CVE-2017-9098Use of Uninitialized Resource in Graphicsmagick

CWE-908Use of Uninitialized ResourceCWE-456Missing Initialization of a Variable9 documents8 sources
Severity
7.5HIGHNVD
EPSS
1.5%
top 19.13%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
5
GraphicsmagickImagemagickDebian Graphicsmagick+2 more
Timeline
PublishedMay 19
Latest updateMay 13

Description

ImageMagick before 7.0.5-2 and GraphicsMagick before 1.3.24 use uninitialized memory in the RLE decoder, allowing an attacker to leak sensitive information from process memory space, as demonstrated by remote attacks against ImageMagick code in a long-running server process that converts image data on behalf of multiple users. This is caused by a missing initialization step in the ReadRLEImage function in coders/rle.c.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages6 packages

debiandebian/imagemagick< graphicsmagick 1.3.24-1 (bookworm)
NVDimagemagick/imagemagick7.0.0-07.0.5-2+1
Debianimagemagick/imagemagick< 8:6.9.7.4+dfsg-9+3
debiandebian/graphicsmagick< graphicsmagick 1.3.24-1 (bookworm)

Also affects: Debian Linux 8.0, 9.0

Patches

Patch: hg.code.sf.netPatch: github.comPatch: hg.code.sf.net

🔴Vulnerability Details

2
GHSA
GHSA-3j7x-gh3j-ghqj: ImageMagick before 72022-05-13
OSV
CVE-2017-9098: ImageMagick before 72017-05-19

💥Exploits & PoCs

1
Exploit-DB
Red-Gate SQL Monitor < 3.10 / 4.2 - Authentication Bypass2017-08-10

📋Vendor Advisories

3
Ubuntu
ImageMagick vulnerabilities2017-05-30
Red Hat
ImageMagick: use of uninitialized memory in RLE decoder2017-05-18
Debian
CVE-2017-9098: graphicsmagick - ImageMagick before 7.0.5-2 and GraphicsMagick before 1.3.24 use uninitialized me...2017

💬Community

2
Bugzilla
CVE-2017-9098 ImageMagick: use of uninitialized memory in RLE decoder2017-05-22
Bugzilla
CVE-2017-9098 ImageMagick: use of uninitialized memory in RLE decoder [fedora-all]2017-05-22