8.4 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
0.971 High
EPSS
Percentile
99.6%
Nikolay Ermishkin from the Mail.Ru Security Team and Stewie discovered
several vulnerabilities in ImageMagick, a program suite for image
manipulation. These vulnerabilities, collectively known as ImageTragick,
are the consequence of lack of sanitization of untrusted input. An
attacker with control on the image input could, with the privileges of
the user running the application, execute code
(CVE-2016-3714), make HTTP
GET or FTP requests (CVE-2016-3718),
or delete (CVE-2016-3715), move
(CVE-2016-3716), or read
(CVE-2016-3717) local files.
These vulnerabilities are particularly critical if Imagemagick processes
images coming from remote parties, such as part of a web service.
The update disables the vulnerable coders (EPHEMERAL, URL, MVG, MSL, and
PLT) and indirect reads via /etc/ImageMagick-6/policy.xml file. In
addition, we introduce extra preventions, including some sanitization for
input filenames in http/https delegates, the full remotion of PLT/Gnuplot
decoder, and the need of explicit reference in the filename for the
insecure coders.
For the stable distribution (jessie), these problems have been fixed in
version 8:6.8.9.9-5+deb8u2.
We recommend that you upgrade your imagemagick packages.
CPE | Name | Operator | Version |
---|---|---|---|
imagemagick | eq | 8:6.8.9.9-5 | |
imagemagick | eq | 8:6.8.9.9-5+deb8u1 |
8.4 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
0.971 High
EPSS
Percentile
99.6%