Amazon Linux AMI update for php71-pecl-imagick
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 73 |
| CVE-ID | CVE-2017-1000476 CVE-2017-11166 CVE-2017-12805 CVE-2017-12806 CVE-2017-18251 CVE-2017-18252 CVE-2017-18254 CVE-2017-18271 CVE-2017-18273 CVE-2018-10177 CVE-2018-10804 CVE-2018-10805 CVE-2018-11656 CVE-2018-12599 CVE-2018-12600 CVE-2018-13153 CVE-2018-14434 CVE-2018-14435 CVE-2018-14436 CVE-2018-14437 CVE-2018-15607 CVE-2018-16328 CVE-2018-16749 CVE-2018-16750 CVE-2018-18544 CVE-2018-20467 CVE-2018-8804 CVE-2018-9133 CVE-2019-10131 CVE-2019-10650 CVE-2019-11470 CVE-2019-11472 CVE-2019-11597 CVE-2019-11598 CVE-2019-12974 CVE-2019-12975 CVE-2019-12976 CVE-2019-12978 CVE-2019-12979 CVE-2019-13133 CVE-2019-13134 CVE-2019-13135 CVE-2019-13295 CVE-2019-13297 CVE-2019-13300 CVE-2019-13301 CVE-2019-13304 CVE-2019-13305 CVE-2019-13306 CVE-2019-13307 CVE-2019-13309 CVE-2019-13310 CVE-2019-13311 CVE-2019-13454 CVE-2019-14980 CVE-2019-14981 CVE-2019-15139 CVE-2019-15140 CVE-2019-15141 CVE-2019-16708 CVE-2019-16709 CVE-2019-16710 CVE-2019-16711 CVE-2019-16712 CVE-2019-16713 CVE-2019-17540 CVE-2019-17541 CVE-2019-19948 CVE-2019-19949 CVE-2019-7175 CVE-2019-7397 CVE-2019-7398 CVE-2019-9956 |
| CWE-ID | CWE-400 CWE-20 CWE-401 CWE-835 CWE-787 CWE-476 CWE-119 CWE-617 CWE-415 CWE-399 CWE-193 CWE-125 CWE-369 CWE-665 CWE-122 CWE-121 CWE-416 |
| Exploitation vector | Network |
| Public exploit |
Public exploit code for vulnerability #3 is available. Public exploit code for vulnerability #18 is available. Public exploit code for vulnerability #25 is available. Public exploit code for vulnerability #26 is available. Public exploit code for vulnerability #31 is available. Public exploit code for vulnerability #34 is available. Public exploit code for vulnerability #54 is available. Public exploit code for vulnerability #57 is available. Public exploit code for vulnerability #68 is available. Public exploit code for vulnerability #69 is available. Public exploit code for vulnerability #71 is available. Public exploit code for vulnerability #72 is available. |
| Vulnerable software |
Amazon Linux AMI Operating systems & Components / Operating system php71-pecl-imagick Operating systems & Components / Operating system package or component |
| Vendor | Amazon Web Services |
Security Bulletin
This security bulletin contains information about 73 vulnerabilities.
1) Resource exhaustion
EUVDB-ID: #VU12632
Risk: Low
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-1000476
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition on the target system.
The weakness exists in the function ReadDDSInfo in coders/dds.c due to CPU exhaustion. A remote attacker can cause the service to crash.
Update the affected packages:
i686:Vulnerable software versions
php71-pecl-imagick-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.i686
src:
php71-pecl-imagick-3.4.4-2.8.amzn1.src
x86_64:
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-3.4.4-2.8.amzn1.x86_64
Amazon Linux AMI: All versions
php71-pecl-imagick: before 3.4.4-2.8
CPE2.3- cpe:2.3:o:amazon_web_services:amazon_linux_ami:*:*:*:*:*:*:*:
- cpe:2.3:o:amazon_web_services:php71-pecl-imagick:*:*:*:*:*:amazon_linux_ami:*:
http://alas.aws.amazon.com/ALAS-2023-1814.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Input validation error
EUVDB-ID: #VU38717
Risk: Medium
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-11166
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
The ReadXWDImage function in codersxwd.c in ImageMagick 7.0.5-6 has a memory leak vulnerability that can cause memory exhaustion via a crafted length (number of color-map entries) field in the header of an XWD file.
MitigationUpdate the affected packages:
i686:Vulnerable software versions
php71-pecl-imagick-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.i686
src:
php71-pecl-imagick-3.4.4-2.8.amzn1.src
x86_64:
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-3.4.4-2.8.amzn1.x86_64
Amazon Linux AMI: All versions
php71-pecl-imagick: before 3.4.4-2.8
CPE2.3- cpe:2.3:o:amazon_web_services:amazon_linux_ami:*:*:*:*:*:*:*:
- cpe:2.3:o:amazon_web_services:php71-pecl-imagick:*:*:*:*:*:amazon_linux_ami:*:
http://alas.aws.amazon.com/ALAS-2023-1814.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Resource exhaustion
EUVDB-ID: #VU19188
Risk: Medium
CVSSv3.1: 4.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C]
CVE-ID: CVE-2017-12805
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a memory consumption condition in the "ReadTIFFImage()" function. A remote attacker can send a specially crafted file to the targeted system, trigger resource exhaustion and perform a denial of service (DoS) attack.
MitigationUpdate the affected packages:
i686:Vulnerable software versions
php71-pecl-imagick-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.i686
src:
php71-pecl-imagick-3.4.4-2.8.amzn1.src
x86_64:
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-3.4.4-2.8.amzn1.x86_64
Amazon Linux AMI: All versions
php71-pecl-imagick: before 3.4.4-2.8
CPE2.3- cpe:2.3:o:amazon_web_services:amazon_linux_ami:*:*:*:*:*:*:*:
- cpe:2.3:o:amazon_web_services:php71-pecl-imagick:*:*:*:*:*:amazon_linux_ami:*:
http://alas.aws.amazon.com/ALAS-2023-1814.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
4) Resource exhaustion
EUVDB-ID: #VU19048
Risk: Medium
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-12806
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to memory exhaustion when processing images within the format8BIM() function. A remote attacker can create a specially crafted image, pass it to the affected application and consume all available memory on the system.
MitigationUpdate the affected packages:
i686:Vulnerable software versions
php71-pecl-imagick-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.i686
src:
php71-pecl-imagick-3.4.4-2.8.amzn1.src
x86_64:
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-3.4.4-2.8.amzn1.x86_64
Amazon Linux AMI: All versions
php71-pecl-imagick: before 3.4.4-2.8
CPE2.3- cpe:2.3:o:amazon_web_services:amazon_linux_ami:*:*:*:*:*:*:*:
- cpe:2.3:o:amazon_web_services:php71-pecl-imagick:*:*:*:*:*:amazon_linux_ami:*:
http://alas.aws.amazon.com/ALAS-2023-1814.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Memory leak
EUVDB-ID: #VU12639
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-18251
CWE-ID:
CWE-401 - Missing release of memory after effective lifetime
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition on the target system.
The weakness exists in the function ReadPCDImage in coders/pcd.c due to memory leak. A remote attacker can trick the victim into opening a specially crafted file and cause the service to crash.
MitigationUpdate the affected packages:
i686:Vulnerable software versions
php71-pecl-imagick-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.i686
src:
php71-pecl-imagick-3.4.4-2.8.amzn1.src
x86_64:
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-3.4.4-2.8.amzn1.x86_64
Amazon Linux AMI: All versions
php71-pecl-imagick: before 3.4.4-2.8
CPE2.3- cpe:2.3:o:amazon_web_services:amazon_linux_ami:*:*:*:*:*:*:*:
- cpe:2.3:o:amazon_web_services:php71-pecl-imagick:*:*:*:*:*:amazon_linux_ami:*:
http://alas.aws.amazon.com/ALAS-2023-1814.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Improper input validation
EUVDB-ID: #VU12640
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-18252
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition on the target system.
The weakness exists in the MogrifyImageList function in MagickWand/mogrify.c due to assertion failure. A remote attacker can trick the victim into opening a specially crafted file and cause the service to crash.
MitigationUpdate the affected packages:
i686:Vulnerable software versions
php71-pecl-imagick-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.i686
src:
php71-pecl-imagick-3.4.4-2.8.amzn1.src
x86_64:
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-3.4.4-2.8.amzn1.x86_64
Amazon Linux AMI: All versions
php71-pecl-imagick: before 3.4.4-2.8
CPE2.3- cpe:2.3:o:amazon_web_services:amazon_linux_ami:*:*:*:*:*:*:*:
- cpe:2.3:o:amazon_web_services:php71-pecl-imagick:*:*:*:*:*:amazon_linux_ami:*:
http://alas.aws.amazon.com/ALAS-2023-1814.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) Memory leak
EUVDB-ID: #VU12641
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-18254
CWE-ID:
CWE-401 - Missing release of memory after effective lifetime
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition on the target system.
The weakness exists in the function WriteGIFImage in coders/gif.c due to memory leak. A remote attacker can trick the victim into opening a specially crafted file and cause the service to crash.
MitigationUpdate the affected packages:
i686:Vulnerable software versions
php71-pecl-imagick-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.i686
src:
php71-pecl-imagick-3.4.4-2.8.amzn1.src
x86_64:
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-3.4.4-2.8.amzn1.x86_64
Amazon Linux AMI: All versions
php71-pecl-imagick: before 3.4.4-2.8
CPE2.3- cpe:2.3:o:amazon_web_services:amazon_linux_ami:*:*:*:*:*:*:*:
- cpe:2.3:o:amazon_web_services:php71-pecl-imagick:*:*:*:*:*:amazon_linux_ami:*:
http://alas.aws.amazon.com/ALAS-2023-1814.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
8) Infinite loop
EUVDB-ID: #VU13039
Risk: Low
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-18271
CWE-ID:
CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition on the target system.
