CVE-2017-15277

moderate-risk
Published 2017-10-12

ReadGIFImage in coders/gif.c in ImageMagick 7.0.6-1 and GraphicsMagick 1.3.26 leaves the palette uninitialized when processing a GIF file that has neither a global nor local palette. If the affected product is used as a library loaded into a process that operates on interesting data, this data sometimes can be leaked via the uninitialized palette.

Do I need to act?

!
59.3% chance of exploitation in next 30 days
EPSS score — higher than 41% of all CVEs
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
6
CVSS 6.5/10 Medium
NETWORK / LOW complexity

Affected Products (2)

Affected Vendors

Imagemagick Graphicsmagick

References (18)

Issue Tracking https://github.com/ImageMagick/ImageMagick/commit/9fd10cf630832b36a588c1545d8736...
Issue Tracking https://github.com/ImageMagick/ImageMagick/issues/592
Exploit https://github.com/neex/gifoeb
https://lists.debian.org/debian-lts-announce/2018/08/msg00002.html
https://usn.ubuntu.com/3681-1/
https://usn.ubuntu.com/4232-1/
https://www.debian.org/security/2017/dsa-4032
https://www.debian.org/security/2017/dsa-4040
https://www.debian.org/security/2018/dsa-4321
Issue Tracking https://github.com/ImageMagick/ImageMagick/commit/9fd10cf630832b36a588c1545d8736...
Issue Tracking https://github.com/ImageMagick/ImageMagick/issues/592
Exploit https://github.com/neex/gifoeb
https://lists.debian.org/debian-lts-announce/2018/08/msg00002.html
https://usn.ubuntu.com/3681-1/
https://usn.ubuntu.com/4232-1/
https://www.debian.org/security/2017/dsa-4032
https://www.debian.org/security/2017/dsa-4040
https://www.debian.org/security/2018/dsa-4321
49
/ 100
moderate-risk
Severity 24/34 · High
Exploitability 18/34 · Moderate
Exposure 7/34 · Low