cbcvebase.
CVE-2016-5239
published 2017-03-15

CVE-2016-5239: The gnuplot delegate functionality in ImageMagick before 6.9.4-0 and GraphicsMagick allows remote attackers to execute arbitrary commands via unspecified…

PriorityP263critical9.8CVSS 3.0
AVNACLPRNUINSUCHIHAH
EPSS
3.16%
86.4th percentile
The gnuplot delegate functionality in ImageMagick before 6.9.4-0 and GraphicsMagick allows remote attackers to execute arbitrary commands via unspecified vectors.

Affected

11 ranges
VendorProductVersion rangeFixed in
debiangraphicsmagick< graphicsmagick 1.3.24-1 (bookworm)graphicsmagick 1.3.24-1 (bookworm)
debianimagemagick< graphicsmagick 1.3.24-1 (bookworm)graphicsmagick 1.3.24-1 (bookworm)
graphicsmagickgraphicsmagick>= 0 < 1.3.24-11.3.24-1
graphicsmagickgraphicsmagick>= 0 < 1.3.24-11.3.24-1
graphicsmagickgraphicsmagick>= 0 < 1.3.24-11.3.24-1
graphicsmagickgraphicsmagick>= 0 < 1.3.24-11.3.24-1
imagemagickimagemagick<= 6.9.3-9
imagemagickimagemagick>= 0 < 8:6.9.6.2+dfsg-28:6.9.6.2+dfsg-2
imagemagickimagemagick>= 0 < 8:6.9.6.2+dfsg-28:6.9.6.2+dfsg-2
imagemagickimagemagick>= 0 < 8:6.9.6.2+dfsg-28:6.9.6.2+dfsg-2
imagemagickimagemagick>= 0 < 8:6.9.6.2+dfsg-28:6.9.6.2+dfsg-2

Detection & IOCsextracted from sources · hover to see the quote

  • The vulnerability is triggered when ImageMagick processes a specially crafted gnuplot file and delegates it to the gnuplot binary; monitor for ImageMagick spawning gnuplot as a child process, especially when handling untrusted image input.
  • A remote attacker delivers a specially crafted image file that ImageMagick identifies as a gnuplot file, triggering delegation to gnuplot and executing shell commands; inspect image files being processed for gnuplot file signatures/headers.
  • If gnuplot is not installed or ImageMagick cannot launch it, the attack vector is blocked; audit systems for the presence of gnuplot alongside ImageMagick/GraphicsMagick as a risk indicator.
  • ·ImageMagick on RHEL5 is not affected because the gnuplot delegation is broken due to an unrelated issue, preventing ImageMagick from launching gnuplot correctly and thus blocking this attack vector.
  • ·Gnuplot files should never be processed when originating from untrusted sources, as they can inherently contain dangerous commands independent of this CVE.
  • ·The vulnerability affects ImageMagick versions before 6.9.4-0; GraphicsMagick is also affected (fixed in 1.3.24-1 per Debian tracker).

CVSS provenance

nvdv3.09.8CRITICALCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.07.5HIGHAV:N/AC:L/Au:N/C:P/I:P/A:P
osv9.8CRITICAL
vendor_debian9.8CRITICAL
vendor_redhat9.8CRITICAL
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.