CVE-2016-10068 : The MSL interpreter in ImageMagick before 6.9.6-4 allows remote attackers to cau

The MSL interpreter in ImageMagick before 6.9.6-4 allows remote attackers to cause a denial of service (segmentation fault and application crash) via a crafted XML file.

Published 2017-03-02 21:59:00

Updated 2018-10-30 16:27:33

Source MITRE

View at NVD, CVE.org

Vulnerability category: Memory CorruptionInput validationDenial of service

Products affected by CVE-2016-10068

Imagemagick » Imagemagick
Versions up to, including, (<=) 6.9.6-3
cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*:*
Matching versions
Opensuse » Leap » Version: 42.2
cpe:2.3:o:opensuse:leap:42.2:*:*:*:*:*:*:*
Matching versions
Opensuse Project » Leap » Version: 42.1
cpe:2.3:o:opensuse_project:leap:42.1:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2016-10068

EPSS FAQ

0.37%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 56 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2016-10068

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
4.3	MEDIUM	AV:N/AC:M/Au:N/C:N/I:N/A:P	8.6	2.9	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: None Integrity Impact: None Availability Impact: Partial
5.5	MEDIUM	CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H	1.8	3.6	NIST
Attack Vector: Local Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: None Integrity: None Availability: High

CWE ids for CVE-2016-10068

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2016-10068

https://bugzilla.redhat.com/show_bug.cgi?id=1410500

1410500 – (CVE-2016-10068) CVE-2016-10068 ImageMagick: Segmentation fault in MSL interpreter
Issue Tracking;Patch;Third Party Advisory;VDB Entry
https://github.com/ImageMagick/ImageMagick/commit/56d6e20de489113617cbbddaf41e92600a34db22

Prevent fault in MSL interpreter · ImageMagick/ImageMagick@56d6e20 · GitHub
Patch;Third Party Advisory
http://www.securityfocus.com/bid/95219

ImageMagick CVE-2016-10068 Denial of Service Vulnerability
Third Party Advisory;VDB Entry
http://lists.opensuse.org/opensuse-updates/2017-02/msg00028.html

openSUSE-SU-2017:0391-1: moderate: Security update for GraphicsMagick
Third Party Advisory

CVEs referencing this url
https://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=30797

ImageMagick - Information
Patch;Vendor Advisory
http://www.openwall.com/lists/oss-security/2016/12/26/9

oss-security - Re: CVE requests for various ImageMagick issues
Mailing List;Patch;Third Party Advisory

CVEs referencing this url
http://lists.opensuse.org/opensuse-updates/2017-02/msg00031.html

openSUSE-SU-2017:0399-1: moderate: Security update for GraphicsMagick
Third Party Advisory

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2016-10068

Products affected by CVE-2016-10068

Exploit prediction scoring system (EPSS) score for CVE-2016-10068

CVSS scores for CVE-2016-10068

CWE ids for CVE-2016-10068

References for CVE-2016-10068