7.5

CVE-2017-9098

Exploit
ImageMagick before 7.0.5-2 and GraphicsMagick before 1.3.24 use uninitialized memory in the RLE decoder, allowing an attacker to leak sensitive information from process memory space, as demonstrated by remote attacks against ImageMagick code in a long-running server process that converts image data on behalf of multiple users. This is caused by a missing initialization step in the ReadRLEImage function in coders/rle.c.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
ImagemagickImagemagick Version < 6.9.8-1
ImagemagickImagemagick Version >= 7.0.0-0 < 7.0.5-2
GraphicsmagickGraphicsmagick Version < 1.3.24
DebianDebian Linux Version8.0
DebianDebian Linux Version9.0
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 3.57% 0.879
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 7.5 3.9 3.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd@nist.gov 5 10 2.9
AV:N/AC:L/Au:N/C:P/I:N/A:N
CWE-908 Use of Uninitialized Resource

The product uses or accesses a resource that has not been initialized.

https://lists.debian.org/debian-lts-announce/2018/08/msg00002.html
Third Party Advisory
Mailing List
http://www.debian.org/security/2017/dsa-3863
Third Party Advisory
http://hg.code.sf.net/p/graphicsmagick/code/diff/0a5b75e019b6/coders/rle.c
Patch
Third Party Advisory
http://www.securityfocus.com/bid/98593
Third Party Advisory
VDB Entry
https://github.com/ImageMagick/ImageMagick/commit/1c358ffe0049f768dd49a8a889c1cbf99ac9849b
Patch
Third Party Advisory
https://scarybeastsecurity.blogspot.com/2017/05/bleed-continues-18-byte-file-14k-bounty.html
Third Party Advisory
Exploit
Technical Description