Lucene search

TalosCVE-2016-8707

HistoryDec 23, 2016 - 10:59 p.m.

CVE-2016-8707

2016-12-2322:59:00

CWE-787

talos

web.nvd.nist.gov

cve

2016

8707

imagemagick

tiff

out of bounds write

remote code execution

vulnerability

nvd

CVSS2

6.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS3

7.8

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

AI Score

Confidence

High

EPSS

0.011

Percentile

84.3%

JSON

An exploitable out of bounds write exists in the handling of compressed TIFF images in ImageMagicks’s convert utility. A crafted TIFF document can lead to an out of bounds write which in particular circumstances could be leveraged into remote code execution. The vulnerability can be triggered through any user controlled TIFF that is handled by this functionality.

Affected configurations

Nvd

Node

imagemagickimagemagickMatch7.0.3-1

Node

debiandebian_linuxMatch8.0

VendorProductVersionCPE
imagemagickimagemagick7.0.3-1cpe:2.3:a:imagemagick:imagemagick:7.0.3-1:*:*:*:*:*:*:*
debiandebian_linux8.0cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
imagemagick	imagemagick	7.0.3-1	cpe:2.3:a:imagemagick:imagemagick:7.0.3-1:::::::*
debian	debian_linux	8.0	cpe:2.3:o:debian:debian_linux:8.0:::::::*

CNA Affected

[
  {
    "product": "ImageMagick 7.0.3-1",
    "vendor": "n/a",
    "versions": [
      {
        "status": "affected",
        "version": "ImageMagick 7.0.3-1"
      }
    ]
  }
]