K29154575 : ImageMagick vulnerability CVE-2016-3717

2016-05-1300:00:00

my.f5.com

5.5 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

6.4 Medium

AI Score

Confidence

Low

7.1 High

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:N/C:C/I:N/A:N

0.886 High

EPSS

Percentile

98.5%

JSON

Security Advisory Description

The LABEL coder in ImageMagick before 6.9.3-10 and 7.x before 7.0.1-1 allows remote attackers to read arbitrary files via a crafted image. (CVE-2016-3717)
Note: This vulnerability is one of the series of vulnerabilities known as ImageTragick.
Impact
Exploiting this vulnerability may allow an attacker to read limited arbitrary files. It does not result in an output file that is controlled by the attacker. BIG-IP systems that use a WebAcceleration profile configured with the Image Optimization settings (AAM, WebAccelerator, and Edge Gateway) are vulnerable to this issue. BIG-IQ and Enterprise Manager systems are not vulnerable in their default configuration; however, the vulnerable code exists on these systems and can be made exploitable if the mogrify binary is used to perform image optimization remotely.

CPENameOperatorVersion
f5 websafeeq1.0.0
linerateeq2.4.0
linerateeq2.4.1
linerateeq2.4.2
linerateeq2.4.3
linerateeq2.5.0
linerateeq2.5.1
linerateeq2.5.2
linerateeq2.5.3
linerateeq2.6.0

Name	Operator	Version
f5 websafe	eq	1.0.0
linerate	eq	2.4.0
linerate	eq	2.4.1
linerate	eq	2.4.2
linerate	eq	2.4.3
linerate	eq	2.5.0
linerate	eq	2.5.1
linerate	eq	2.5.2
linerate	eq	2.5.3
linerate	eq	2.6.0