A vulnerability was found in ImageMagick 7.0.8-13 (Image Processing Software). It has been declared as critical. This vulnerability affects the function SVGStripString of the file coders/svg.c of the component SVG Image File Handler. The manipulation with an unknown input leads to a out-of-bounds vulnerability. The CWE definition for the vulnerability is CWE-125. The product reads data past the end, or before the beginning, of the intended buffer. As an impact it is known to affect confidentiality, integrity, and availability. CVE summarizes:

In ImageMagick 7.0.8-13 Q16, there is a heap-based buffer over-read in the SVGStripString function of coders/svg.c, which allows attackers to cause a denial of service via a crafted SVG image file.

The bug was discovered 10/05/2018. The weakness was shared 10/07/2018 (Website). The advisory is available at github.com. This vulnerability was named CVE-2018-18023 since 10/07/2018. The attack can be initiated remotely. No form of authentication is required for a successful exploitation. Successful exploitation requires user interaction by the victim. Technical details are known, but there is no available exploit.

The vulnerability was handled as a non-public zero-day exploit for at least 2 days. During that time the estimated underground price was around $0-$5k.

There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product.

The entries 124956 and 124955 are related to this item.

Productinfo

Type

• Image Processing Software

Name

• ImageMagick

Version

• 7.0.8-13

License

• open-source

CPE 2.3info

• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion