CVE-2017-14650

Name of the Vulnerable Software and Affected Versions Horde Image versions 2.0.0 through 2.5.1

Description A Remote Code Execution issue has been found in the Horde Image library when using the "Im" backend that utilizes ImageMagick's "convert" utility. This issue is not exploitable through any Horde application, as the vulnerable code path is not used by any Horde code. However, custom applications using the Horde Image library might be affected. The problem stems from missing input validation of the index field in raw() during the construction of an ImageMagick command line.

Recommendations For Horde Image versions 2.0.0 through 2.5.1, update to version 2.5.2 to resolve the issue. As a temporary workaround, consider disabling the use of the "Im" backend or restricting access to the raw() function until the update can be applied.