The (1) EPHEMERAL, (2) HTTPS, (3) MVG, (4) MSL, (5) TEXT, (6) SHOW, (7) WIN, and (8) PLT coders in ImageMagick before 6.9.3-10 and 7.x before 7.0.1-1 allow remote attackers to execute arbitrary code via shell metacharacters in a crafted image, aka "ImageTragick." (CVE-2016-3714)
Impact
When exploited, this vulnerability may allow unauthorized disclosure of information, unauthorized modification, and/or disruption of service. BIG-IP systems (AAM, WebAccelerator, and Edge Gateway) that use a WebAcceleration profile configured with the Image Optimization settings are vulnerable to this issue. BIG-IQ and Enterprise Manager systems are not vulnerable in their default configuration; however, the vulnerable code exists on these systems and can be made exploitable if the mogrify binary is used to perform image optimization remotely.
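The following is an added example, not part of the original advisory or any vendor guidance. ImageMagick reads coder restrictions from a `policy.xml` file, and this sketch audits such a file for the eight coders named in the CVE description above. The function name `exposed_coders` and the sample policy are constructed for illustration, and the matching rule is a conservative simplification of how ImageMagick evaluates policies.

```python
import fnmatch
import xml.etree.ElementTree as ET

# Coder names taken from the CVE-2016-3714 description above.
AFFECTED_CODERS = ["EPHEMERAL", "HTTPS", "MVG", "MSL", "TEXT", "SHOW", "WIN", "PLT"]

# Constructed sample policy (not from any real system): denies only some coders.
SAMPLE_POLICY = """<policymap>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="M*" />
  <policy domain="coder" rights="read" pattern="MSL" />
  <policy domain="resource" name="memory" value="256MiB" />
</policymap>"""


def exposed_coders(policy_xml, coders=AFFECTED_CODERS):
    """Return the coders that the policy does not fully deny.

    Conservative simplification (an assumption of this example): a coder
    counts as blocked only when at least one coder-domain policy matches it
    and every matching policy has rights="none".
    """
    root = ET.fromstring(policy_xml)
    # Keep only coder-domain rules as (glob pattern, rights) pairs.
    rules = [
        (p.get("pattern", "").upper(), p.get("rights", "").strip().lower())
        for p in root.iter("policy")
        if p.get("domain", "").lower() == "coder"
    ]
    exposed = []
    for coder in coders:
        rights = [r for pattern, r in rules if fnmatch.fnmatchcase(coder, pattern)]
        # No matching rule, or any rule that grants rights, leaves it exposed.
        if not rights or any(r != "none" for r in rights):
            exposed.append(coder)
    return exposed


if __name__ == "__main__":
    for name in exposed_coders(SAMPLE_POLICY):
        print(f"coder {name} is not denied by policy")
```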