CVE-2016-3714

Warnung

EPSS 93.75%
Veröffentlicht 05.05.2016 18:59:03
Zuletzt bearbeitet 12.04.2025 10:46:40
Quelle secalert@redhat.com
Teams Watchlist Login
Unerledigt Login

The (1) EPHEMERAL, (2) HTTPS, (3) MVG, (4) MSL, (5) TEXT, (6) SHOW, (7) WIN, and (8) PLT coders in ImageMagick before 6.9.3-10 and 7.x before 7.0.1-1 allow remote attackers to execute arbitrary code via shell metacharacters in a crafted image, aka "ImageTragick."

Betroffene Produkte Warnungen 1 Metriken 4 CWE 1 Referenzen 33

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Imagemagick ≫ Imagemagick Version <= 6.9.3-9

Imagemagick ≫ Imagemagick Version7.0.0-0

Imagemagick ≫ Imagemagick Version7.0.1-0

Canonical ≫ Ubuntu Linux Version12.04 SwEditionlts

Canonical ≫ Ubuntu Linux Version14.04 SwEditionlts

Canonical ≫ Ubuntu Linux Version15.10

Canonical ≫ Ubuntu Linux Version16.04 SwEditionlts

Debian ≫ Debian Linux Version8.0

Debian ≫ Debian Linux Version9.0

Opensuse ≫ Leap Version42.1

Opensuse ≫ Opensuse Version13.2

Suse ≫ Suse Linux Enterprise Server Version12

09.09.2024: CISA Known Exploited Vulnerabilities (KEV) Catalog

ImageMagick Improper Input Validation Vulnerability

Schwachstelle

ImageMagick contains an improper input validation vulnerability that affects the EPHEMERAL, HTTPS, MVG, MSL, TEXT, SHOW, WIN, and PLT coders. This allows a remote attacker to execute arbitrary code via shell metacharacters in a crafted image.

Beschreibung

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Erforderliche Maßnahmen

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	93.75%	0.999

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	8.4	2.5	5.9	CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	10	10	10	AV:N/AC:L/Au:N/C:C/I:C/A:C
134c704f-9b21-4f2e-91b3-4a467353bcc0	8.4	2.5	5.9	CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

http://www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html

Third Party Advisory

http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html

Third Party Advisory

http://git.imagemagick.org/repos/ImageMagick/blob/a01518e08c840577cabd7d3ff291a9ba735f7276/ChangeLog

Patch

http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00024.html

Third Party Advisory

http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00025.html

Third Party Advisory

http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00028.html

Third Party Advisory