CVE-2018-16645 : There is an excessive memory allocation issue in the functions ReadBMPImage of coders/bmp.c and ReadDIBImage of coders/d

There is an excessive memory allocation issue in the functions ReadBMPImage of coders/bmp.c and ReadDIBImage of coders/dib.c in ImageMagick 7.0.8-11, which allows remote attackers to cause a denial of service via a crafted image file.

Published 2018-09-06 22:29:01

Updated 2019-10-03 00:03:26

Source MITRE

View at NVD, CVE.org

Vulnerability category: Denial of service

Exploit prediction scoring system (EPSS) score for CVE-2018-16645

Probability of exploitation activity in the next 30 days: 1.55%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 86 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2018-16645

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
4.3	MEDIUM	AV:N/AC:M/Au:N/C:N/I:N/A:P	8.6	2.9	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: None Integrity Impact: None Availability Impact: Partial
6.5	MEDIUM	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H	2.8	3.6	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: None Integrity: None Availability: High

CWE ids for CVE-2018-16645

CWE-770 Allocation of Resources Without Limits or Throttling

The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2018-16645

https://usn.ubuntu.com/4034-1/

USN-4034-1: ImageMagick vulnerabilities | Ubuntu security notices

CVEs referencing this url
https://www.debian.org/security/2018/dsa-4316

Debian -- Security Information -- DSA-4316-1 imagemagick
Third Party Advisory

CVEs referencing this url
https://lists.debian.org/debian-lts-announce/2018/10/msg00002.html

[SECURITY] [DLA 1530-1] imagemagick security update
Third Party Advisory

CVEs referencing this url
https://github.com/ImageMagick/ImageMagick/commit/ecb31dbad39ccdc65868d5d2a37f0f0521250832

https://github.com/ImageMagick/ImageMagick/issues/1268 · ImageMagick/ImageMagick@ecb31db · GitHub
Patch;Third Party Advisory
https://usn.ubuntu.com/3785-1/

USN-3785-1: ImageMagick vulnerabilities | Ubuntu security notices
Third Party Advisory

CVEs referencing this url
https://github.com/ImageMagick/ImageMagick/issues/1268

Potential Out-of-memory in function ReadBMPImage of coders/bmp.c and ReadDIBImage of codes/dib.c. · Issue #1268 · ImageMagick/ImageMagick · GitHub
Issue Tracking;Patch;Third Party Advisory

Products affected by CVE-2018-16645

Debian » Debian Linux » Version: 8.0
cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
Matching versions
Debian » Debian Linux » Version: 9.0
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
Matching versions
Imagemagick » Imagemagick » Version: 7.0.8-11
cpe:2.3:a:imagemagick:imagemagick:7.0.8-11:*:*:*:*:*:*:*
Matching versions
Canonical » Ubuntu Linux » Version: 14.04 LTS Edition
cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
Matching versions
Canonical » Ubuntu Linux » Version: 16.04 LTS Edition
cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
Matching versions
Canonical » Ubuntu Linux » Version: 18.04 LTS Edition
cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
Matching versions

Vulnerability Details : CVE-2018-16645

Exploit prediction scoring system (EPSS) score for CVE-2018-16645

CVSS scores for CVE-2018-16645

CWE ids for CVE-2018-16645

References for CVE-2018-16645

Products affected by CVE-2018-16645