PT-2016-3364 · Imagemagick+5 · Imagemagick+5

Nikolay Ermishkin

Published

2016-05-03

Updated

2025-04-02

CVE-2016-3718

CVSS v3.1

5.5

Medium

Vector

AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Name of the Vulnerable Software and Affected Versions ImageMagick versions 6.9.3-10 and earlier ImageMagick versions 7.x prior to 7.0.1-1

Description The issue is related to the implementation of the HTTP and FTP protocols in ImageMagick, which allows remote attackers to conduct server-side request forgery (SSRF) attacks via a crafted image. This is due to insufficient authentication of executed requests. The estimated number of potentially affected devices worldwide is not specified. There is no information provided about real-world incidents where this issue was exploited.

Recommendations For ImageMagick versions 6.9.3-10 and earlier, update to version 6.9.3-10 or later. For ImageMagick versions 7.x prior to 7.0.1-1, update to version 7.0.1-1 or later. As a temporary workaround, consider restricting access to the HTTP and FTP coders until a patch is available.

Exploit

Fix

CSRF

RCE

SSRF

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-352CWE-20CWE-918

Related Identifiers

ALT-PU-2016-1456

BDU:2021-05612

CESA-2016_0726

CVE-2016-3718

DLA-1401-1

DLA-484-1

DLA-486-1

DSA-3580-1

MGASA-2016-0188

OPENSUSE-SU-2016_1261-1

OPENSUSE-SU-2016_1266-1

OPENSUSE-SU-2016_1326-1

OPENSUSE-SU-2024:10040-1

OPENSUSE-SU-2024:10505-1

RHSA-2016:0726

RHSA-2016_0726

SUSE-SU-2016:1260-1

SUSE-SU-2016:1275-1

SUSE-SU-2016:1276-1

USN-2990-1

Affected Products

Alt Linux

Centos

Imagemagick

Red Hat

Suse

Ubuntu

PT-2016-3364 · Imagemagick+5 · Imagemagick+5

CVE-2016-3718

Weakness Enumeration

Related Identifiers

Affected Products

References · 71