Vulnerability Details: CVE-2017-9098
ImageMagick before 7.0.5-2 and GraphicsMagick before 1.3.24 use uninitialized memory in the RLE decoder, allowing an attacker to leak sensitive information from process memory space, as demonstrated by remote attacks against ImageMagick code in a long-running server process that converts image data on behalf of multiple users. This is caused by a missing initialization step in the ReadRLEImage function in coders/rle.c.
Exploit prediction scoring system (EPSS) score for CVE-2017-9098
Probability of exploitation activity in the next 30 days: 0.26%
Percentile (the proportion of vulnerabilities that are scored at or below this one): ~63%
CVSS scores for CVE-2017-9098
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
---|---|---|---|---|---|
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N | 10.0 | 2.9 | NIST |
7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | 3.9 | 3.6 | NIST |
CWE ids for CVE-2017-9098
- The product uses or accesses a resource that has not been initialized. Assigned by: nvd@nist.gov (Primary)
References for CVE-2017-9098
- http://hg.code.sf.net/p/graphicsmagick/code/diff/0a5b75e019b6/coders/rle.c
  Mercurial Repository: p/graphicsmagick/code: diff coders/rle.c (Patch; Third Party Advisory)
- https://scarybeastsecurity.blogspot.com/2017/05/bleed-continues-18-byte-file-14k-bounty.html
  Security: *bleed continues: 18 byte file, $14k bounty, for leaking private Yahoo! Mail images (Exploit; Technical Description; Third Party Advisory)
- http://www.debian.org/security/2017/dsa-3863
  Debian -- Security Information -- DSA-3863-1 imagemagick (Third Party Advisory)
- https://lists.debian.org/debian-lts-announce/2018/08/msg00002.html
  [SECURITY] [DLA 1456-1] graphicsmagick security update (Mailing List; Third Party Advisory)
- https://github.com/ImageMagick/ImageMagick/commit/1c358ffe0049f768dd49a8a889c1cbf99ac9849b
  Reset memory for RLE decoder (patch provided by scarybeasts) · ImageMagick/ImageMagick@1c358ff · GitHub (Patch; Third Party Advisory)
- http://www.securityfocus.com/bid/98593
  ImageMagick CVE-2017-9098 Local Information Disclosure Vulnerability (Third Party Advisory; VDB Entry)
Products affected by CVE-2017-9098
- cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*:*
- cpe:2.3:a:graphicsmagick:graphicsmagick:*:*:*:*:*:*:*:*