CVE-2016-3714 — imagemagick - security update

Description

The (1) EPHEMERAL, (2) HTTPS, (3) MVG, (4) MSL, (5) TEXT, (6) SHOW, (7) WIN, and (8) PLT coders in ImageMagick before 6.9.3-10 and 7.x before 7.0.1-1 allow remote attackers to execute arbitrary code via shell metacharacters in a crafted image, aka "ImageTragick."

How to fix CVE-2016-3714

To remediate CVE-2016-3714, upgrade the affected package to a fixed version below.

—upgrade to 1.3.24-1 or later
—upgrade to 8:6.9.6.2+dfsg-2 or later
—upgrade to 8:6.7.7.10-5+deb7u5 or later
—upgrade to 8:6.8.9.9-5+deb8u2 or later

Is CVE-2016-3714 being exploited?

Yes — CVE-2016-3714 is on the CISA Known Exploited Vulnerabilities (KEV) catalog. Patch immediately.

Affected packages (4)

from 0, < 1.3.24-1
from 0, < 8:6.9.6.2+dfsg-2
from 0, < 8:6.7.7.10-5+deb7u5
from 0, < 8:6.8.9.9-5+deb8u2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.4	CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (1)

ADVISORYsecurity-tracker.debian.org/tracker/CVE-2016-3714