CVE-2017-14650

Exploit

EPSS 3%
Published 21.09.2017 17:29:00
Last modified 20.04.2025 01:37:25
Source cve@mitre.org
Teams watchlist Login
Open Login

A Remote Code Execution vulnerability has been found in the Horde_Image library when using the "Im" backend that utilizes ImageMagick's "convert" utility. It's not exploitable through any Horde application, because the code path to the vulnerability is not used by any Horde code. Custom applications using the Horde_Image library might be affected. This vulnerability affects all versions of Horde_Image from 2.0.0 to 2.5.1, and is fixed in 2.5.2. The problem is missing input validation of the index field in _raw() during construction of an ImageMagick command line.

Affected products Warnungen 0 Metrics 3 CWE 1 References 7

Data is provided by the National Vulnerability Database (NVD)

Horde ≫ Horde Image Api Version2.0.0

Horde ≫ Horde Image Api Version2.0.0 Updatealpha1

Horde ≫ Horde Image Api Version2.0.0 Updatebeta1

Horde ≫ Horde Image Api Version2.0.0 Updatebeta2

Horde ≫ Horde Image Api Version2.0.1

Horde ≫ Horde Image Api Version2.0.2

Horde ≫ Horde Image Api Version2.0.3

Horde ≫ Horde Image Api Version2.0.4

Horde ≫ Horde Image Api Version2.0.5

Horde ≫ Horde Image Api Version2.0.6

Horde ≫ Horde Image Api Version2.0.7

Horde ≫ Horde Image Api Version2.0.8

Horde ≫ Horde Image Api Version2.0.9

Horde ≫ Horde Image Api Version2.1.0

Horde ≫ Horde Image Api Version2.2.0

Horde ≫ Horde Image Api Version2.3.0

Horde ≫ Horde Image Api Version2.3.1

Horde ≫ Horde Image Api Version2.3.2

Horde ≫ Horde Image Api Version2.3.3

Horde ≫ Horde Image Api Version2.3.4

Horde ≫ Horde Image Api Version2.3.5

Horde ≫ Horde Image Api Version2.3.6

Horde ≫ Horde Image Api Version2.4.0

Horde ≫ Horde Image Api Version2.4.1

Horde ≫ Horde Image Api Version2.5.0

Horde ≫ Horde Image Api Version2.5.1

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	3%	0.854

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	8.1	2.2	5.9	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	6.8	8.6	6.4	AV:N/AC:M/Au:N/C:P/I:P/A:P

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

https://www.debian.org/security/2018/dsa-4276

http://www.openwall.com/lists/oss-security/2017/09/21/4

Third Party Advisory

Mailing List

https://github.com/horde/horde/commit/eb3afd14c22c77ae0d29e2848f5ac726ef6e7c5b

Third Party Advisory

Exploit

https://marc.info/?l=horde-announce&m=150600299528079&w=2

Third Party Advisory

Mailing List

https://nvd.nist.gov/vuln/detail/CVE-2017-14650

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2017-14650

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2017-14650

EUVD