CVE-2017-17499

high-risk
Published 2017-12-11

ImageMagick before 6.9.9-24 and 7.x before 7.0.7-12 has a use-after-free in Magick::Image::read in Magick++/lib/Image.cpp.

Do I need to act?

~
2.0% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
9
CVSS 9.8/10 Critical
NETWORK / LOW complexity

Affected Products (6)

Affected Vendors

Canonical Imagemagick Debian

References (12)

Third Party Advisory http://www.securityfocus.com/bid/102155
Patch https://github.com/ImageMagick/ImageMagick/commit/8c35502217c1879cb8257c61700728...
Third Party Advisory https://github.com/ImageMagick/ImageMagick/commit/dd96d671e4d5ae22c6894c302e8996...
Third Party Advisory https://usn.ubuntu.com/3681-1/
Third Party Advisory https://www.debian.org/security/2017/dsa-4074
Patch https://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=33078&sid=5fbb1...
Third Party Advisory http://www.securityfocus.com/bid/102155
Patch https://github.com/ImageMagick/ImageMagick/commit/8c35502217c1879cb8257c61700728...
Third Party Advisory https://github.com/ImageMagick/ImageMagick/commit/dd96d671e4d5ae22c6894c302e8996...
Third Party Advisory https://usn.ubuntu.com/3681-1/
Third Party Advisory https://www.debian.org/security/2017/dsa-4074
Patch https://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=33078&sid=5fbb1...
50
/ 100
high-risk
Severity 32/34 · Critical
Exploitability 5/34 · Minimal
Exposure 13/34 · Low