10

CVE-2016-3714

Warnung
The (1) EPHEMERAL, (2) HTTPS, (3) MVG, (4) MSL, (5) TEXT, (6) SHOW, (7) WIN, and (8) PLT coders in ImageMagick before 6.9.3-10 and 7.x before 7.0.1-1 allow remote attackers to execute arbitrary code via shell metacharacters in a crafted image, aka "ImageTragick."
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
ImagemagickImagemagick Version <= 6.9.3-9
ImagemagickImagemagick Version7.0.0-0
ImagemagickImagemagick Version7.0.1-0
CanonicalUbuntu Linux Version12.04 SwEditionlts
CanonicalUbuntu Linux Version14.04 SwEditionlts
CanonicalUbuntu Linux Version15.10
CanonicalUbuntu Linux Version16.04 SwEditionlts
DebianDebian Linux Version8.0
DebianDebian Linux Version9.0
OpensuseLeap Version42.1
OpensuseOpensuse Version13.2

09.09.2024: CISA Known Exploited Vulnerabilities (KEV) Catalog

ImageMagick Improper Input Validation Vulnerability

Schwachstelle

ImageMagick contains an improper input validation vulnerability that affects the EPHEMERAL, HTTPS, MVG, MSL, TEXT, SHOW, WIN, and PLT coders. This allows a remote attacker to execute arbitrary code via shell metacharacters in a crafted image.

Beschreibung

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Erforderliche Maßnahmen
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 97.49% 0.999
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 8.4 2.5 5.9
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov 10 10 10
AV:N/AC:L/Au:N/C:C/I:C/A:C
134c704f-9b21-4f2e-91b3-4a467353bcc0 8.4 2.5 5.9
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

http://www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html
Third Party Advisory
http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html
Third Party Advisory
http://git.imagemagick.org/repos/ImageMagick/blob/a01518e08c840577cabd7d3ff291a9ba735f7276/ChangeLog
Patch
http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00024.html
Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00025.html
Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00028.html
Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00032.html
Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00041.html
Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00051.html
Third Party Advisory
http://packetstormsecurity.com/files/152364/ImageTragick-ImageMagick-Proof-Of-Concepts.html
Third Party Advisory
VDB Entry
http://rhn.redhat.com/errata/RHSA-2016-0726.html
Third Party Advisory
http://www.debian.org/security/2016/dsa-3580
Third Party Advisory
http://www.debian.org/security/2016/dsa-3746
Third Party Advisory
http://www.openwall.com/lists/oss-security/2016/05/03/13
Mailing List
http://www.openwall.com/lists/oss-security/2016/05/03/18
Mailing List
http://www.rapid7.com/db/modules/exploit/unix/fileformat/imagemagick_delegate
Third Party Advisory
http://www.securityfocus.com/archive/1/538378/100/0/threaded
Third Party Advisory
VDB Entry
http://www.securityfocus.com/bid/89848
Third Party Advisory
VDB Entry
http://www.securitytracker.com/id/1035742
Third Party Advisory
VDB Entry
http://www.slackware.com/security/viewer.php?l=slackware-security&y=2016&m=slackware-security.440568
Third Party Advisory
http://www.ubuntu.com/usn/USN-2990-1
Third Party Advisory
https://access.redhat.com/security/vulnerabilities/2296071
Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=1332492
Issue Tracking
https://imagetragick.com/
Vendor Advisory
https://security.gentoo.org/glsa/201611-21
Third Party Advisory
https://www.exploit-db.com/exploits/39767/
Third Party Advisory
VDB Entry
https://www.exploit-db.com/exploits/39791/
Third Party Advisory
VDB Entry
https://www.imagemagick.org/discourse-server/viewtopic.php?f=4&t=29588
Vendor Advisory
https://www.imagemagick.org/script/changelog.php
Vendor Advisory
https://www.kb.cert.org/vuls/id/250519
Third Party Advisory
US Government Resource
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2016-3714
US Government Resource