ImageMagick does not properly validate user input before processing it using a delegate, which may lead to arbitrary code execution. This issue is also known as "ImageTragick".
CWE-20: Improper Input Validation - CVE-2016-3714
According to the researchers in a mailing list post:
An unauthenticated remote attacker that can upload crafted image files may be able to execute arbitrary code in the context of the user calling ImageMagick.
Apply an Update
Verify Files and Disable Vulnerable Filters
Red Hat, Inc.
Slackware Linux Inc.
The ImageTragick website credits Stewie and Nikolay Ermishkin of the Mail.Ru Security Team for discovering these vulnerabilities.
This document was written by Garret Wassermann.
|Date First Published:||2016-05-04|
|Date Last Updated:||2016-05-04 21:14 UTC|