⚠ Actively exploited
Added to CISA KEV on 2024-09-09. Federal agencies required to patch by 2024-09-30. Required action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable..

CVE-2016-3714Improper Input Validation in Imagemagick

CWE-20Improper Input Validation21 documents14 sources
Severity
8.4HIGHNVD
EPSS
93.7%
top 0.15%
CISA KEV
KEV
Added 2024-09-09
Due 2024-09-30
Exploit
Exploited in wild
Active exploitation observed
Affected products
7
GraphicsmagickImagemagickCanonical Ubuntu Linux+4 more
Timeline
PublishedMay 5
KEV addedSep 9
KEV dueSep 30
CISA Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Description

The (1) EPHEMERAL, (2) HTTPS, (3) MVG, (4) MSL, (5) TEXT, (6) SHOW, (7) WIN, and (8) PLT coders in ImageMagick before 6.9.3-10 and 7.x before 7.0.1-1 allow remote attackers to execute arbitrary code via shell metacharacters in a crafted image, aka "ImageTragick."

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 2.5 | Impact: 5.9

Affected Packages7 packages

Debianimagemagick/imagemagick< 8:6.9.6.2+dfsg-2+3
Ubuntuimagemagick/imagemagick< 8:6.7.7.10-6ubuntu3.1+1
Debiangraphicsmagick/graphicsmagick< 1.3.24-1+3
NVDopensuse/leap42.1

Also affects: Debian Linux 8.0, 9.0, Ubuntu Linux 12.04, 14.04, 15.10, 16.04

Patches

Patch: git.imagemagick.orgPatch: git.imagemagick.org

🔴Vulnerability Details

5
GHSA
GHSA-24cp-26gx-3pp4: The (1) EPHEMERAL, (2) HTTPS, (3) MVG, (4) MSL, (5) TEXT, (6) SHOW, (7) WIN, and (8) PLT coders in ImageMagick before 62022-05-14
OSV
imagemagick vulnerabilities2016-06-02
CVEList
CVE-2016-3714: The (1) EPHEMERAL, (2) HTTPS, (3) MVG, (4) MSL, (5) TEXT, (6) SHOW, (7) WIN, and (8) PLT coders in ImageMagick before 62016-05-05
OSV
CVE-2016-3714: The (1) EPHEMERAL, (2) HTTPS, (3) MVG, (4) MSL, (5) TEXT, (6) SHOW, (7) WIN, and (8) PLT coders in ImageMagick before 62016-05-05
VulnCheck
ImageMagick Improper Input Validation Vulnerability2016

💥Exploits & PoCs

2
Exploit-DB
ImageMagick 6.9.3-9 / 7.0.1-0 - 'ImageTragick' Delegate Arbitrary Command Execution (Metasploit)2016-05-09
Exploit-DB
ImageMagick 7.0.1-0 / 6.9.3-9 - 'ImageTragick ' Multiple Vulnerabilities2016-05-04

🔍Detection Rules

2
Suricata
ET WEB_SERVER ImageMagick CVE-2016-3714 Inbound (mvg)2016-05-04
Suricata
ET WEB_SERVER ImageMagick CVE-2016-3714 Inbound (svg)2016-05-04

📋Vendor Advisories

4
CISA
ImageMagick Improper Input Validation Vulnerability2024-09-09
Ubuntu
ImageMagick vulnerabilities2016-06-02
Red Hat
ImageMagick: Insufficient shell characters filtering2016-05-03
Debian
CVE-2016-3714: graphicsmagick - The (1) EPHEMERAL, (2) HTTPS, (3) MVG, (4) MSL, (5) TEXT, (6) SHOW, (7) WIN, and...2016

💬Community

5
Bugzilla
CVE-2016-6320 satellite6: stored XSS while provisioning new host2016-08-10
Bugzilla
CVE-2016-5118 ImageMagick: Remote code execution via filename2016-05-30
Bugzilla
CVE-2016-3714 ImageMagick: Insufficient shell characters filtering2016-05-03
Bugzilla
CVE-2016-3714 ImageMagick: Insufficient shell characters filtering [fedora-all]2016-05-03
HackerOne
Insufficient shell characters filtering leads to (potentially remote) code execution (CVE-2016-3714)2016-05-03
CVE-2016-3714 — Improper Input Validation | cvebase