CVE-2016-3714
8.4 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
8.4 High
AI Score
Confidence
High
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
0.969 High
EPSS
Percentile
99.7%
The (1) EPHEMERAL, (2) HTTPS, (3) MVG, (4) MSL, (5) TEXT, (6) SHOW, (7) WIN, and (8) PLT coders in ImageMagick before 6.9.3-10 and 7.x before 7.0.1-1 allow remote attackers to execute arbitrary code via shell metacharacters in a crafted image, aka โImageTragick.โ
References
git.imagemagick.org/repos/ImageMagick/blob/a01518e08c840577cabd7d3ff291a9ba735f7276/ChangeLog
lists.opensuse.org/opensuse-security-announce/2016-05/msg00024.html
lists.opensuse.org/opensuse-security-announce/2016-05/msg00025.html
lists.opensuse.org/opensuse-security-announce/2016-05/msg00028.html
lists.opensuse.org/opensuse-security-announce/2016-05/msg00032.html
lists.opensuse.org/opensuse-security-announce/2016-05/msg00041.html
lists.opensuse.org/opensuse-security-announce/2016-05/msg00051.html
packetstormsecurity.com/files/152364/ImageTragick-ImageMagick-Proof-Of-Concepts.html
rhn.redhat.com/errata/RHSA-2016-0726.html
www.debian.org/security/2016/dsa-3580
www.debian.org/security/2016/dsa-3746
www.openwall.com/lists/oss-security/2016/05/03/13
www.openwall.com/lists/oss-security/2016/05/03/18
www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html
www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html
www.rapid7.com/db/modules/exploit/unix/fileformat/imagemagick_delegate
www.securityfocus.com/archive/1/538378/100/0/threaded
www.securityfocus.com/bid/89848
www.securitytracker.com/id/1035742
www.slackware.com/security/viewer.php?l=slackware-security&y=2016&m=slackware-security.440568
www.ubuntu.com/usn/USN-2990-1
access.redhat.com/security/vulnerabilities/2296071
bugzilla.redhat.com/show_bug.cgi?id=1332492
imagetragick.com/
security.gentoo.org/glsa/201611-21
www.exploit-db.com/exploits/39767/
www.exploit-db.com/exploits/39791/
www.imagemagick.org/discourse-server/viewtopic.php?f=4&t=29588
www.imagemagick.org/script/changelog.php
www.kb.cert.org/vuls/id/250519
Social References
More
Related
8.4 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
8.4 High
AI Score
Confidence
High
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
0.969 High
EPSS
Percentile
99.7%