PT-2016-1813 · Imagemagick+5 · Imagemagick+5

Nikolay Ermishkin

+1

·

Published

2016-05-05

·

Updated

2025-01-28

·

CVE-2016-3714

CVSS v2.0

10

High

VectorAV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions ImageMagick versions prior to 6.9.3-10 ImageMagick versions 7.x prior to 7.0.1-1
Description The issue exists due to insufficient input validation in the EPHEMERAL, HTTPS, MVG, MSL, TEXT, SHOW, WIN, and PLT coders of the ImageMagick console graphics editor. This allows a remote attacker to execute arbitrary code using metacharacters in a specially crafted image.
Recommendations For ImageMagick versions prior to 6.9.3-10, update to version 6.9.3-10 or later. For ImageMagick versions 7.x prior to 7.0.1-1, update to version 7.0.1-1 or later. As a temporary workaround, consider disabling the vulnerable coders until a patch is available. Restrict access to the EPHEMERAL, HTTPS, MVG, MSL, TEXT, SHOW, WIN, and PLT coders to minimize the risk of exploitation. Avoid using shell metacharacters in crafted images until the issue is resolved.

Exploit

Fix

RCE

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-20

Related Identifiers

ALT-PU-2016-1456
ALT-PU-2016-1580
ALT-PU-2018-2652
BDU:2016-01146
CESA-2016_0726
CESA-2016_1237
CVE-2016-3714
DLA-484-1
DLA-486-1
DSA-3580-1
DSA-3746-1
ELSA-2016-0726
MGASA-2016-0188
OPENSUSE-SU-2016_1261-1
OPENSUSE-SU-2016_1266-1
OPENSUSE-SU-2016_1326-1
OPENSUSE-SU-2024:10040-1
OPENSUSE-SU-2024:10505-1
OPENSUSE-SU-2024:10860-1
RHSA-2016:0726
RHSA-2016_0726
RHSA-2016_1237
SUSE-SU-2016:1260-1
SUSE-SU-2016:1275-1
SUSE-SU-2016:1276-1
SUSE-SU-2016:1301-1
SUSE-SU-2016_1260-1
SUSE-SU-2016_1275-1
SUSE-SU-2016_1276-1
SUSE-SU-2016_1301-1
USN-2990-1

Affected Products

Alt Linux
Centos
Imagemagick
Red Hat
Suse
Ubuntu