The OpenBlob function in blob.c in GraphicsMagick before 1.3.24 and ImageMagick allows remote attackers to execute arbitrary code via a | (pipe) character at the start of a filename. (CVE-2016-5118)
Impact
A remote attacker may be able to execute arbitrary code on the BIG-IP system. BIG-IP AAM, WebAccelerator, and Edge Gateway systems that use a WebAcceleration profile configured with theImage Optimization settings are vulnerable to this issue. The use ofmogrifyin external monitors may also expose this issue. BIG-IQ and Enterprise Manager systems are not vulnerable in their default configuration; however, the vulnerable code exists on these systems and can be made exploitable if themogrify binary is used to perform image optimization remotely.
CPE | Name | Operator | Version |
---|---|---|---|
big-ip afm | eq | 11.4.0 | |
big-ip afm | eq | 11.4.1 | |
big-ip afm | eq | 11.5.0 | |
big-ip afm | eq | 11.5.1 | |
big-ip afm | eq | 11.5.2 | |
big-ip afm | eq | 11.5.3 | |
big-ip afm | eq | 11.5.4 | |
big-ip afm | eq | 11.6.0 | |
big-ip afm | eq | 11.6.1 | |
big-ip afm | eq | 12.0.0 |