A vulnerability classified as critical has been found in ImageMagick 7.0.8-40 Q16 (Image Processing Software). This affects the function WritePNMImage of the file coders/pnm.c. The manipulation as part of a Image File leads to a out-of-bounds vulnerability. CWE is classifying the issue as CWE-125. The product reads data past the end, or before the beginning, of the intended buffer. This is going to have an impact on confidentiality, integrity, and availability. The summary by CVE is:

In ImageMagick 7.0.8-40 Q16, there is a heap-based buffer over-read in the function WritePNMImage of coders/pnm.c, which allows an attacker to cause a denial of service or possibly information disclosure via a crafted image file. This is related to SetGrayscaleImage in MagickCore/quantize.c.

The bug was discovered 04/21/2019. The weakness was shared 04/29/2019 (Website). It is possible to read the advisory at securityfocus.com. This vulnerability is uniquely identified as CVE-2019-11598 since 04/29/2019. It is possible to initiate the attack remotely. No form of authentication is needed for exploitation. It demands that the victim is doing some kind of user interaction. Technical details of the vulnerability are known, but there is no available exploit.

The vulnerability was handled as a non-public zero-day exploit for at least 8 days. During that time the estimated underground price was around $0-$5k.

There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product.

The entry VDB-134198 is related to this item.

Productinfo

Type

• Image Processing Software

Name

• ImageMagick

Version

• 7.0.8-40 Q16

License

• open-source

CPE 2.3info

• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion