CVE-2016-3714

Warning

EPSS 93.75%
Published 05.05.2016 18:59:03
Last modified 12.04.2025 10:46:40
Source secalert@redhat.com
Teams watchlist Login
Open Login

The (1) EPHEMERAL, (2) HTTPS, (3) MVG, (4) MSL, (5) TEXT, (6) SHOW, (7) WIN, and (8) PLT coders in ImageMagick before 6.9.3-10 and 7.x before 7.0.1-1 allow remote attackers to execute arbitrary code via shell metacharacters in a crafted image, aka "ImageTragick."

Affected products Warnungen 1 Metrics 4 CWE 1 References 33

Data is provided by the National Vulnerability Database (NVD)

Imagemagick ≫ Imagemagick Version <= 6.9.3-9

Imagemagick ≫ Imagemagick Version7.0.0-0

Imagemagick ≫ Imagemagick Version7.0.1-0

Canonical ≫ Ubuntu Linux Version12.04 SwEditionlts

Canonical ≫ Ubuntu Linux Version14.04 SwEditionlts

Canonical ≫ Ubuntu Linux Version15.10

Canonical ≫ Ubuntu Linux Version16.04 SwEditionlts

Debian ≫ Debian Linux Version8.0

Debian ≫ Debian Linux Version9.0

Opensuse ≫ Leap Version42.1

Opensuse ≫ Opensuse Version13.2

Suse ≫ Suse Linux Enterprise Server Version12

09.09.2024: CISA Known Exploited Vulnerabilities (KEV) Catalog

ImageMagick Improper Input Validation Vulnerability

Vulnerability

ImageMagick contains an improper input validation vulnerability that affects the EPHEMERAL, HTTPS, MVG, MSL, TEXT, SHOW, WIN, and PLT coders. This allows a remote attacker to execute arbitrary code via shell metacharacters in a crafted image.

Description

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Required actions

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	93.75%	0.999

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	8.4	2.5	5.9	CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	10	10	10	AV:N/AC:L/Au:N/C:C/I:C/A:C
134c704f-9b21-4f2e-91b3-4a467353bcc0	8.4	2.5	5.9	CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

http://www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html

Third Party Advisory

http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html

Third Party Advisory

http://git.imagemagick.org/repos/ImageMagick/blob/a01518e08c840577cabd7d3ff291a9ba735f7276/ChangeLog

Patch

http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00024.html

Third Party Advisory

http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00025.html

Third Party Advisory

http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00028.html

Third Party Advisory