The vulnerability exists due to infinite loop in the function ReadMIFFImage in coders/miff.c. A remote attacker can submit a specially crafted MIFF image file, trigger CPU exhaustion and cause the service to crash.
MitigationUpdate the affected packages:
i686:Vulnerable software versions
php71-pecl-imagick-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.i686
src:
php71-pecl-imagick-3.4.4-2.8.amzn1.src
x86_64:
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-3.4.4-2.8.amzn1.x86_64
Amazon Linux AMI: All versions
php71-pecl-imagick: before 3.4.4-2.8
CPE2.3- cpe:2.3:o:amazon_web_services:amazon_linux_ami:*:*:*:*:*:*:*:
- cpe:2.3:o:amazon_web_services:php71-pecl-imagick:*:*:*:*:*:amazon_linux_ami:*:
http://alas.aws.amazon.com/ALAS-2023-1814.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
9) Infinite loop
EUVDB-ID: #VU46331
Risk: Medium
CVSSv3.1: 5.7 [AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-18273
CWE-ID:
CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to infinite loop within the ReadTXTImage in coders/txt.c, which allows attackers to cause a denial of service (CPU exhaustion) via a crafted image file that is mishandled in a GetImageIndexInList call. A remote attacker can consume all available system resources and trigger denial of service condition.
MitigationUpdate the affected packages:
i686:Vulnerable software versions
php71-pecl-imagick-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.i686
src:
php71-pecl-imagick-3.4.4-2.8.amzn1.src
x86_64:
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-3.4.4-2.8.amzn1.x86_64
Amazon Linux AMI: All versions
php71-pecl-imagick: before 3.4.4-2.8
CPE2.3- cpe:2.3:o:amazon_web_services:amazon_linux_ami:*:*:*:*:*:*:*:
- cpe:2.3:o:amazon_web_services:php71-pecl-imagick:*:*:*:*:*:amazon_linux_ami:*:
http://alas.aws.amazon.com/ALAS-2023-1814.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
10) Infinite loop
EUVDB-ID: #VU12642
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-10177
CWE-ID:
CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition on the target system.
The weakness exists in the ReadOneMNGImage function of the coders/png.c file due to infinite loop. A remote attacker can trick the victim into opening a specially crafted mng file and cause the service to crash.
Update the affected packages:
i686:Vulnerable software versions
php71-pecl-imagick-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.i686
src:
php71-pecl-imagick-3.4.4-2.8.amzn1.src
x86_64:
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-3.4.4-2.8.amzn1.x86_64
Amazon Linux AMI: All versions
php71-pecl-imagick: before 3.4.4-2.8
CPE2.3- cpe:2.3:o:amazon_web_services:amazon_linux_ami:*:*:*:*:*:*:*:
- cpe:2.3:o:amazon_web_services:php71-pecl-imagick:*:*:*:*:*:amazon_linux_ami:*:
http://alas.aws.amazon.com/ALAS-2023-1814.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
11) Memory leak
EUVDB-ID: #VU13579
Risk: Low
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-10804
CWE-ID:
CWE-401 - Missing release of memory after effective lifetime
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to memory leak within WriteTIFFImage in coders/tiff.c. A remote attacker can perform a denial of service attack.
MitigationUpdate the affected packages:
i686:Vulnerable software versions
php71-pecl-imagick-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.i686
src:
php71-pecl-imagick-3.4.4-2.8.amzn1.src
x86_64:
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-3.4.4-2.8.amzn1.x86_64
Amazon Linux AMI: All versions
php71-pecl-imagick: before 3.4.4-2.8
CPE2.3- cpe:2.3:o:amazon_web_services:amazon_linux_ami:*:*:*:*:*:*:*:
- cpe:2.3:o:amazon_web_services:php71-pecl-imagick:*:*:*:*:*:amazon_linux_ami:*:
http://alas.aws.amazon.com/ALAS-2023-1814.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
12) Memory leak
EUVDB-ID: #VU13580
Risk: Low
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-10805
CWE-ID:
CWE-401 - Missing release of memory after effective lifetime
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to memory leak within ReadYCBCRImage in coders/ycbcr.c. A remote attacker can perform a denial of service attack.
MitigationUpdate the affected packages:
i686:Vulnerable software versions
php71-pecl-imagick-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.i686
src:
php71-pecl-imagick-3.4.4-2.8.amzn1.src
x86_64:
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-3.4.4-2.8.amzn1.x86_64
Amazon Linux AMI: All versions
php71-pecl-imagick: before 3.4.4-2.8
CPE2.3- cpe:2.3:o:amazon_web_services:amazon_linux_ami:*:*:*:*:*:*:*:
- cpe:2.3:o:amazon_web_services:php71-pecl-imagick:*:*:*:*:*:amazon_linux_ami:*:
http://alas.aws.amazon.com/ALAS-2023-1814.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
13) Memory leak
EUVDB-ID: #VU79926
Risk: Medium
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-11656
CWE-ID:
CWE-401 - Missing release of memory after effective lifetime
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to memory leak within the ReadDCMImage() function in coders/dcm.c. A remote attacker can perform a denial of service attack via a a crafted DCM image file.
MitigationUpdate the affected packages:
i686:Vulnerable software versions
php71-pecl-imagick-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.i686
src:
php71-pecl-imagick-3.4.4-2.8.amzn1.src
x86_64:
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-3.4.4-2.8.amzn1.x86_64
Amazon Linux AMI: All versions
php71-pecl-imagick: before 3.4.4-2.8
CPE2.3- cpe:2.3:o:amazon_web_services:amazon_linux_ami:*:*:*:*:*:*:*:
- cpe:2.3:o:amazon_web_services:php71-pecl-imagick:*:*:*:*:*:amazon_linux_ami:*:
http://alas.aws.amazon.com/ALAS-2023-1814.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
14) Out-of-bounds write
EUVDB-ID: #VU13872
Risk: High
CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-12599
CWE-ID:
CWE-787 - Out-of-bounds write
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists in ReadBMPImage and WriteBMPImage in coders/bmp.c due to out-of-bounds write. A remote unauthenticated attacker can trick the victim into opening a specially crafted file and execute arbitrary code with elevated privileges.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationUpdate the affected packages:
i686:Vulnerable software versions
php71-pecl-imagick-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.i686
src:
php71-pecl-imagick-3.4.4-2.8.amzn1.src
x86_64:
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-3.4.4-2.8.amzn1.x86_64
Amazon Linux AMI: All versions
php71-pecl-imagick: before 3.4.4-2.8
CPE2.3- cpe:2.3:o:amazon_web_services:amazon_linux_ami:*:*:*:*:*:*:*:
- cpe:2.3:o:amazon_web_services:php71-pecl-imagick:*:*:*:*:*:amazon_linux_ami:*:
http://alas.aws.amazon.com/ALAS-2023-1814.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
15) Out-of-bounds write
EUVDB-ID: #VU13873
Risk: High
CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-12600
CWE-ID:
CWE-787 - Out-of-bounds write
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists in ReadDIBImage and WriteDIBImage in coders/dib. due to out-of-bounds write. A remote unauthenticated attacker can trick the victim into opening a specially crafted file and execute arbitrary code with elevated privileges.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationUpdate the affected packages:
i686:Vulnerable software versions
php71-pecl-imagick-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.i686
src:
php71-pecl-imagick-3.4.4-2.8.amzn1.src
x86_64:
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-3.4.4-2.8.amzn1.x86_64
Amazon Linux AMI: All versions
php71-pecl-imagick: before 3.4.4-2.8
CPE2.3- cpe:2.3:o:amazon_web_services:amazon_linux_ami:*:*:*:*:*:*:*:
- cpe:2.3:o:amazon_web_services:php71-pecl-imagick:*:*:*:*:*:amazon_linux_ami:*:
http://alas.aws.amazon.com/ALAS-2023-1814.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
16) Memory leak
EUVDB-ID: #VU13584
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-13153
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to memory leak within the XMagickCommand function in MagickCore/animate.c. A remote attacker can trick the victim into opening a specially crafted image file, consume excessive memory and cause the service to crash.
Update the affected packages:
i686:Vulnerable software versions
php71-pecl-imagick-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.i686
src:
php71-pecl-imagick-3.4.4-2.8.amzn1.src
x86_64:
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-3.4.4-2.8.amzn1.x86_64
Amazon Linux AMI: All versions
php71-pecl-imagick: before 3.4.4-2.8
CPE2.3- cpe:2.3:o:amazon_web_services:amazon_linux_ami:*:*:*:*:*:*:*:
- cpe:2.3:o:amazon_web_services:php71-pecl-imagick:*:*:*:*:*:amazon_linux_ami:*:
http://alas.aws.amazon.com/ALAS-2023-1814.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
17) Input validation error
EUVDB-ID: #VU33729
Risk: Medium
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-14434
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
ImageMagick 7.0.8-4 has a memory leak for a colormap in WriteMPCImage in coders/mpc.c.
