K61974123 : ImageMagick vulnerability CVE-2016-3718

2016-05-1300:00:00

my.f5.com

6.3 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N

6.9 Medium

AI Score

Confidence

Low

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

0.929 High

EPSS

Percentile

98.8%

JSON

Security Advisory Description

The (1) HTTP and (2) FTP coders in ImageMagick before 6.9.3-10 and 7.x before 7.0.1-1 allow remote attackers to conduct server-side request forgery (SSRF) attacks via a crafted image. (CVE-2016-3718)
Note: This vulnerability is one of the series of vulnerabilities known as ImageTragick.
Impact
This vulnerability may allow exploit codes to make arbitrary HTTP/FTP requests. BIG-IP systems that use a WebAcceleration profile configured with the Image Optimizationsettings (AAM, WebAccelerator, and Gateway) are vulnerable to this issue. BIG-IQ and Enterprise Manager systems are not vulnerable in their default configuration; however, the vulnerable code exists on these systems and can be made exploitable if the mogrifybinary is used to perform image optimization remotely.

CPENameOperatorVersion
f5 websafeeq1.0.0
linerateeq2.4.0
linerateeq2.4.1
linerateeq2.4.2
linerateeq2.4.3
linerateeq2.5.0
linerateeq2.5.1
linerateeq2.5.2
linerateeq2.5.3
linerateeq2.6.0

Name	Operator	Version
f5 websafe	eq	1.0.0
linerate	eq	2.4.0
linerate	eq	2.4.1
linerate	eq	2.4.2
linerate	eq	2.4.3
linerate	eq	2.5.0
linerate	eq	2.5.1
linerate	eq	2.5.2
linerate	eq	2.5.3
linerate	eq	2.6.0