Follow @discotekdotca
CVE-2017-17682
Current Description
In ImageMagick 7.0.7-12 Q16, a large loop vulnerability was found in the function ExtractPostscript in coders/wpg.c, which allows attackers to cause a denial of service (CPU exhaustion) via a crafted wpg image file that triggers a ReadWPGImage call.
Basic Data
| Published | December 14, 2017 |
|---|---|
| Last Modified | May 14, 2019 |
| Assigner | cve@mitre.org |
| Data Type | CVE |
| Data Format | MITRE |
| Data Version | 4.0 |
| Problem Type | CWE-400 |
| CVE Data Version | 4.0 |
Base Metric V2
| CVSS 2 - Version | 2.0 |
|---|---|
| CVSS 2 - Vector String | AV:N/AC:M/Au:N/C:N/I:N/A:C |
| CVSS 2 - Access Vector | NETWORK |
| CVSS 2 - Access Complexity | MEDIUM |
| CVSS 2 - Authentication | NONE |
| CVSS 2 - Confidentiality Impact | NONE |
| CVSS 2 - Availability Impact | COMPLETE |
| CVSS 2 - Base Score | 7.1 |
| Severity | HIGH |
| Exploitability Score | 8.6 |
| Impact Score | 6.9 |
| Obtain All Privilege | false |
| Obtain User Privilege | false |
| Obtain Other Privilege | false |
Base Metric V3
| CVSS 3 - Version | 3.0 |
|---|---|
| CVSS 3 - Vector String | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H |
| CVSS 3 - Attack Vector | NETWORK |
| CVSS 3 - Attack Complexity | LOW |
| CVSS 3 - Privileges Required | NONE |
| CVSS 3 - User Interaction | REQUIRED |
| CVSS 3 - Scope | UNCHANGED |
| CVSS 3 - Confidentiality Impact | NONE |
| CVSS 3 - Integrity Impact | NONE |
| CVSS 3 - Availability Impact | HIGH |
| CVSS 3 - Base Score | 6.5 |
| CVSS 3 - Base Severity | MEDIUM |
| Exploitability Score | 2.8 |
| Base Severity | MEDIUM |
Configurations
-
OR - Configuration 1
Cpe Version Part Vendor Product Version Update Edition Language SW Edition Target SW Target HW Other Version Start Including Version End Including Version Start Excluding Version End Excluding 2.3 Application Imagemagick Imagemagick 7.0.7-12 q16 * * * * * * � � � � -
OR - Configuration 2
Cpe Version Part Vendor Product Version Update Edition Language SW Edition Target SW Target HW Other Version Start Including Version End Including Version Start Excluding Version End Excluding 2.3 OS Canonical Ubuntu Linux 14.04 * * * lts * * * � � � � 2.3 OS Canonical Ubuntu Linux 16.04 * * * lts * * * � � � � 2.3 OS Canonical Ubuntu Linux 17.10 * * * * * * * � � � � 2.3 OS Canonical Ubuntu Linux 18.04 * * * lts * * * � � � � 2.3 OS Debian Debian Linux 7.0 * * * * * * * � � � �
Vulnerable Software List
| Vendor | Product | Versions |
|---|---|---|
| Imagemagick | Imagemagick | 7.0.7-12 |
| Debian | Debian Linux | 7.0 |
| Canonical | Ubuntu Linux | 14.04, 16.04, 17.10, 18.04 |
References
| Name | Source | URL | Tags |
|---|---|---|---|
| 102202 | http://www.securityfocus.com/bid/102202 | BID | Third Party Advisory VDB Entry |
| https://github.com/ImageMagick/ImageMagick/issues/870 | https://github.com/ImageMagick/ImageMagick/issues/870 | CONFIRM | Exploit Third Party Advisory |
| [debian-lts-announce] 20180101 [SECURITY] [DLA 1227-1] imagemagick security update | https://lists.debian.org/debian-lts-announce/2018/01/msg00000.html | MLIST | Mailing List Third Party Advisory |
| [debian-lts-announce] 20190514 [SECURITY] [DLA 1785-1] imagemagick security update | https://lists.debian.org/debian-lts-announce/2019/05/msg00015.html | MLIST | |
| USN-3681-1 | https://usn.ubuntu.com/3681-1/ | UBUNTU | Third Party Advisory |