MitigationUpdate the affected packages:
i686:Vulnerable software versions
php71-pecl-imagick-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.i686
src:
php71-pecl-imagick-3.4.4-2.8.amzn1.src
x86_64:
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-3.4.4-2.8.amzn1.x86_64
Amazon Linux AMI: All versions
php71-pecl-imagick: before 3.4.4-2.8
CPE2.3- cpe:2.3:o:amazon_web_services:amazon_linux_ami:*:*:*:*:*:*:*:
- cpe:2.3:o:amazon_web_services:php71-pecl-imagick:*:*:*:*:*:amazon_linux_ami:*:
http://alas.aws.amazon.com/ALAS-2023-1814.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
18) Memory leak
EUVDB-ID: #VU14465
Risk: Low
CVSSv3.1: 3.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C]
CVE-ID: CVE-2018-14435
CWE-ID:
CWE-401 - Missing release of memory after effective lifetime
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition on the target system.
The vulnerability exists due to memory leak in DecodeImage in coders/pcd.c. A remote attacker can trick the victim into opening a specially crafted input, trigger memory corruption and cause the service to crash.
MitigationUpdate the affected packages:
i686:Vulnerable software versions
php71-pecl-imagick-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.i686
src:
php71-pecl-imagick-3.4.4-2.8.amzn1.src
x86_64:
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-3.4.4-2.8.amzn1.x86_64
Amazon Linux AMI: All versions
php71-pecl-imagick: before 3.4.4-2.8
CPE2.3- cpe:2.3:o:amazon_web_services:amazon_linux_ami:*:*:*:*:*:*:*:
- cpe:2.3:o:amazon_web_services:php71-pecl-imagick:*:*:*:*:*:amazon_linux_ami:*:
http://alas.aws.amazon.com/ALAS-2023-1814.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
19) Memory leak
EUVDB-ID: #VU33480
Risk: Medium
CVSSv3.1: 5.7 [AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-14436
CWE-ID:
CWE-401 - Missing release of memory after effective lifetime
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to memory leak within ReadMIFFImage in coders/miff.c. A remote attacker can perform a denial of service attack.
MitigationUpdate the affected packages:
i686:Vulnerable software versions
php71-pecl-imagick-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.i686
src:
php71-pecl-imagick-3.4.4-2.8.amzn1.src
x86_64:
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-3.4.4-2.8.amzn1.x86_64
Amazon Linux AMI: All versions
php71-pecl-imagick: before 3.4.4-2.8
CPE2.3- cpe:2.3:o:amazon_web_services:amazon_linux_ami:*:*:*:*:*:*:*:
- cpe:2.3:o:amazon_web_services:php71-pecl-imagick:*:*:*:*:*:amazon_linux_ami:*:
http://alas.aws.amazon.com/ALAS-2023-1814.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
20) Memory leak
EUVDB-ID: #VU33481
Risk: Medium
CVSSv3.1: 5.7 [AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-14437
CWE-ID:
CWE-401 - Missing release of memory after effective lifetime
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to memory leak within parse8BIM in coders/meta.c. A remote attacker can perform a denial of service attack.
MitigationUpdate the affected packages:
i686:Vulnerable software versions
php71-pecl-imagick-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.i686
src:
php71-pecl-imagick-3.4.4-2.8.amzn1.src
x86_64:
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-3.4.4-2.8.amzn1.x86_64
Amazon Linux AMI: All versions
php71-pecl-imagick: before 3.4.4-2.8
CPE2.3- cpe:2.3:o:amazon_web_services:amazon_linux_ami:*:*:*:*:*:*:*:
- cpe:2.3:o:amazon_web_services:php71-pecl-imagick:*:*:*:*:*:amazon_linux_ami:*:
http://alas.aws.amazon.com/ALAS-2023-1814.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
21) Resource exhaustion
EUVDB-ID: #VU33483
Risk: Medium
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-15607
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
In ImageMagick 7.0.8-11 Q16, a tiny input file 0x50 0x36 0x36 0x36 0x36 0x4c 0x36 0x38 0x36 0x36 0x36 0x36 0x36 0x36 0x1f 0x35 0x50 0x00 can result in a hang of several minutes during which CPU and memory resources are consumed until ultimately an attempted large memory allocation fails. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted file.
MitigationUpdate the affected packages:
i686:Vulnerable software versions
php71-pecl-imagick-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.i686
src:
php71-pecl-imagick-3.4.4-2.8.amzn1.src
x86_64:
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-3.4.4-2.8.amzn1.x86_64
Amazon Linux AMI: All versions
php71-pecl-imagick: before 3.4.4-2.8
CPE2.3- cpe:2.3:o:amazon_web_services:amazon_linux_ami:*:*:*:*:*:*:*:
- cpe:2.3:o:amazon_web_services:php71-pecl-imagick:*:*:*:*:*:amazon_linux_ami:*:
http://alas.aws.amazon.com/ALAS-2023-1814.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
22) Null pointer dereference
EUVDB-ID: #VU14609
Risk: Low
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-16328
CWE-ID:
CWE-476 - NULL Pointer Dereference
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition on the target system.
The vulnerability exists in the CheckEventLogging function of ImageMagick due to boundary error when processing malicious input. A remote attacker can trick the victim into accessing an image file that submits malicious input, trigger a NULL pointer dereference condition in the CheckEventLogging function, as defined in the MagickCore/log.c source code file and cause the service to crash.
MitigationUpdate the affected packages:
i686:Vulnerable software versions
php71-pecl-imagick-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.i686
src:
php71-pecl-imagick-3.4.4-2.8.amzn1.src
x86_64:
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-3.4.4-2.8.amzn1.x86_64
Amazon Linux AMI: All versions
php71-pecl-imagick: before 3.4.4-2.8
CPE2.3- cpe:2.3:o:amazon_web_services:amazon_linux_ami:*:*:*:*:*:*:*:
- cpe:2.3:o:amazon_web_services:php71-pecl-imagick:*:*:*:*:*:amazon_linux_ami:*:
http://alas.aws.amazon.com/ALAS-2023-1814.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
23) Reachable Assertion
EUVDB-ID: #VU14739
Risk: Low
CVSSv3.1: 3.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-16749
CWE-ID:
CWE-617 - Reachable Assertion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a missing NULL check in ReadOneJNGImage() function in coders/png.c. A remote attacker can trigger an assertion failure with a specially crafted image file and crash the vulnerable application.
Update the affected packages:
i686:Vulnerable software versions
php71-pecl-imagick-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.i686
src:
php71-pecl-imagick-3.4.4-2.8.amzn1.src
x86_64:
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-3.4.4-2.8.amzn1.x86_64
Amazon Linux AMI: All versions
php71-pecl-imagick: before 3.4.4-2.8
CPE2.3- cpe:2.3:o:amazon_web_services:amazon_linux_ami:*:*:*:*:*:*:*:
- cpe:2.3:o:amazon_web_services:php71-pecl-imagick:*:*:*:*:*:amazon_linux_ami:*:
http://alas.aws.amazon.com/ALAS-2023-1814.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
24) Memory leak
EUVDB-ID: #VU14738
Risk: Low
CVSSv3.1: 3.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-16750
CWE-ID:
CWE-401 - Missing release of memory after effective lifetime
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to memory leak within the formatIPTCfromBuffer() function in coders/meta.c. A remote attacker can perform a denial of service attack via a specially crafted image file.
MitigationUpdate the affected packages:
i686:Vulnerable software versions
php71-pecl-imagick-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.i686
src:
php71-pecl-imagick-3.4.4-2.8.amzn1.src
x86_64:
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-3.4.4-2.8.amzn1.x86_64
Amazon Linux AMI: All versions
php71-pecl-imagick: before 3.4.4-2.8
CPE2.3- cpe:2.3:o:amazon_web_services:amazon_linux_ami:*:*:*:*:*:*:*:
- cpe:2.3:o:amazon_web_services:php71-pecl-imagick:*:*:*:*:*:amazon_linux_ami:*:
http://alas.aws.amazon.com/ALAS-2023-1814.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
25) Memory leak
EUVDB-ID: #VU15461
Risk: Low
CVSSv3.1: 5.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C]
CVE-ID: CVE-2018-18544
CWE-ID:
CWE-401 - Missing release of memory after effective lifetime
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition on the target system.
The vulnerability exists due to memory leak in the WriteMSLImage function, as defined in the coders/msl.c source code file. A remote attacker can trick the victim into accessing a file that submits malicious input, trigger memory leak and cause the service to crash.
MitigationUpdate the affected packages:
i686:Vulnerable software versions
php71-pecl-imagick-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.i686
src:
php71-pecl-imagick-3.4.4-2.8.amzn1.src
x86_64:
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-3.4.4-2.8.amzn1.x86_64
Amazon Linux AMI: All versions
php71-pecl-imagick: before 3.4.4-2.8
CPE2.3- cpe:2.3:o:amazon_web_services:amazon_linux_ami:*:*:*:*:*:*:*:
- cpe:2.3:o:amazon_web_services:php71-pecl-imagick:*:*:*:*:*:amazon_linux_ami:*:
http://alas.aws.amazon.com/ALAS-2023-1814.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
26) Infinite loop
EUVDB-ID: #VU16711
Risk: Low
CVSSv3.1: 3.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C]
CVE-ID: CVE-2018-20467
CWE-ID:
CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to infinite loop in coders/bmp.c. A remote attacker can trick the victim into opening a specially crafted file, consume all available system resources and cause denial of service conditions.
