CVE-2018-9018 : In GraphicsMagick 1.3.28, there is a divide-by-zero in the ReadMNGImage function

In GraphicsMagick 1.3.28, there is a divide-by-zero in the ReadMNGImage function of coders/png.c. Remote attackers could leverage this vulnerability to cause a crash and denial of service via a crafted mng file.

Published 2018-03-25 21:29:00

Updated 2020-01-12 03:15:11

Source MITRE

View at NVD, CVE.org

Vulnerability category: Denial of service

Products affected by CVE-2018-9018

Debian » Debian Linux » Version: 7.0
cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*
Matching versions
Debian » Debian Linux » Version: 8.0
cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
Matching versions
Debian » Debian Linux » Version: 9.0
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
Matching versions
Graphicsmagick » Graphicsmagick » Version: 1.3.28
cpe:2.3:a:graphicsmagick:graphicsmagick:1.3.28:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2018-9018

EPSS FAQ

0.41%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 59 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2018-9018

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
4.3	MEDIUM	AV:N/AC:M/Au:N/C:N/I:N/A:P	8.6	2.9	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: None Integrity Impact: None Availability Impact: Partial
6.5	MEDIUM	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H	2.8	3.6	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: None Integrity: None Availability: High

CWE ids for CVE-2018-9018

CWE-369 Divide By Zero

The product divides a value by zero.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2018-9018

https://lists.debian.org/debian-lts-announce/2018/03/msg00025.html

[SECURITY] [DLA 1322-1] graphicsmagick security update
Mailing List;Third Party Advisory

CVEs referencing this url
https://lists.debian.org/debian-lts-announce/2018/08/msg00002.html

[SECURITY] [DLA 1456-1] graphicsmagick security update
Mailing List;Third Party Advisory

CVEs referencing this url
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3IYH7QSNXXOIDFTYLY455ANZ3JWQ7FCS/

[SECURITY] Fedora 30 Update: GraphicsMagick-1.3.34-1.fc30 - package-announce - Fedora Mailing-Lists

CVEs referencing this url
http://www.securityfocus.com/bid/103526

GraphicsMagick CVE-2018-9018 Denial of Service Vulnerability
Third Party Advisory;VDB Entry
https://www.debian.org/security/2018/dsa-4321

Debian -- Security Information -- DSA-4321-1 graphicsmagick
Third Party Advisory

CVEs referencing this url
https://sourceforge.net/p/graphicsmagick/bugs/554/

GraphicsMagick / Bugs / #554 Divide-by-zero in ReadMNGImage (coders/png.c)
Exploit;Issue Tracking;Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FS76VNCFL3FVRMGXQEMHBOKA7EE46BTS/

[SECURITY] Fedora 31 Update: GraphicsMagick-1.3.34-1.fc31 - package-announce - Fedora Mailing-Lists

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2018-9018

Products affected by CVE-2018-9018

Exploit prediction scoring system (EPSS) score for CVE-2018-9018

CVSS scores for CVE-2018-9018

CWE ids for CVE-2018-9018

References for CVE-2018-9018