CVE-2016-5239
published 2017-03-15
CVE-2016-5239: The gnuplot delegate functionality in ImageMagick before 6.9.4-0 and GraphicsMagick allows remote attackers to execute arbitrary commands via unspecified…
Priority P263 critical 9.8 CVSS 3.0
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 3.16% (86.4th percentile)
The gnuplot delegate functionality in ImageMagick before 6.9.4-0 and GraphicsMagick allows remote attackers to execute arbitrary commands via unspecified vectors.
Affected
11 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | graphicsmagick | < graphicsmagick 1.3.24-1 (bookworm) | graphicsmagick 1.3.24-1 (bookworm) |
| debian | imagemagick | < graphicsmagick 1.3.24-1 (bookworm) | graphicsmagick 1.3.24-1 (bookworm) |
| graphicsmagick | graphicsmagick | >= 0 < 1.3.24-1 | 1.3.24-1 |
| graphicsmagick | graphicsmagick | >= 0 < 1.3.24-1 | 1.3.24-1 |
| graphicsmagick | graphicsmagick | >= 0 < 1.3.24-1 | 1.3.24-1 |
| graphicsmagick | graphicsmagick | >= 0 < 1.3.24-1 | 1.3.24-1 |
| imagemagick | imagemagick | <= 6.9.3-9 | — |
| imagemagick | imagemagick | >= 0 < 8:6.9.6.2+dfsg-2 | 8:6.9.6.2+dfsg-2 |
| imagemagick | imagemagick | >= 0 < 8:6.9.6.2+dfsg-2 | 8:6.9.6.2+dfsg-2 |
| imagemagick | imagemagick | >= 0 < 8:6.9.6.2+dfsg-2 | 8:6.9.6.2+dfsg-2 |
| imagemagick | imagemagick | >= 0 < 8:6.9.6.2+dfsg-2 | 8:6.9.6.2+dfsg-2 |
Detection & IOCs (extracted from sources)
- The vulnerability is triggered when ImageMagick processes a specially crafted gnuplot file and delegates it to the gnuplot binary; monitor for ImageMagick spawning gnuplot as a child process, especially when handling untrusted image input.
- A remote attacker delivers a specially crafted image file that ImageMagick identifies as a gnuplot file, triggering delegation to gnuplot and executing shell commands; inspect image files being processed for gnuplot file signatures/headers.
- If gnuplot is not installed or ImageMagick cannot launch it, the attack vector is blocked; audit systems for the presence of gnuplot alongside ImageMagick/GraphicsMagick as a risk indicator.
- ImageMagick on RHEL5 is not affected because the gnuplot delegation is broken due to an unrelated issue, preventing ImageMagick from launching gnuplot correctly and thus blocking this attack vector.
- Gnuplot files should never be processed when originating from untrusted sources, as they can inherently contain dangerous commands independent of this CVE.
- The vulnerability affects ImageMagick versions before 6.9.4-0; GraphicsMagick is also affected (fixed in 1.3.24-1 per Debian tracker).
CVSS provenance
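| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 9.8 | CRITICAL | — |
| vendor_debian | — | 9.8 | CRITICAL | — |
| vendor_redhat | — | 9.8 | CRITICAL | — |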
GHSA
GHSA-v696-qhvw-8g5m: The gnuplot delegate functionality in ImageMagick before 6
ghsa_unreviewed·2022-05-14
CVE-2016-5239 [CRITICAL] CWE-284 GHSA-v696-qhvw-8g5m: The gnuplot delegate functionality in ImageMagick before 6
The gnuplot delegate functionality in ImageMagick before 6.9.4-0 and GraphicsMagick allows remote attackers to execute arbitrary commands via unspecified vectors.
OSV
CVE-2016-5239: The gnuplot delegate functionality in ImageMagick before 6
osv·2017-03-15·CVSS 9.8
CVE-2016-5239 [CRITICAL] CVE-2016-5239: The gnuplot delegate functionality in ImageMagick before 6
The gnuplot delegate functionality in ImageMagick before 6.9.4-0 and GraphicsMagick allows remote attackers to execute arbitrary commands via unspecified vectors.
Red Hat
ImageMagick,GraphicsMagick: Gnuplot delegate vulnerability allowing command injection
vendor_redhat·2016-05-08·CVSS 9.8
CVE-2016-5239 [CRITICAL] CWE-77 ImageMagick,GraphicsMagick: Gnuplot delegate vulnerability allowing command injection
The gnuplot delegate functionality in ImageMagick before 6.9.4-0 and GraphicsMagick allows remote attackers to execute arbitrary commands via unspecified vectors.
It was discovered that ImageMagick did not properly sanitize certain input before passing it to the gnuplot delegate functionality. A remote attacker could create a specially crafted image that, when processed by an application using ImageMagick or an unsuspecting user using the ImageMagick utilities, would lead to arbitrary execution of shell commands with the privileges of the user running the application.
Package: ImageMagick (Red Hat Enterprise Linux 5) - Not affected
Debian
CVE-2016-5239: graphicsmagick - The gnuplot delegate functionality in ImageMagick before 6.9.4-0 and GraphicsMag...
vendor_debian·2016·CVSS 9.8
CVE-2016-5239 [CRITICAL] CVE-2016-5239: graphicsmagick - The gnuplot delegate functionality in ImageMagick before 6.9.4-0 and GraphicsMag...
The gnuplot delegate functionality in ImageMagick before 6.9.4-0 and GraphicsMagick allows remote attackers to execute arbitrary commands via unspecified vectors.
Scope: local
bookworm: resolved (fixed in 1.3.24-1)
bullseye: resolved (fixed in 1.3.24-1)
forky: resolved (fixed in 1.3.24-1)
sid: resolved (fixed in 1.3.24-1)
trixie: resolved (fixed in 1.3.24-1)
No detection rules found.
No public exploits indexed.
- http://git.imagemagick.org/repos/ImageMagick/commit/70a2cf326ed32bedee144b961005c63846541a16
- http://www.openwall.com/lists/oss-security/2016/06/02/13
- http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html
- http://www.securityfocus.com/bid/91018
- https://access.redhat.com/errata/RHSA-2016:1237
- https://lists.debian.org/debian-lts-announce/2018/08/msg00002.html
Published: 2017-03-15