MitigationUpdate the affected packages:
i686:Vulnerable software versions
php71-pecl-imagick-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.i686
src:
php71-pecl-imagick-3.4.4-2.8.amzn1.src
x86_64:
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-3.4.4-2.8.amzn1.x86_64
Amazon Linux AMI: All versions
php71-pecl-imagick: before 3.4.4-2.8
CPE2.3- cpe:2.3:o:amazon_web_services:amazon_linux_ami:*:*:*:*:*:*:*:
- cpe:2.3:o:amazon_web_services:php71-pecl-imagick:*:*:*:*:*:amazon_linux_ami:*:
http://alas.aws.amazon.com/ALAS-2023-1814.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
27) Double free error
EUVDB-ID: #VU11817
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-8804
CWE-ID:
CWE-415 - Double Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition on the target system.
The weakness exists in WriteEPTImage in coders/ept.c due to double free error. A remote attacker can trick the victim into opening a specially crafted file and cause the service to crash.
Update the affected packages:
i686:Vulnerable software versions
php71-pecl-imagick-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.i686
src:
php71-pecl-imagick-3.4.4-2.8.amzn1.src
x86_64:
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-3.4.4-2.8.amzn1.x86_64
Amazon Linux AMI: All versions
php71-pecl-imagick: before 3.4.4-2.8
CPE2.3- cpe:2.3:o:amazon_web_services:amazon_linux_ami:*:*:*:*:*:*:*:
- cpe:2.3:o:amazon_web_services:php71-pecl-imagick:*:*:*:*:*:amazon_linux_ami:*:
http://alas.aws.amazon.com/ALAS-2023-1814.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
28) Resource management error
EUVDB-ID: #VU13583
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-9133
CWE-ID:
CWE-399 - Resource Management Errors
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due resource management error in the DecodeLabImage and EncodeLabImage functions in coders/tiff.c file. A remote attacker can perform a denial of service attack via a crafted tiff file.
MitigationUpdate the affected packages:
i686:Vulnerable software versions
php71-pecl-imagick-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.i686
src:
php71-pecl-imagick-3.4.4-2.8.amzn1.src
x86_64:
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-3.4.4-2.8.amzn1.x86_64
Amazon Linux AMI: All versions
php71-pecl-imagick: before 3.4.4-2.8
CPE2.3- cpe:2.3:o:amazon_web_services:amazon_linux_ami:*:*:*:*:*:*:*:
- cpe:2.3:o:amazon_web_services:php71-pecl-imagick:*:*:*:*:*:amazon_linux_ami:*:
http://alas.aws.amazon.com/ALAS-2023-1814.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
29) Off-by-one
EUVDB-ID: #VU18573
Risk: Medium
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-10131
CWE-ID:
CWE-193 - Off-by-one Error
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform denial of service attack.
The vulnerability exists due to an off-by-one read error in the formatIPTCfromBuffer function in coders/meta.c. A remote attacker can pass specially crafted image file the to affected application, trigger an off-by-one read error and perform denial of service attack.
MitigationUpdate the affected packages:
i686:Vulnerable software versions
php71-pecl-imagick-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.i686
src:
php71-pecl-imagick-3.4.4-2.8.amzn1.src
x86_64:
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-3.4.4-2.8.amzn1.x86_64
Amazon Linux AMI: All versions
php71-pecl-imagick: before 3.4.4-2.8
CPE2.3- cpe:2.3:o:amazon_web_services:amazon_linux_ami:*:*:*:*:*:*:*:
- cpe:2.3:o:amazon_web_services:php71-pecl-imagick:*:*:*:*:*:amazon_linux_ami:*:
http://alas.aws.amazon.com/ALAS-2023-1814.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
30) Out-of-bounds read
EUVDB-ID: #VU18389
Risk: Low
CVSSv3.1: 3.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-10650
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to heap-based buffer over-read in the WriteTIFFImage() function in coders/tiff.c, which allows an attacker to cause a denial of service or information disclosure via a crafted image file. A remote attacker can perform a denial of service attack.
MitigationUpdate the affected packages:
i686:Vulnerable software versions
php71-pecl-imagick-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.i686
src:
php71-pecl-imagick-3.4.4-2.8.amzn1.src
x86_64:
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-3.4.4-2.8.amzn1.x86_64
Amazon Linux AMI: All versions
php71-pecl-imagick: before 3.4.4-2.8
CPE2.3- cpe:2.3:o:amazon_web_services:amazon_linux_ami:*:*:*:*:*:*:*:
- cpe:2.3:o:amazon_web_services:php71-pecl-imagick:*:*:*:*:*:amazon_linux_ami:*:
http://alas.aws.amazon.com/ALAS-2023-1814.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
31) Resource exhaustion
EUVDB-ID: #VU19020
Risk: Medium
CVSSv3.1: 5.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C]
CVE-ID: CVE-2019-11470
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a lack of checks for insufficient image data in a file in the "ReadCINImage()" function, as defined in the "coders/cin.c" file. A remote attacker can send a specially crafted Cineon image with an incorrect claimed image size, trick a user into opening it, trigger resource exhaustion and perform a denial of service (DoS) attack.
MitigationUpdate the affected packages:
i686:Vulnerable software versions
php71-pecl-imagick-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.i686
src:
php71-pecl-imagick-3.4.4-2.8.amzn1.src
x86_64:
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-3.4.4-2.8.amzn1.x86_64
Amazon Linux AMI: All versions
php71-pecl-imagick: before 3.4.4-2.8
CPE2.3- cpe:2.3:o:amazon_web_services:amazon_linux_ami:*:*:*:*:*:*:*:
- cpe:2.3:o:amazon_web_services:php71-pecl-imagick:*:*:*:*:*:amazon_linux_ami:*:
http://alas.aws.amazon.com/ALAS-2023-1814.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
32) Division by zero
EUVDB-ID: #VU32024
Risk: Medium
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-11472
CWE-ID:
CWE-369 - Divide By Zero
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
ReadXWDImage in coders/xwd.c in the XWD image parsing component of ImageMagick 7.0.8-41 Q16 allows attackers to cause a denial-of-service (divide-by-zero error) by crafting an XWD image file in which the header indicates neither LSB first nor MSB first.
MitigationUpdate the affected packages:
i686:Vulnerable software versions
php71-pecl-imagick-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.i686
src:
php71-pecl-imagick-3.4.4-2.8.amzn1.src
x86_64:
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-3.4.4-2.8.amzn1.x86_64
Amazon Linux AMI: All versions
php71-pecl-imagick: before 3.4.4-2.8
CPE2.3- cpe:2.3:o:amazon_web_services:amazon_linux_ami:*:*:*:*:*:*:*:
- cpe:2.3:o:amazon_web_services:php71-pecl-imagick:*:*:*:*:*:amazon_linux_ami:*:
http://alas.aws.amazon.com/ALAS-2023-1814.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
33) Out-of-bounds read
EUVDB-ID: #VU32023
Risk: High
CVSSv3.1: 7.1 [AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-11597
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to heap-based buffer over-read in the function WriteTIFFImage of coders/tiff.c, which allows an attacker to cause a denial of service or possibly information disclosure via a crafted image file. A remote attacker can perform a denial of service attack.
MitigationUpdate the affected packages:
i686:Vulnerable software versions
php71-pecl-imagick-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.i686
src:
php71-pecl-imagick-3.4.4-2.8.amzn1.src
x86_64:
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-3.4.4-2.8.amzn1.x86_64
Amazon Linux AMI: All versions
php71-pecl-imagick: before 3.4.4-2.8
CPE2.3- cpe:2.3:o:amazon_web_services:amazon_linux_ami:*:*:*:*:*:*:*:
- cpe:2.3:o:amazon_web_services:php71-pecl-imagick:*:*:*:*:*:amazon_linux_ami:*:
http://alas.aws.amazon.com/ALAS-2023-1814.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
34) Out-of-bounds read
EUVDB-ID: #VU19019
Risk: Medium
CVSSv3.1: 4.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L/E:P/RL:O/RC:C]
CVE-ID: CVE-2019-11598
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to access sensitive information or cause a denial of service (DoS) condition.
The vulnerability exists due to a boundary condition in the "WritePNMImage()" function in the "coders/pnm.c" file. A remote attacker can send a specially crafted image file (related to SetGrayscaleImage in MagickCore/quantize.c.), trick the victim into opening it, trigger out-of-bounds read error, get access to sensitive information or cause a DoS condition on the targeted system.
MitigationUpdate the affected packages:
i686:Vulnerable software versions
php71-pecl-imagick-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.i686
src:
php71-pecl-imagick-3.4.4-2.8.amzn1.src
x86_64:
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-3.4.4-2.8.amzn1.x86_64
Amazon Linux AMI: All versions
php71-pecl-imagick: before 3.4.4-2.8
CPE2.3- cpe:2.3:o:amazon_web_services:amazon_linux_ami:*:*:*:*:*:*:*:
- cpe:2.3:o:amazon_web_services:php71-pecl-imagick:*:*:*:*:*:amazon_linux_ami:*:
http://alas.aws.amazon.com/ALAS-2023-1814.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
35) NULL pointer dereference
EUVDB-ID: #VU35780
Risk: Medium
CVSSv3.1: 4.8 [CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-12974
CWE-ID:
CWE-476 - NULL Pointer Dereference
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a NULL pointer dereference error. A remote attacker can trigger denial of service conditions via a crafted image.
