Vulnerability Details : CVE-2016-5691
Potential exploit
The DCM reader in ImageMagick before 6.9.4-5 and 7.x before 7.0.1-7 allows remote attackers to have unspecified impact by leveraging lack of validation of (1) pixel.red, (2) pixel.green, and (3) pixel.blue.
Products affected by CVE-2016-5691
- cpe:2.3:o:oracle:solaris:11.3:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick:imagemagick:7.0.1-3:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick:imagemagick:7.0.1-4:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick:imagemagick:7.0.1-5:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick:imagemagick:7.0.1-6:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick:imagemagick:7.0.1-0:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick:imagemagick:7.0.1-1:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick:imagemagick:7.0.1-2:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2016-5691
2.23%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 83 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2016-5691
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
7.5
|
HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
10.0
|
6.4
|
NIST | |
|
9.8
|
CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
3.9
|
5.9
|
NIST |
CWE ids for CVE-2016-5691
-
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.Assigned by: nvd@nist.gov (Primary)
References for CVE-2016-5691
-
https://blog.fuzzing-project.org/46-Various-invalid-memory-reads-in-ImageMagick-WPG%2C-DDS%2C-DCM.html
Various invalid memory accesses in ImageMagick (WPG, DDS, DCM) | The Fuzzing Project
-
http://www.openwall.com/lists/oss-security/2016/06/17/3
oss-security - Re: Various invalid memory reads in ImageMagick (WPG, DDS, DCM)Third Party Advisory
-
http://www.openwall.com/lists/oss-security/2016/06/14/5
oss-security - Various invalid memory reads in ImageMagick (WPG, DDS, DCM)Third Party Advisory
-
https://blog.fuzzing-project.org/46-Various-invalid-memory-reads-in-ImageMagick-WPG,-DDS,-DCM.html
Various invalid memory accesses in ImageMagick (WPG, DDS, DCM) | The Fuzzing ProjectThird Party Advisory
-
http://www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html
Oracle Solaris Bulletin - July 2016Third Party Advisory
-
https://github.com/ImageMagick/ImageMagick/blob/6.9.4-5/ChangeLog
Page not found · GitHub · GitHubRelease Notes;Vendor Advisory
-
https://github.com/ImageMagick/ImageMagick/blob/7.0.1-7/ChangeLog
ImageMagick/ChangeLog at 7.0.1-7 · ImageMagick/ImageMagick · GitHubRelease Notes;Vendor Advisory
-
https://github.com/ImageMagick/ImageMagick/commit/5511ef530576ed18fd636baa3bb4eda3d667665d
Add additional checks to DCM reader to prevent data-driven faults (bu… · ImageMagick/ImageMagick@5511ef5 · GitHubExploit;Vendor Advisory
-
http://www.securityfocus.com/bid/91283
ImageMagick Multiple Security VulnerabilitiesThird Party Advisory;VDB Entry
Jump to