory leak
EUVDB-ID: #VU17705
Risk: Low
CVSSv4.0: 1.8 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/U:Clear]
CVE-ID: CVE-2019-7398
CWE-ID:
CWE-401 - Missing release of memory after effective lifetime
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform DoS attack on the target system.
The vulnerability exists due a memory leak in the WriteDIBImage function, as defined in the coders/dib.c source code file. A remote attacker can trick the victim into accessing a file that submits malicious input and perform denial of service attack.
MitigationUpdate to version 7.0.8-25.
Vulnerable software versionsImageMagick: 7.0.0-0 - 7.0.8-24
CPE2.3- cpe:2.3:a:imagemagick_org:imagemagick:7.0.0-0:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick_org:imagemagick:7.0.1-10:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick_org:imagemagick:7.0.2-10:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick_org:imagemagick:7.0.3-10:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick_org:imagemagick:7.0.4-10:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick_org:imagemagick:7.0.5-10:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick_org:imagemagick:7.0.6-10:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick_org:imagemagick:7.0.7-39:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick_org:imagemagick:7.0.8-24:*:*:*:*:*:*:*
https://github.com/ImageMagick/ImageMagick/issues/1453
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
3) Memory leak
EUVDB-ID: #VU17706
Risk: Low
CVSSv4.0: 1.8 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/U:Clear]
CVE-ID: CVE-2019-7395
CWE-ID:
CWE-401 - Missing release of memory after effective lifetime
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform DoS attack on the target system.
The vulnerability exists due a memory leak in the WritePSDChannel function, as defined in the coders/psd.c source code file. A remote attacker can trick the victim into accessing a file that submits malicious input and perform denial of service attack.
MitigationUpdate to version 7.0.8-25.
Vulnerable software versionsImageMagick: 7.0.0-0 - 7.0.8-24
CPE2.3- cpe:2.3:a:imagemagick_org:imagemagick:7.0.0-0:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick_org:imagemagick:7.0.1-10:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick_org:imagemagick:7.0.2-10:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick_org:imagemagick:7.0.3-10:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick_org:imagemagick:7.0.4-10:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick_org:imagemagick:7.0.5-10:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick_org:imagemagick:7.0.6-10:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick_org:imagemagick:7.0.7-39:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick_org:imagemagick:7.0.8-24:*:*:*:*:*:*:*
https://github.com/ImageMagick/ImageMagick/issues/1451
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
4) Memory leak
EUVDB-ID: #VU17707
Risk: Low
CVSSv4.0: 1.8 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/U:Clear]
CVE-ID: CVE-2019-7397
CWE-ID:
CWE-401 - Missing release of memory after effective lifetime
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform DoS attack on the target system.
The vulnerability exists due a memory leak in the WritePDFImage function, as defined in the coders/pdf.c source code file. A remote attacker can trick the victim into accessing a file that submits malicious input and perform denial of service attack.
MitigationUpdate to version 7.0.8-25.
Vulnerable software versionsImageMagick: 7.0.0-0 - 7.0.8-24
CPE2.3- cpe:2.3:a:imagemagick_org:imagemagick:7.0.0-0:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick_org:imagemagick:7.0.1-10:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick_org:imagemagick:7.0.2-10:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick_org:imagemagick:7.0.3-10:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick_org:imagemagick:7.0.4-10:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick_org:imagemagick:7.0.5-10:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick_org:imagemagick:7.0.6-10:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick_org:imagemagick:7.0.7-39:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick_org:imagemagick:7.0.8-24:*:*:*:*:*:*:*
https://github.com/ImageMagick/ImageMagick/issues/1454
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