MitigationUpdate the affected packages:
i686:Vulnerable software versions
php71-pecl-imagick-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.i686
src:
php71-pecl-imagick-3.4.4-2.8.amzn1.src
x86_64:
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-3.4.4-2.8.amzn1.x86_64
Amazon Linux AMI: All versions
php71-pecl-imagick: before 3.4.4-2.8
CPE2.3- cpe:2.3:o:amazon_web_services:amazon_linux_ami:*:*:*:*:*:*:*:
- cpe:2.3:o:amazon_web_services:php71-pecl-imagick:*:*:*:*:*:amazon_linux_ami:*:
http://alas.aws.amazon.com/ALAS-2023-1814.html
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
36) Resource management error
EUVDB-ID: #VU35781
Risk: Medium
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-12975
CWE-ID:
CWE-399 - Resource Management Errors
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
ImageMagick 7.0.8-34 has a memory leak vulnerability in the WriteDPXImage function in coders/dpx.c.
MitigationUpdate the affected packages:
i686:Vulnerable software versions
php71-pecl-imagick-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.i686
src:
php71-pecl-imagick-3.4.4-2.8.amzn1.src
x86_64:
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-3.4.4-2.8.amzn1.x86_64
Amazon Linux AMI: All versions
php71-pecl-imagick: before 3.4.4-2.8
CPE2.3- cpe:2.3:o:amazon_web_services:amazon_linux_ami:*:*:*:*:*:*:*:
- cpe:2.3:o:amazon_web_services:php71-pecl-imagick:*:*:*:*:*:amazon_linux_ami:*:
http://alas.aws.amazon.com/ALAS-2023-1814.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
37) Memory leak
EUVDB-ID: #VU35782
Risk: Medium
CVSSv3.1: 4.8 [CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-12976
CWE-ID:
CWE-401 - Missing release of memory after effective lifetime
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to memory leak within the ReadPCLImage function in coders/pcl.c. A remote attacker can perform a denial of service attack.
MitigationUpdate the affected packages:
i686:Vulnerable software versions
php71-pecl-imagick-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.i686
src:
php71-pecl-imagick-3.4.4-2.8.amzn1.src
x86_64:
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-3.4.4-2.8.amzn1.x86_64
Amazon Linux AMI: All versions
php71-pecl-imagick: before 3.4.4-2.8
CPE2.3- cpe:2.3:o:amazon_web_services:amazon_linux_ami:*:*:*:*:*:*:*:
- cpe:2.3:o:amazon_web_services:php71-pecl-imagick:*:*:*:*:*:amazon_linux_ami:*:
http://alas.aws.amazon.com/ALAS-2023-1814.html
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
38) Improper Initialization
EUVDB-ID: #VU35784
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-12978
CWE-ID:
CWE-665 - Improper Initialization
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
ImageMagick 7.0.8-34 has a "use of uninitialized value" vulnerability in the ReadPANGOImage function in coders/pango.c.
MitigationUpdate the affected packages:
i686:Vulnerable software versions
php71-pecl-imagick-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.i686
src:
php71-pecl-imagick-3.4.4-2.8.amzn1.src
x86_64:
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-3.4.4-2.8.amzn1.x86_64
Amazon Linux AMI: All versions
php71-pecl-imagick: before 3.4.4-2.8
CPE2.3- cpe:2.3:o:amazon_web_services:amazon_linux_ami:*:*:*:*:*:*:*:
- cpe:2.3:o:amazon_web_services:php71-pecl-imagick:*:*:*:*:*:amazon_linux_ami:*:
http://alas.aws.amazon.com/ALAS-2023-1814.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
39) Improper Initialization
EUVDB-ID: #VU35785
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-12979
CWE-ID:
CWE-665 - Improper Initialization
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
ImageMagick 7.0.8-34 has a "use of uninitialized value" vulnerability in the SyncImageSettings function in MagickCore/image.c. This is related to AcquireImage in magick/image.c.
MitigationUpdate the affected packages:
i686:Vulnerable software versions
php71-pecl-imagick-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.i686
src:
php71-pecl-imagick-3.4.4-2.8.amzn1.src
x86_64:
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-3.4.4-2.8.amzn1.x86_64
Amazon Linux AMI: All versions
php71-pecl-imagick: before 3.4.4-2.8
CPE2.3- cpe:2.3:o:amazon_web_services:amazon_linux_ami:*:*:*:*:*:*:*:
- cpe:2.3:o:amazon_web_services:php71-pecl-imagick:*:*:*:*:*:amazon_linux_ami:*:
http://alas.aws.amazon.com/ALAS-2023-1814.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
40) Resource management error
EUVDB-ID: #VU21068
Risk: Medium
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-13133
CWE-ID:
CWE-399 - Resource Management Errors
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a memory leak in the "ReadBMPImage" function in the "coders/bmp.c" file. A remote attacker can perform a denial of service attack.
MitigationUpdate the affected packages:
i686:Vulnerable software versions
php71-pecl-imagick-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.i686
src:
php71-pecl-imagick-3.4.4-2.8.amzn1.src
x86_64:
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-3.4.4-2.8.amzn1.x86_64
Amazon Linux AMI: All versions
php71-pecl-imagick: before 3.4.4-2.8
CPE2.3- cpe:2.3:o:amazon_web_services:amazon_linux_ami:*:*:*:*:*:*:*:
- cpe:2.3:o:amazon_web_services:php71-pecl-imagick:*:*:*:*:*:amazon_linux_ami:*:
http://alas.aws.amazon.com/ALAS-2023-1814.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
41) Resource management error
EUVDB-ID: #VU21094
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-13134
CWE-ID:
CWE-399 - Resource Management Errors
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a memory leak in the "ReadVIFFImage" function in the "coders/viff.c" file. A remote attacker can cause a denial of service condition on the target system.
Update the affected packages:
i686:Vulnerable software versions
php71-pecl-imagick-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.i686
src:
php71-pecl-imagick-3.4.4-2.8.amzn1.src
x86_64:
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-3.4.4-2.8.amzn1.x86_64
Amazon Linux AMI: All versions
php71-pecl-imagick: before 3.4.4-2.8
CPE2.3- cpe:2.3:o:amazon_web_services:amazon_linux_ami:*:*:*:*:*:*:*:
- cpe:2.3:o:amazon_web_services:php71-pecl-imagick:*:*:*:*:*:amazon_linux_ami:*:
http://alas.aws.amazon.com/ALAS-2023-1814.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
42) Input validation error
EUVDB-ID: #VU21095
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-13135
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to use of uninitialized value in the "ReadCUTImage" function in the "coders/cut.c" file. A remote attacker can execute arbitrary command on the target system.
Update the affected packages:
i686:Vulnerable software versions
php71-pecl-imagick-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.i686
src:
php71-pecl-imagick-3.4.4-2.8.amzn1.src
x86_64:
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-3.4.4-2.8.amzn1.x86_64
Amazon Linux AMI: All versions
php71-pecl-imagick: before 3.4.4-2.8
CPE2.3- cpe:2.3:o:amazon_web_services:amazon_linux_ami:*:*:*:*:*:*:*:
- cpe:2.3:o:amazon_web_services:php71-pecl-imagick:*:*:*:*:*:amazon_linux_ami:*:
http://alas.aws.amazon.com/ALAS-2023-1814.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
43) Out-of-bounds read
EUVDB-ID: #VU21063
Risk: Medium
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-13295
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to heap-based buffer over-read error in "AdaptiveThresholdImage" in the "MagickCore/threshold.c" file because a width of zero is mishandled. A remote attacker can trick the victim to open a specially crafted file, trigger out-of-bounds read error and crash the application.
Mitigation
Update the affected packages:
i686:Vulnerable software versions
php71-pecl-imagick-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.i686
src:
php71-pecl-imagick-3.4.4-2.8.amzn1.src
x86_64:
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-3.4.4-2.8.amzn1.x86_64
Amazon Linux AMI: All versions
php71-pecl-imagick: before 3.4.4-2.8
CPE2.3- cpe:2.3:o:amazon_web_services:amazon_linux_ami:*:*:*:*:*:*:*:
- cpe:2.3:o:amazon_web_services:php71-pecl-imagick:*:*:*:*:*:amazon_linux_ami:*:
http://alas.aws.amazon.com/ALAS-2023-1814.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
44) Out-of-bounds read
EUVDB-ID: #VU21070
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-13297
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to heap-based buffer over-read in AdaptiveThresholdImage in the "MagickCore/threshold.c" file because a height of zero is mishandled. A remote attacker can perform a denial of service attack.
MitigationUpdate the affected packages:
i686:Vulnerable software versions
php71-pecl-imagick-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.i686
src:
php71-pecl-imagick-3.4.4-2.8.amzn1.src
x86_64:
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-3.4.4-2.8.amzn1.x86_64
Amazon Linux AMI: All versions
php71-pecl-imagick: before 3.4.4-2.8
CPE2.3- cpe:2.3:o:amazon_web_services:amazon_linux_ami:*:*:*:*:*:*:*:
- cpe:2.3:o:amazon_web_services:php71-pecl-imagick:*:*:*:*:*:amazon_linux_ami:*:
http://alas.aws.amazon.com/ALAS-2023-1814.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
45) Heap-based buffer overflow
EUVDB-ID: #VU21073
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-13300
CWE-ID:
CWE-122 - Heap-based Buffer Overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error within the EvaluateImages in the "MagickCore/statistic.c" file because of mishandling columns. A remote attacker can create a specially crafted file, trick the victim into opening it, trigger heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationUpdate the affected packages:
i686:Vulnerable software versions
php71-pecl-imagick-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.i686
src:
php71-pecl-imagick-3.4.4-2.8.amzn1.src
x86_64:
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-3.4.4-2.8.amzn1.x86_64
Amazon Linux AMI: All versions
php71-pecl-imagick: before 3.4.4-2.8
CPE2.3- cpe:2.3:o:amazon_web_services:amazon_linux_ami:*:*:*:*:*:*:*:
- cpe:2.3:o:amazon_web_services:php71-pecl-imagick:*:*:*:*:*:amazon_linux_ami:*:
http://alas.aws.amazon.com/ALAS-2023-1814.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
46) Resource management error
EUVDB-ID: #VU21069
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-13301
CWE-ID:
CWE-399 - Resource Management Errors
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists because of a memory leak in AcquireMagickMemory due to an AnnotateImage error. A remote attacker can perform a denial of service attack.
