CVE-2016-3718
- CVSS v3.1 base score 5.5
- EPSS 79.25%
- Published 05.05.2016 18:59:08
- Last modified 12.04.2025 10:46:40
- Source secalert@redhat.com
The (1) HTTP and (2) FTP coders in ImageMagick before 6.9.3-10 and 7.x before 7.0.1-1 allow remote attackers to conduct server-side request forgery (SSRF) attacks via a crafted image.
Data is provided by the National Vulnerability Database (NVD)
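The description above gives the two facts an operator needs: which releases carry the fix (6.9.3-10 and 7.0.1-1) and which coders (HTTP and FTP, reached through the URL coder) do the outbound fetch. The following is an added example written for this page, not ImageMagick project code. It turns those facts into two checks: a version test against the fixed releases, and an audit of a policy.xml for coder-domain rules that set the URL/HTTPS/HTTP/FTP coders to rights="none", which was the workaround circulated for hosts that could not be updated immediately. The sample policy documents and the version banner are constructed; the handling of ImageMagick 7 style brace lists in the pattern attribute is an assumption noted in the code.

```python
"""Two checks for CVE-2016-3718 (ImageMagick HTTP/FTP coder SSRF).

Added example for this page; it is not ImageMagick project code.
  1. is_affected(): compares a version string (e.g. the `identify -version`
     banner) against the fixed releases named in the advisory: 6.9.3-10
     and 7.0.1-1.
  2. missing_remote_denials(): audits a policy.xml for coder rules that deny
     the URL/HTTPS/HTTP/FTP coders, the workaround used on installs that
     could not be updated immediately.
The sample version banner and policy documents below are constructed.
"""
import re
import xml.etree.ElementTree as ET
from fnmatch import fnmatchcase

# Fixed releases from the advisory, keyed by major version line.
FIXED_RELEASE = {6: (6, 9, 3, 10), 7: (7, 0, 1, 1)}

# Coders that make ImageMagick fetch a remote resource on the attacker's behalf.
REMOTE_CODERS = ("URL", "HTTPS", "HTTP", "FTP")


def parse_version(text: str) -> tuple[int, int, int, int]:
    """Extract the first X.Y.Z-N release number from text.

    Accepts the full `identify -version` banner or a bare version string.
    """
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)-(\d+)\b", text)
    if m is None:
        raise ValueError(f"no ImageMagick release number found in {text!r}")
    major, minor, patch, rel = (int(g) for g in m.groups())
    return (major, minor, patch, rel)


def is_affected(text: str) -> bool:
    """True when the release predates the fix for its major version line."""
    version = parse_version(text)
    if version[0] >= 8:
        return False                     # newer lines than the advisory covers
    fixed = FIXED_RELEASE[7] if version[0] == 7 else FIXED_RELEASE[6]
    return version < fixed


def _pattern_names(pattern: str) -> list[str]:
    """Expand a policy pattern into the coder names it lists.

    Assumption: besides a plain name or a glob such as "*", ImageMagick 7
    style brace lists like "{HTTP,HTTPS}" are accepted and expanded here.
    """
    p = pattern.strip()
    if p.startswith("{") and p.endswith("}"):
        return [n.strip().upper() for n in p[1:-1].split(",") if n.strip()]
    return [p.upper()]


def denied_coders(policy_xml: str, candidates=REMOTE_CODERS) -> set[str]:
    """Return those candidates that a coder-domain rule sets to rights="none"."""
    root = ET.fromstring(policy_xml)
    denied: set[str] = set()
    for pol in root.iter("policy"):
        if pol.get("domain", "").lower() != "coder":
            continue
        if pol.get("rights", "").strip().lower() != "none":
            continue
        for name in _pattern_names(pol.get("pattern", "")):
            denied.update(c for c in candidates if fnmatchcase(c, name))
    return denied


def missing_remote_denials(policy_xml: str) -> list[str]:
    """Remote-fetching coders the policy still leaves enabled (empty is good)."""
    denied = denied_coders(policy_xml)
    return [c for c in REMOTE_CODERS if c not in denied]


# Constructed sample: a policy that only sets a resource limit (weak) ...
WEAK_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
</policymap>
"""

# ... and the same policy with the remote coders denied (hardened).
HARDENED_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="URL"/>
  <policy domain="coder" rights="none" pattern="HTTPS"/>
  <policy domain="coder" rights="none" pattern="HTTP"/>
  <policy domain="coder" rights="none" pattern="FTP"/>
</policymap>
"""

# Constructed sample banner in the shape `identify -version` prints.
SAMPLE_BANNER = "Version: ImageMagick 6.9.3-7 Q16 x86_64 2016-05-03"


if __name__ == "__main__":
    print("affected:", is_affected(SAMPLE_BANNER))
    print("weak policy leaves enabled:", missing_remote_denials(WEAK_POLICY))
    print("hardened policy leaves enabled:", missing_remote_denials(HARDENED_POLICY))
```

Feed missing_remote_denials() the contents of the policy file actually in force; `convert -list policy` prints its path together with the rules it loaded, which is the authoritative view when several ImageMagick installs coexist. A pattern of "*" with rights="none" also satisfies the audit, since it denies every coder. Denying the coders is a workaround, not the fix: the version check should still come back False after the vendor update.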
Redhat ≫ Enterprise Linux Desktop, Version 6.0
Redhat ≫ Enterprise Linux Desktop, Version 7.0
Redhat ≫ Enterprise Linux Eus, Version 6.7
Redhat ≫ Enterprise Linux Eus, Version 7.2
Redhat ≫ Enterprise Linux Eus, Version 7.3
Redhat ≫ Enterprise Linux Eus, Version 7.4
Redhat ≫ Enterprise Linux Eus, Version 7.5
Redhat ≫ Enterprise Linux Eus, Version 7.6
Redhat ≫ Enterprise Linux Eus, Version 7.7
Redhat ≫ Enterprise Linux For Ibm Z Systems, Version 6.0 (s390x)
Redhat ≫ Enterprise Linux For Ibm Z Systems, Version 7.0 (s390x)
Redhat ≫ Enterprise Linux For Ibm Z Systems Eus, Version 6.7 (s390x)
Redhat ≫ Enterprise Linux For Ibm Z Systems Eus, Version 7.2 (s390x)
Redhat ≫ Enterprise Linux For Ibm Z Systems Eus, Version 7.3 (s390x)
Redhat ≫ Enterprise Linux For Ibm Z Systems Eus, Version 7.4 (s390x)
Redhat ≫ Enterprise Linux For Ibm Z Systems Eus, Version 7.5 (s390x)
Redhat ≫ Enterprise Linux For Ibm Z Systems Eus, Version 7.6 (s390x)
Redhat ≫ Enterprise Linux For Ibm Z Systems Eus, Version 7.7 (s390x)
Redhat ≫ Enterprise Linux For Power Big Endian, Version 6.0 (ppc64)
Redhat ≫ Enterprise Linux For Power Big Endian, Version 7.0 (ppc64)
Redhat ≫ Enterprise Linux For Power Big Endian Eus, Version 6.7 (ppc64)
Redhat ≫ Enterprise Linux For Power Big Endian Eus, Version 7.2 (ppc64)
Redhat ≫ Enterprise Linux For Power Big Endian Eus, Version 7.3 (ppc64)
Redhat ≫ Enterprise Linux For Power Big Endian Eus, Version 7.4 (ppc64)
Redhat ≫ Enterprise Linux For Power Big Endian Eus, Version 7.5 (ppc64)
Redhat ≫ Enterprise Linux For Power Big Endian Eus, Version 7.6 (ppc64)
Redhat ≫ Enterprise Linux For Power Big Endian Eus, Version 7.7 (ppc64)
Redhat ≫ Enterprise Linux For Power Little Endian, Version 7.0 (ppc64le)
Redhat ≫ Enterprise Linux For Power Little Endian Eus, Version 7.2 (ppc64le)
Redhat ≫ Enterprise Linux For Power Little Endian Eus, Version 7.3 (ppc64le)
Redhat ≫ Enterprise Linux For Power Little Endian Eus, Version 7.4 (ppc64le)
Redhat ≫ Enterprise Linux For Power Little Endian Eus, Version 7.5 (ppc64le)
Redhat ≫ Enterprise Linux For Power Little Endian Eus, Version 7.6 (ppc64le)
Redhat ≫ Enterprise Linux For Power Little Endian Eus, Version 7.7 (ppc64le)
Redhat ≫ Enterprise Linux Hpc Node, Version 6.0
Redhat ≫ Enterprise Linux Hpc Node, Version 7.0
Redhat ≫ Enterprise Linux Hpc Node Eus, Version 7.2
Redhat ≫ Enterprise Linux Server, Version 6.0
Redhat ≫ Enterprise Linux Server, Version 7.0
Redhat ≫ Enterprise Linux Server Aus, Version 7.2
Redhat ≫ Enterprise Linux Server Aus, Version 7.3
Redhat ≫ Enterprise Linux Server Aus, Version 7.4
Redhat ≫ Enterprise Linux Server Aus, Version 7.6
Redhat ≫ Enterprise Linux Server Aus, Version 7.7
Redhat ≫ Enterprise Linux Server From Rhui, Version 6.0
Redhat ≫ Enterprise Linux Server From Rhui, Version 7.0
Redhat ≫ Enterprise Linux Server Supplementary Eus, Version 6.7z
Redhat ≫ Enterprise Linux Server Tus, Version 7.2
Redhat ≫ Enterprise Linux Server Tus, Version 7.3
Redhat ≫ Enterprise Linux Server Tus, Version 7.6
Redhat ≫ Enterprise Linux Server Tus, Version 7.7
Redhat ≫ Enterprise Linux Workstation, Version 6.0
Redhat ≫ Enterprise Linux Workstation, Version 7.0
Imagemagick ≫ Imagemagick, Version < 6.9.3-10
Imagemagick ≫ Imagemagick, Version 7.0.0-0
Imagemagick ≫ Imagemagick, Version 7.0.1-0
Canonical ≫ Ubuntu Linux, Version 12.04 (lts)
Canonical ≫ Ubuntu Linux, Version 14.04 (esm)
Canonical ≫ Ubuntu Linux, Version 15.10
Canonical ≫ Ubuntu Linux, Version 16.04 (esm)
Suse ≫ Linux Enterprise Debuginfo, Version 11 SP2
Suse ≫ Linux Enterprise Debuginfo, Version 11 SP3
Suse ≫ Linux Enterprise Debuginfo, Version 11 SP4
Suse ≫ Manager Proxy, Version 2.1
Suse ≫ Openstack Cloud, Version 5
Suse ≫ Linux Enterprise Desktop, Version 12
Suse ≫ Linux Enterprise Desktop, Version 12 SP1
Suse ≫ Linux Enterprise Server, Version 11 SP2 (ltss)
Suse ≫ Linux Enterprise Server, Version 11 SP3 (ltss)
Suse ≫ Linux Enterprise Server, Version 11 SP4
Suse ≫ Linux Enterprise Server, Version 12
Suse ≫ Linux Enterprise Server, Version 12 SP1
Suse ≫ Linux Enterprise Software Development Kit, Version 11 SP4
Suse ≫ Linux Enterprise Software Development Kit, Version 12
Suse ≫ Linux Enterprise Software Development Kit, Version 12 SP1
Suse ≫ Linux Enterprise Workstation Extension, Version 12
Suse ≫ Linux Enterprise Workstation Extension, Version 12 SP1
03.11.2021: CISA Known Exploited Vulnerabilities (KEV) Catalog
- Vulnerability: ImageMagick Server-Side Request Forgery (SSRF) Vulnerability
- Description: ImageMagick contains an unspecified vulnerability that allows attackers to perform server-side request forgery (SSRF) via a crafted image.
- Required actions: Apply updates per vendor instructions.

Type | Source | Score | Percentile |
---|---|---|---|
EPSS | FIRST.org | 79.25% | 0.99 |
Source | Base Score | Exploit Score | Impact Score | Vector string |
---|---|---|---|---|
nvd@nist.gov | 5.5 | 1.8 | 3.6 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N |
nvd@nist.gov | 4.3 | 8.6 | 2.9 | AV:N/AC:M/Au:N/C:N/I:P/A:N (CVSS v2) |
134c704f-9b21-4f2e-91b3-4a467353bcc0 | 5.5 | 1.8 | 3.6 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N |
CWE-918 Server-Side Request Forgery (SSRF)
The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.