Detections
Analytics

ImageMagick < 7.0.8-56 Multiple vulnerabilities

high Nessus Plugin ID 127051

Language:

Synopsis

An application installed on the remote Windows host is affected by multiple vulnerabilities

Description

The version of ImageMagick installed on the remote Windows host is prior to 7.0.8-56. It is, therefore, affected by multiple vulnerabilities:

 - An integer overflow condition exists in the TIFFSeekCustomStream function. An unauthenticated, remote attacker can exploit this, by convincing a user to open a crafted image file, to cause a denial of service condition or the execution of arbitrary code (CVE-2019-13136).
 - A stack-based buffer overflow condition exists in the WritePNMImage function due to an off-by-one error. An unauthenticated,remote attacker can exploit this, by convincing a user to open a crafted image file, to cause a denial of service condition or the execution of arbitrary code (CVE-2019-13306).

 - A heap-based buffer overflow condition exists in the EvaluateImages function due to a mishandling of rows. An unauthenticated, remote attacker can exploit this, by convincing a user to open a crafted image file, to cause a denial of service condition or the execution of arbitrary code (CVE-2019-13307).

Note that the application may also be affected by additional vulnerabilities. Refer to the vendor for additional information.

Solution

Upgrade to ImageMagick version 7.0.8-56 or later. Note that you may also need to manually uninstall the vulnerable version from the system.

See Also

http://www.nessus.org/u?d6a6a267

Plugin Details

Severity: High

ID: 127051

File Name: imagemagick_7_0_8-56.nasl

Version: 1.4

Type: local

Agent: windows

Family: Windows

Published: 7/26/2019

Updated: 7/31/2020

Supported Sensors: Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2019-13308

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:imagemagick:imagemagick

Required KB Items: installed_sw/ImageMagick

Exploit Ease: No known exploits are available

Patch Publication Date: 6/29/2019

Vulnerability Publication Date: 6/29/2019

Reference Information

CVE: CVE-2019-13133, CVE-2019-13134, CVE-2019-13135, CVE-2019-13136, CVE-2019-13137, CVE-2019-13295, CVE-2019-13296, CVE-2019-13297, CVE-2019-13298, CVE-2019-13299, CVE-2019-13300, CVE-2019-13301, CVE-2019-13302, CVE-2019-13303, CVE-2019-13304, CVE-2019-13305, CVE-2019-13306, CVE-2019-13307, CVE-2019-13308, CVE-2019-13309, CVE-2019-13310, CVE-2019-13311, CVE-2019-13454

BID: 109099, 109308, 109362

IAVB: 2019-B-0062-S