MitigationUpdate the affected packages:
i686:Vulnerable software versions
php71-pecl-imagick-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.i686
src:
php71-pecl-imagick-3.4.4-2.8.amzn1.src
x86_64:
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-3.4.4-2.8.amzn1.x86_64
Amazon Linux AMI: All versions
php71-pecl-imagick: before 3.4.4-2.8
CPE2.3- cpe:2.3:o:amazon_web_services:amazon_linux_ami:*:*:*:*:*:*:*:
- cpe:2.3:o:amazon_web_services:php71-pecl-imagick:*:*:*:*:*:amazon_linux_ami:*:
http://alas.aws.amazon.com/ALAS-2023-1814.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
47) Stack-based buffer overflow
EUVDB-ID: #VU21076
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-13304
CWE-ID:
CWE-121 - Stack-based buffer overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in WritePNMImage in the "coders/pnm.c" file because of a misplaced assignment. A remote attacker can trigger stack-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationUpdate the affected packages:
i686:Vulnerable software versions
php71-pecl-imagick-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.i686
src:
php71-pecl-imagick-3.4.4-2.8.amzn1.src
x86_64:
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-3.4.4-2.8.amzn1.x86_64
Amazon Linux AMI: All versions
php71-pecl-imagick: before 3.4.4-2.8
CPE2.3- cpe:2.3:o:amazon_web_services:amazon_linux_ami:*:*:*:*:*:*:*:
- cpe:2.3:o:amazon_web_services:php71-pecl-imagick:*:*:*:*:*:amazon_linux_ami:*:
http://alas.aws.amazon.com/ALAS-2023-1814.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
48) Stack-based buffer overflow
EUVDB-ID: #VU21077
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-13305
CWE-ID:
CWE-121 - Stack-based buffer overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in WritePNMImage in the coders/pnm.c file because of a misplaced "strncpy" and "an off-by-one" error. A remote attacker can trigger stack-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationUpdate the affected packages:
i686:Vulnerable software versions
php71-pecl-imagick-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.i686
src:
php71-pecl-imagick-3.4.4-2.8.amzn1.src
x86_64:
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-3.4.4-2.8.amzn1.x86_64
Amazon Linux AMI: All versions
php71-pecl-imagick: before 3.4.4-2.8
CPE2.3- cpe:2.3:o:amazon_web_services:amazon_linux_ami:*:*:*:*:*:*:*:
- cpe:2.3:o:amazon_web_services:php71-pecl-imagick:*:*:*:*:*:amazon_linux_ami:*:
http://alas.aws.amazon.com/ALAS-2023-1814.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
49) Stack-based buffer overflow
EUVDB-ID: #VU21078
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-13306
CWE-ID:
CWE-121 - Stack-based buffer overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in WritePNMImage in the "coders/pnm.c" file because of "off-by-one" errors. A remote attacker can trigger stack-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationUpdate the affected packages:
i686:Vulnerable software versions
php71-pecl-imagick-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.i686
src:
php71-pecl-imagick-3.4.4-2.8.amzn1.src
x86_64:
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-3.4.4-2.8.amzn1.x86_64
Amazon Linux AMI: All versions
php71-pecl-imagick: before 3.4.4-2.8
CPE2.3- cpe:2.3:o:amazon_web_services:amazon_linux_ami:*:*:*:*:*:*:*:
- cpe:2.3:o:amazon_web_services:php71-pecl-imagick:*:*:*:*:*:amazon_linux_ami:*:
http://alas.aws.amazon.com/ALAS-2023-1814.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
50) Heap-based buffer overflow
EUVDB-ID: #VU21079
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-13307
CWE-ID:
CWE-122 - Heap-based Buffer Overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error within the EvaluateImages in the "MagickCore/statistic.c" file because of mishandling rows. A remote attacker can create a specially crafted file, trick the victim into opening it, trigger heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationUpdate the affected packages:
i686:Vulnerable software versions
php71-pecl-imagick-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.i686
src:
php71-pecl-imagick-3.4.4-2.8.amzn1.src
x86_64:
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-3.4.4-2.8.amzn1.x86_64
Amazon Linux AMI: All versions
php71-pecl-imagick: before 3.4.4-2.8
CPE2.3- cpe:2.3:o:amazon_web_services:amazon_linux_ami:*:*:*:*:*:*:*:
- cpe:2.3:o:amazon_web_services:php71-pecl-imagick:*:*:*:*:*:amazon_linux_ami:*:
http://alas.aws.amazon.com/ALAS-2023-1814.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
51) Resource management error
EUVDB-ID: #VU21066
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-13309
CWE-ID:
CWE-399 - Resource Management Errors
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists because of a memory leak in AcquireMagickMemory due to mishandling the NoSuchImage error in CLIListOperatorImages in the "MagickWand/operation.c" file. A remote attacker can perform a denial of service attack.
MitigationUpdate the affected packages:
i686:Vulnerable software versions
php71-pecl-imagick-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.i686
src:
php71-pecl-imagick-3.4.4-2.8.amzn1.src
x86_64:
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-3.4.4-2.8.amzn1.x86_64
Amazon Linux AMI: All versions
php71-pecl-imagick: before 3.4.4-2.8
CPE2.3- cpe:2.3:o:amazon_web_services:amazon_linux_ami:*:*:*:*:*:*:*:
- cpe:2.3:o:amazon_web_services:php71-pecl-imagick:*:*:*:*:*:amazon_linux_ami:*:
http://alas.aws.amazon.com/ALAS-2023-1814.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
52) Resource management error
EUVDB-ID: #VU21067
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-13310
CWE-ID:
CWE-399 - Resource Management Errors
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists because of a memory leak in AcquireMagickMemory due to an error in "MagickWand/mogrify.c" file. A remote attacker can perform a denial of service attack.
MitigationUpdate the affected packages:
i686:Vulnerable software versions
php71-pecl-imagick-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.i686
src:
php71-pecl-imagick-3.4.4-2.8.amzn1.src
x86_64:
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-3.4.4-2.8.amzn1.x86_64
Amazon Linux AMI: All versions
php71-pecl-imagick: before 3.4.4-2.8
CPE2.3- cpe:2.3:o:amazon_web_services:amazon_linux_ami:*:*:*:*:*:*:*:
- cpe:2.3:o:amazon_web_services:php71-pecl-imagick:*:*:*:*:*:amazon_linux_ami:*:
http://alas.aws.amazon.com/ALAS-2023-1814.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
53) Resource management error
EUVDB-ID: #VU21065
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-13311
CWE-ID:
CWE-399 - Resource Management Errors
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a memory leak in AcquireMagickMemory due to an error in the "wand/mogrify.c" file. A remote attacker can perform a denial of service attack on the target system.
MitigationUpdate the affected packages:
i686:Vulnerable software versions
php71-pecl-imagick-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.i686
src:
php71-pecl-imagick-3.4.4-2.8.amzn1.src
x86_64:
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-3.4.4-2.8.amzn1.x86_64
Amazon Linux AMI: All versions
php71-pecl-imagick: before 3.4.4-2.8
CPE2.3- cpe:2.3:o:amazon_web_services:amazon_linux_ami:*:*:*:*:*:*:*:
- cpe:2.3:o:amazon_web_services:php71-pecl-imagick:*:*:*:*:*:amazon_linux_ami:*:
http://alas.aws.amazon.com/ALAS-2023-1814.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
54) Division by zero
EUVDB-ID: #VU19185
Risk: Medium
CVSSv3.1: 5.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C]
CVE-ID: CVE-2019-13454
CWE-ID:
CWE-369 - Divide By Zero
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause a denial of service (DoS) condition on a system.
The vulnerability exists due to a divide-by-zero condition in the "RemoveDuplicateLayers" function, as defined in the "MagickCore/layer.c" file. A remote attacker can make calls on the targeted system and cause a DoS condition.
Update the affected packages:
i686:Vulnerable software versions
php71-pecl-imagick-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.i686
src:
php71-pecl-imagick-3.4.4-2.8.amzn1.src
x86_64:
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-3.4.4-2.8.amzn1.x86_64
Amazon Linux AMI: All versions
php71-pecl-imagick: before 3.4.4-2.8
CPE2.3- cpe:2.3:o:amazon_web_services:amazon_linux_ami:*:*:*:*:*:*:*:
- cpe:2.3:o:amazon_web_services:php71-pecl-imagick:*:*:*:*:*:amazon_linux_ami:*:
http://alas.aws.amazon.com/ALAS-2023-1814.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
55) Use-after-free
EUVDB-ID: #VU20300
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-14980
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a use-after-free error within the UnmapBlob() function when images. A remote attacker can create a specially crafted image file, pass it to the affected application and perform denial of service attack.
