Vulnerability CVE-2014-9850


Published: 2017-03-20

Description:
Logic error in ImageMagick 6.8.9.9 allows remote attackers to cause a denial of service (resource consumption).

Type:

CWE-399

(Resource Management Errors)

Vendor: Imagemagick
Product: Imagemagick 
Version: 6.8.8-9;
Vendor: Opensuse project
Product: LEAP 
Version: 42.1;
Product: Opensuse 
Version: 13.2;
Product: Suse linux enterprise server 
Version: 12.0;
Product: Suse linux enterprise software development kit 
Version: 12.0;
Product: Suse linux enterprise desktop 
Version: 12.0;
Product: Suse linux enterprise workstation extension 
Version: 12.0;
Vendor: Canonical
Product: Ubuntu linux 
Version:
16.10
16.04
14.04
12.04
Vendor: Opensuse
Product: Opensuse 
Version: 13.2;

CVSS2 => (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVSS Base Score
Impact Subscore
Exploitability Subscore
5/10
2.9/10
10/10
Exploit range
Attack complexity
Authentication
Remote
Low
No required
Confidentiality impact
Integrity impact
Availability impact
None
None
Partial

 References:
http://lists.opensuse.org/opensuse-security-announce/2016-07/msg00002.html
http://lists.opensuse.org/opensuse-security-announce/2016-07/msg00011.html
http://lists.opensuse.org/opensuse-security-announce/2016-07/msg00018.html
http://www.openwall.com/lists/oss-security/2016/06/02/13
http://www.ubuntu.com/usn/USN-3131-1
https://anonscm.debian.org/cgit/collab-maint/imagemagick.git/commit/?h=debian-patches/6.8.9.9-4-for-upstream&id=2257d1eadd02d89d225fce21013a1219d221dc7d
https://bugzilla.redhat.com/show_bug.cgi?id=1343510

Related CVE
CVE-2018-12467
Authorized users of the openbuildservice before 2.9.4 could delete packages by using a malicious request against projects having the OBS:InitializeDevelPackage attribute, a similar issue to CVE-2018-7689.
CVE-2018-12466
openSUSE openbuildservice before 9.2.4 allowed authenticated users to delete packages on specific projects with project links.
CVE-2016-9597
It was found that Red Hat JBoss Core Services erratum RHSA-2016:2957 for CVE-2016-3705 did not actually include the fix for the issue found in libxml2, making it vulnerable to a Denial of Service attack due to a Stack Overflow. This is a regression C...
CVE-2011-4183
A vulnerability in open build service allows remote attackers to upload arbitrary RPM files. Affected releases are SUSE open build service prior to 2.1.16.
CVE-2011-4182
Missing escaping of ESSID values in sysconfig of SUSE Linux Enterprise allows attackers controlling an access point to cause execute arbitrary code. Affected releases are sysconfig prior to 0.83.7-2.1.
CVE-2011-4181
A vulnerability in open build service allows remote attackers to gain access to source files even though source access is disabled. Affected releases are SUSE open build service up to and including version 2.1.15 (for 2.1) and before version 2.3.
CVE-2014-5220
The mdcheck script of the mdadm package for openSUSE 13.2 prior to version 3.3.1-5.14.1 does not properly sanitize device names, which allows local attackers to execute arbitrary commands as root.
CVE-2014-0594
In the Open Build Service (OBS) before version 2.4.6 the CSRF protection is incorrectly disabled in the web interface, allowing for requests without the user's consent.

Copyright 2018, cxsecurity.com

 

Back to Top