Vulnerability Details : CVE-2018-16645
There is an excessive memory allocation issue in the functions ReadBMPImage of coders/bmp.c and ReadDIBImage of coders/dib.c in ImageMagick 7.0.8-11, which allows remote attackers to cause a denial of service via a crafted image file.
Vulnerability category: Denial of service
Exploit prediction scoring system (EPSS) score for CVE-2018-16645
Probability of exploitation activity in the next 30 days: 1.55%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 86 % EPSS Score History EPSS FAQ
CVSS scores for CVE-2018-16645
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
---|---|---|---|---|---|
4.3
|
MEDIUM | AV:N/AC:M/Au:N/C:N/I:N/A:P |
8.6
|
2.9
|
NIST |
6.5
|
MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H |
2.8
|
3.6
|
NIST |
CWE ids for CVE-2018-16645
-
The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.Assigned by: nvd@nist.gov (Primary)
References for CVE-2018-16645
-
https://usn.ubuntu.com/4034-1/
USN-4034-1: ImageMagick vulnerabilities | Ubuntu security notices
-
https://www.debian.org/security/2018/dsa-4316
Debian -- Security Information -- DSA-4316-1 imagemagickThird Party Advisory
-
https://lists.debian.org/debian-lts-announce/2018/10/msg00002.html
[SECURITY] [DLA 1530-1] imagemagick security updateThird Party Advisory
-
https://github.com/ImageMagick/ImageMagick/commit/ecb31dbad39ccdc65868d5d2a37f0f0521250832
https://github.com/ImageMagick/ImageMagick/issues/1268 · ImageMagick/ImageMagick@ecb31db · GitHubPatch;Third Party Advisory
-
https://usn.ubuntu.com/3785-1/
USN-3785-1: ImageMagick vulnerabilities | Ubuntu security noticesThird Party Advisory
-
https://github.com/ImageMagick/ImageMagick/issues/1268
Potential Out-of-memory in function ReadBMPImage of coders/bmp.c and ReadDIBImage of codes/dib.c. · Issue #1268 · ImageMagick/ImageMagick · GitHubIssue Tracking;Patch;Third Party Advisory
Products affected by CVE-2018-16645
- cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick:imagemagick:7.0.8-11:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*