MitigationUpdate the affected packages:
i686:Vulnerable software versions
php71-pecl-imagick-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.i686
src:
php71-pecl-imagick-3.4.4-2.8.amzn1.src
x86_64:
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-3.4.4-2.8.amzn1.x86_64
Amazon Linux AMI: All versions
php71-pecl-imagick: before 3.4.4-2.8
CPE2.3- cpe:2.3:o:amazon_web_services:amazon_linux_ami:*:*:*:*:*:*:*:
- cpe:2.3:o:amazon_web_services:php71-pecl-imagick:*:*:*:*:*:amazon_linux_ami:*:
http://alas.aws.amazon.com/ALAS-2023-1814.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
56) Division by zero
EUVDB-ID: #VU20299
Risk: Medium
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-14981
CWE-ID:
CWE-369 - Divide By Zero
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform denial of service attack.
The vulnerability exists due to division by zero error when processing untrusted input in the MeanShiftImage function. It allows an attacker to cause a denial of service by sending a crafted file. A remote attacker can perform denial of service attack.
MitigationUpdate the affected packages:
i686:Vulnerable software versions
php71-pecl-imagick-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.i686
src:
php71-pecl-imagick-3.4.4-2.8.amzn1.src
x86_64:
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-3.4.4-2.8.amzn1.x86_64
Amazon Linux AMI: All versions
php71-pecl-imagick: before 3.4.4-2.8
CPE2.3- cpe:2.3:o:amazon_web_services:amazon_linux_ami:*:*:*:*:*:*:*:
- cpe:2.3:o:amazon_web_services:php71-pecl-imagick:*:*:*:*:*:amazon_linux_ami:*:
http://alas.aws.amazon.com/ALAS-2023-1814.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
57) Out-of-bounds read
EUVDB-ID: #VU21061
Risk: Medium
CVSSv3.1: 5.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C]
CVE-ID: CVE-2019-15139
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
Description
The vulnerability allows a remote attacker to cause a denial of service (DoS) condition on the target system.
The vulnerability exists in "ReadXWDImage" in the "coders/xwd.c" file due to a boundary condition when reading on XWD files. A remote attacker can create a specially crafted XWD image file, trick the victim into opening it, trigger out-of-bounds read error and crash the application.
Update the affected packages:
i686:Vulnerable software versions
php71-pecl-imagick-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.i686
src:
php71-pecl-imagick-3.4.4-2.8.amzn1.src
x86_64:
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-3.4.4-2.8.amzn1.x86_64
Amazon Linux AMI: All versions
php71-pecl-imagick: before 3.4.4-2.8
CPE2.3- cpe:2.3:o:amazon_web_services:amazon_linux_ami:*:*:*:*:*:*:*:
- cpe:2.3:o:amazon_web_services:php71-pecl-imagick:*:*:*:*:*:amazon_linux_ami:*:
http://alas.aws.amazon.com/ALAS-2023-1814.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
58) Use-after-free
EUVDB-ID: #VU21055
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-15140
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
Description
The vulnerability allows a remote attacker to execute arbitrary code on the target system
The vulnerability exists in "ReadImage" in the "MagickCore/constitute.c" file due to a use-after-free error when the affected software does improper memory operations. A remote attacker can trick a victim to open a specially crafted file and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Update the affected packages:
i686:Vulnerable software versions
php71-pecl-imagick-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.i686
src:
php71-pecl-imagick-3.4.4-2.8.amzn1.src
x86_64:
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-3.4.4-2.8.amzn1.x86_64
Amazon Linux AMI: All versions
php71-pecl-imagick: before 3.4.4-2.8
CPE2.3- cpe:2.3:o:amazon_web_services:amazon_linux_ami:*:*:*:*:*:*:*:
- cpe:2.3:o:amazon_web_services:php71-pecl-imagick:*:*:*:*:*:amazon_linux_ami:*:
http://alas.aws.amazon.com/ALAS-2023-1814.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
59) Out-of-bounds read
EUVDB-ID: #VU21062
Risk: Medium
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-15141
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary condition in "WriteTIFFImage" within coders/tiff.c" file. A remote attacker can create a specially crafted TIFF image file, related to TIFFRewriteDirectory, TIFFWriteDirectory, TIFFWriteDirectorySec, and TIFFWriteDirectoryTagColormap in "tif_dirwrite.c" of LibTIFF, trick the victim into opening it, trigger out-of-bounds read error and crash the application.
MitigationUpdate the affected packages:
i686:Vulnerable software versions
php71-pecl-imagick-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.i686
src:
php71-pecl-imagick-3.4.4-2.8.amzn1.src
x86_64:
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-3.4.4-2.8.amzn1.x86_64
Amazon Linux AMI: All versions
php71-pecl-imagick: before 3.4.4-2.8
CPE2.3- cpe:2.3:o:amazon_web_services:amazon_linux_ami:*:*:*:*:*:*:*:
- cpe:2.3:o:amazon_web_services:php71-pecl-imagick:*:*:*:*:*:amazon_linux_ami:*:
http://alas.aws.amazon.com/ALAS-2023-1814.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
60) Memory leak
EUVDB-ID: #VU31999
Risk: Medium
CVSSv3.1: 5.7 [AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-16708
CWE-ID:
CWE-401 - Missing release of memory after effective lifetime
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to memory leak within magick/xwindow.c, related to XCreateImage. A remote attacker can perform a denial of service attack.
MitigationUpdate the affected packages:
i686:Vulnerable software versions
php71-pecl-imagick-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.i686
src:
php71-pecl-imagick-3.4.4-2.8.amzn1.src
x86_64:
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-3.4.4-2.8.amzn1.x86_64
Amazon Linux AMI: All versions
php71-pecl-imagick: before 3.4.4-2.8
CPE2.3- cpe:2.3:o:amazon_web_services:amazon_linux_ami:*:*:*:*:*:*:*:
- cpe:2.3:o:amazon_web_services:php71-pecl-imagick:*:*:*:*:*:amazon_linux_ami:*:
http://alas.aws.amazon.com/ALAS-2023-1814.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
61) Memory leak
EUVDB-ID: #VU31998
Risk: Medium
CVSSv3.1: 5.7 [AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-16709
CWE-ID:
CWE-401 - Missing release of memory after effective lifetime
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to memory leak within coders/dps.c, as demonstrated by XCreateImage. A remote attacker can perform a denial of service attack.
MitigationUpdate the affected packages:
i686:Vulnerable software versions
php71-pecl-imagick-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.i686
src:
php71-pecl-imagick-3.4.4-2.8.amzn1.src
x86_64:
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-3.4.4-2.8.amzn1.x86_64
Amazon Linux AMI: All versions
php71-pecl-imagick: before 3.4.4-2.8
CPE2.3- cpe:2.3:o:amazon_web_services:amazon_linux_ami:*:*:*:*:*:*:*:
- cpe:2.3:o:amazon_web_services:php71-pecl-imagick:*:*:*:*:*:amazon_linux_ami:*:
http://alas.aws.amazon.com/ALAS-2023-1814.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
62) Memory leak
EUVDB-ID: #VU31997
Risk: Medium
CVSSv3.1: 5.7 [AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-16710
CWE-ID:
CWE-401 - Missing release of memory after effective lifetime
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to memory leak within coders/dot.c, as demonstrated by AcquireMagickMemory in MagickCore/memory.c. A remote attacker can perform a denial of service attack.
MitigationUpdate the affected packages:
i686:Vulnerable software versions
php71-pecl-imagick-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.i686
src:
php71-pecl-imagick-3.4.4-2.8.amzn1.src
x86_64:
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-3.4.4-2.8.amzn1.x86_64
Amazon Linux AMI: All versions
php71-pecl-imagick: before 3.4.4-2.8
CPE2.3- cpe:2.3:o:amazon_web_services:amazon_linux_ami:*:*:*:*:*:*:*:
- cpe:2.3:o:amazon_web_services:php71-pecl-imagick:*:*:*:*:*:amazon_linux_ami:*:
http://alas.aws.amazon.com/ALAS-2023-1814.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
63) Memory leak
EUVDB-ID: #VU31996
Risk: Medium
CVSSv3.1: 5.7 [AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-16711
CWE-ID:
CWE-401 - Missing release of memory after effective lifetime
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to memory leak within Huffman2DEncodeImage in coders/ps2.c. A remote attacker can perform a denial of service attack.
MitigationUpdate the affected packages:
i686:Vulnerable software versions
php71-pecl-imagick-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.i686
src:
php71-pecl-imagick-3.4.4-2.8.amzn1.src
x86_64:
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-3.4.4-2.8.amzn1.x86_64
Amazon Linux AMI: All versions
php71-pecl-imagick: before 3.4.4-2.8
CPE2.3- cpe:2.3:o:amazon_web_services:amazon_linux_ami:*:*:*:*:*:*:*:
- cpe:2.3:o:amazon_web_services:php71-pecl-imagick:*:*:*:*:*:amazon_linux_ami:*:
http://alas.aws.amazon.com/ALAS-2023-1814.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
64) Memory leak
EUVDB-ID: #VU31995
Risk: Medium
CVSSv3.1: 5.7 [AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-16712
CWE-ID:
CWE-401 - Missing release of memory after effective lifetime
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to memory leak within Huffman2DEncodeImage in coders/ps3.c, as demonstrated by WritePS3Image. A remote attacker can perform a denial of service attack.
MitigationUpdate the affected packages:
i686:Vulnerable software versions
php71-pecl-imagick-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.i686
src:
php71-pecl-imagick-3.4.4-2.8.amzn1.src
x86_64:
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-3.4.4-2.8.amzn1.x86_64
Amazon Linux AMI: All versions
php71-pecl-imagick: before 3.4.4-2.8
CPE2.3- cpe:2.3:o:amazon_web_services:amazon_linux_ami:*:*:*:*:*:*:*:
- cpe:2.3:o:amazon_web_services:php71-pecl-imagick:*:*:*:*:*:amazon_linux_ami:*:
http://alas.aws.amazon.com/ALAS-2023-1814.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
65) Memory leak
EUVDB-ID: #VU31994
Risk: Medium
CVSSv3.1: 5.7 [AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-16713
CWE-ID:
CWE-401 - Missing release of memory after effective lifetime
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to memory leak within coders/dot.c, as demonstrated by PingImage in MagickCore/constitute.c. A remote attacker can perform a denial of service attack.
MitigationUpdate the affected packages:
i686:Vulnerable software versions
php71-pecl-imagick-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.i686
src:
php71-pecl-imagick-3.4.4-2.8.amzn1.src
x86_64:
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-3.4.4-2.8.amzn1.x86_64
Amazon Linux AMI: All versions
php71-pecl-imagick: before 3.4.4-2.8
CPE2.3- cpe:2.3:o:amazon_web_services:amazon_linux_ami:*:*:*:*:*:*:*:
- cpe:2.3:o:amazon_web_services:php71-pecl-imagick:*:*:*:*:*:amazon_linux_ami:*:
http://alas.aws.amazon.com/ALAS-2023-1814.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
66) Heap-based buffer overflow
EUVDB-ID: #VU30724
Risk: Medium
CVSSv3.1: 6.1 [CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-17540
CWE-ID:
CWE-122 - Heap-based Buffer Overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error within the ReadPSInfo in coders/ps.c. A remote attacker can create a specially crafted file, trick the victim into opening it, trigger heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationUpdate the affected packages:
i686:Vulnerable software versions
php71-pecl-imagick-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.i686
src:
php71-pecl-imagick-3.4.4-2.8.amzn1.src
x86_64:
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-3.4.4-2.8.amzn1.x86_64
Amazon Linux AMI: All versions
php71-pecl-imagick: before 3.4.4-2.8
CPE2.3- cpe:2.3:o:amazon_web_services:amazon_linux_ami:*:*:*:*:*:*:*:
- cpe:2.3:o:amazon_web_services:php71-pecl-imagick:*:*:*:*:*:amazon_linux_ami:*:
http://alas.aws.amazon.com/ALAS-2023-1814.html
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
67) Use-after-free
EUVDB-ID: #VU30725
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-17541
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
ImageMagick before 7.0.8-55 has a use-after-free in DestroyStringInfo in MagickCore/string.c because the error manager is mishandled in coders/jpeg.c.
MitigationUpdate the affected packages:
i686:Vulnerable software versions
php71-pecl-imagick-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.i686
src:
php71-pecl-imagick-3.4.4-2.8.amzn1.src
x86_64:
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-3.4.4-2.8.amzn1.x86_64
Amazon Linux AMI: All versions
php71-pecl-imagick: before 3.4.4-2.8
CPE2.3- cpe:2.3:o:amazon_web_services:amazon_linux_ami:*:*:*:*:*:*:*:
- cpe:2.3:o:amazon_web_services:php71-pecl-imagick:*:*:*:*:*:amazon_linux_ami:*:
http://alas.aws.amazon.com/ALAS-2023-1814.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
68) Heap-based buffer overflow
EUVDB-ID: #VU24029
Risk: Medium
CVSSv3.1: 6.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C]
CVE-ID: CVE-2019-19948
CWE-ID:
CWE-122 - Heap-based Buffer Overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due insufficient validation of row and column sizes in the "WriteSGIImage" function of coders/sgi.c. A remote attacker can trigger heap-based buffer overflow and cause a denial of service condition on the target system.
MitigationUpdate the affected packages:
i686:Vulnerable software versions
php71-pecl-imagick-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.i686
src:
php71-pecl-imagick-3.4.4-2.8.amzn1.src
x86_64:
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-3.4.4-2.8.amzn1.x86_64
Amazon Linux AMI: All versions
php71-pecl-imagick: before 3.4.4-2.8
CPE2.3- cpe:2.3:o:amazon_web_services:amazon_linux_ami:*:*:*:*:*:*:*:
- cpe:2.3:o:amazon_web_services:php71-pecl-imagick:*:*:*:*:*:amazon_linux_ami:*:
http://alas.aws.amazon.com/ALAS-2023-1814.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
69) Out-of-bounds read
EUVDB-ID: #VU24030
Risk: Medium
CVSSv3.1: 6.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C]
CVE-ID: CVE-2019-19949
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due missing length check prior pointer dereference in the "WritePNGImage" function of coders/png.c, related to Magick_png_write_raw_profile and LocaleNCompare. A remote attacker can cause a denial of service condition on the target system.
Update the affected packages:
i686:Vulnerable software versions
php71-pecl-imagick-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.i686
src:
php71-pecl-imagick-3.4.4-2.8.amzn1.src
x86_64:
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-3.4.4-2.8.amzn1.x86_64
Amazon Linux AMI: All versions
php71-pecl-imagick: before 3.4.4-2.8
CPE2.3- cpe:2.3:o:amazon_web_services:amazon_linux_ami:*:*:*:*:*:*:*:
- cpe:2.3:o:amazon_web_services:php71-pecl-imagick:*:*:*:*:*:amazon_linux_ami:*:
http://alas.aws.amazon.com/ALAS-2023-1814.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
70) Memory leak
EUVDB-ID: #VU18390
Risk: Low
CVSSv3.1: 2.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-7175
CWE-ID:
CWE-401 - Missing release of memory after effective lifetime
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform DoS attack on the target system.
The vulnerability exists due memory leak in the DecodeImage() function in coders/pcd.c. A remote attacker can create a specially crafted image file and perform denial of service attack.
MitigationUpdate the affected packages:
i686:Vulnerable software versions
php71-pecl-imagick-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.i686
src:
php71-pecl-imagick-3.4.4-2.8.amzn1.src
x86_64:
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-3.4.4-2.8.amzn1.x86_64
Amazon Linux AMI: All versions
php71-pecl-imagick: before 3.4.4-2.8
CPE2.3- cpe:2.3:o:amazon_web_services:amazon_linux_ami:*:*:*:*:*:*:*:
- cpe:2.3:o:amazon_web_services:php71-pecl-imagick:*:*:*:*:*:amazon_linux_ami:*:
http://alas.aws.amazon.com/ALAS-2023-1814.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
71) Memory leak
EUVDB-ID: #VU17707
Risk: Low
CVSSv3.1: 3.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C]
CVE-ID: CVE-2019-7397
CWE-ID:
CWE-401 - Missing release of memory after effective lifetime
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform DoS attack on the target system.
The vulnerability exists due a memory leak in the WritePDFImage function, as defined in the coders/pdf.c source code file. A remote attacker can trick the victim into accessing a file that submits malicious input and perform denial of service attack.
MitigationUpdate the affected packages:
i686:Vulnerable software versions
php71-pecl-imagick-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.i686
src:
php71-pecl-imagick-3.4.4-2.8.amzn1.src
x86_64:
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-3.4.4-2.8.amzn1.x86_64
Amazon Linux AMI: All versions
php71-pecl-imagick: before 3.4.4-2.8
CPE2.3- cpe:2.3:o:amazon_web_services:amazon_linux_ami:*:*:*:*:*:*:*:
- cpe:2.3:o:amazon_web_services:php71-pecl-imagick:*:*:*:*:*:amazon_linux_ami:*:
http://alas.aws.amazon.com/ALAS-2023-1814.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
72) Memory leak
EUVDB-ID: #VU17705
Risk: Low
CVSSv3.1: 3.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C]
CVE-ID: CVE-2019-7398
CWE-ID:
CWE-401 - Missing release of memory after effective lifetime
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform DoS attack on the target system.
The vulnerability exists due a memory leak in the WriteDIBImage function, as defined in the coders/dib.c source code file. A remote attacker can trick the victim into accessing a file that submits malicious input and perform denial of service attack.
MitigationUpdate the affected packages:
i686:Vulnerable software versions
php71-pecl-imagick-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.i686
src:
php71-pecl-imagick-3.4.4-2.8.amzn1.src
x86_64:
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-3.4.4-2.8.amzn1.x86_64
Amazon Linux AMI: All versions
php71-pecl-imagick: before 3.4.4-2.8
CPE2.3- cpe:2.3:o:amazon_web_services:amazon_linux_ami:*:*:*:*:*:*:*:
- cpe:2.3:o:amazon_web_services:php71-pecl-imagick:*:*:*:*:*:amazon_linux_ami:*:
http://alas.aws.amazon.com/ALAS-2023-1814.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
73) Stack-based buffer overflow
EUVDB-ID: #VU18391
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-9956
CWE-ID:
CWE-121 - Stack-based buffer overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing a crafted image file in the PopHexPixel() function of coders/ps.c. A remote unauthenticated attacker can trigger stack-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationUpdate the affected packages:
i686:Vulnerable software versions
php71-pecl-imagick-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.i686
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.i686
src:
php71-pecl-imagick-3.4.4-2.8.amzn1.src
x86_64:
php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-devel-3.4.4-2.8.amzn1.x86_64
php71-pecl-imagick-3.4.4-2.8.amzn1.x86_64
Amazon Linux AMI: All versions
php71-pecl-imagick: before 3.4.4-2.8
CPE2.3- cpe:2.3:o:amazon_web_services:amazon_linux_ami:*:*:*:*:*:*:*:
- cpe:2.3:o:amazon_web_services:php71-pecl-imagick:*:*:*:*:*:amazon_linux_ami:*:
http://alas.aws.amazon.com/ALAS-2023-1814.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
