8.8 - CVE-2014-2030

Executive Summary

This Alert is flagged as TOP 25 Common Weakness Enumeration from CWE/SANS. For more information, you can read this.

Informations
Name	CVE-2014-2030	First vendor Publication	2020-02-06
Vendor	Cve	Last vendor Modification	2020-02-11

Security-Database Scoring CVSS v3

Cvss vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Overall CVSS Score	8.8
Base Score	8.8	Environmental Score	8.8
impact SubScore	5.9	Temporal Score	8.8
Exploitabality Sub Score	2.8

Attack Vector	Network	Attack Complexity	Low
Privileges Required	None	User Interaction	Required
Scope	Unchanged	Confidentiality Impact	High
Integrity Impact	High	Availability Impact	High
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:M/Au:N/C:P/I:P/A:P)
Cvss Base Score	6.8	Attack Range	Network
Cvss Impact Score	6.4	Attack Complexity	Medium
Cvss Expoit Score	8.6	Authentication	None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Stack-based buffer overflow in the WritePSDImage function in coders/psd.c in ImageMagick, possibly 6.8.8-5, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted PSD image, involving the L%06ld string, a different vulnerability than CVE-2014-1947.

Original Source

Url : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2030

CWE : Common Weakness Enumeration

%	Id	Name
100 %	CWE-787	Out-of-bounds Write (CWE/SANS Top 25)

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:23562

Oval ID:	oval:org.mitre.oval:def:23562
Title:	USN-2132-1 -- imagemagick vulnerabilities
Description:	ImageMagick could be made to crash or run programs if it opened a specially crafted image file.
Family:	unix	Class:	patch
Reference(s):	USN-2132-1 CVE-2012-0260 CVE-2014-1958 CVE-2014-2030	Version:	5
Platform(s):	Ubuntu 13.10 Ubuntu 12.10 Ubuntu 12.04	Product(s):	imagemagick
Definition Synopsis:
Ubuntu 13.10 release section Ubuntu 13.10 is installed Packages match section libmagick++5 DPKG is earlier than 8:6.7.7.10-5ubuntu3.1 AND libmagickcore5 DPKG is earlier than 8:6.7.7.10-5ubuntu3.1 AND Ubuntu 12.10 release section Ubuntu 12.10 is installed Packages match section libmagick++5 DPKG is earlier than 8:6.7.7.10-2ubuntu4.2 AND libmagickcore5 DPKG is earlier than 8:6.7.7.10-2ubuntu4.2 AND Ubuntu 12.04 release section Ubuntu 12.04 is installed Packages match section libmagick++4 DPKG is earlier than 8:6.6.9.7-5ubuntu3.3 AND libmagickcore4 DPKG is earlier than 8:6.6.9.7-5ubuntu3.3

Definition Id: oval:org.mitre.oval:def:23905

Oval ID:	oval:org.mitre.oval:def:23905
Title:	DSA-2898-1 imagemagick - security update
Description:	Several buffer overflows were found in Imagemagick, a suite of image manipulation programs. Processing malformed PSD files could lead to the execution of arbitrary code.
Family:	unix	Class:	patch
Reference(s):	DSA-2898-1 CVE-2014-1947 CVE-2014-1958 CVE-2014-2030	Version:	5
Platform(s):	Debian GNU/Linux 6.0 Debian GNU/Linux 7 Debian GNU/kFreeBSD 6.0 Debian GNU/kFreeBSD 7	Product(s):	imagemagick
Definition Synopsis:
Debian 6.0 release section Debian 6.0 is installed GNU/Linux or GNU/kFreeBSD kernel Debian GNU/Linux is installed AND Debian GNU/kFreeBSD is installed AND imagemagick DPKG is earlier than 8:6.6.0.4-3+squeeze4 AND Debian 7.x release section Debian 7 is installed GNU/Linux or GNU/kFreeBSD kernel Debian GNU/Linux is installed AND Debian GNU/kFreeBSD is installed AND imagemagick DPKG is earlier than 8:6.7.7.10-5+deb7u3

CPE : Common Platform Enumeration

Type	Description	Count
Application	Imagemagick cpe:2.3:a:imagemagick:imagemagick:6.8.8-5:::::::*	1
Os	Canonical Ubuntu Linux cpe:2.3:o:canonical:ubuntu_linux:13.10:::::::* cpe:2.3:o:canonical:ubuntu_linux:12.10:::::::* cpe:2.3:o:canonical:ubuntu_linux:12.04::::lts:::	3
Os	Opensuse cpe:2.3:o:opensuse:opensuse:13.1:::::::* cpe:2.3:o:opensuse:opensuse:12.3:::::::* cpe:2.3:o:opensuse:opensuse:11.4:::::::*	3

Nessus® Vulnerability Scanner

Date	Description
2015-03-30	Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2015-105.nasl - Type : ACT_GATHER_INFO
2015-01-19	Name : The remote Solaris system is missing a security patch for third-party software. File : solaris11_imagemagick_20140731.nasl - Type : ACT_GATHER_INFO
2014-10-12	Name : The remote Amazon Linux AMI host is missing a security update. File : ala_ALAS-2014-336.nasl - Type : ACT_GATHER_INFO
2014-06-13	Name : The remote openSUSE host is missing a security update. File : openSUSE-2014-206.nasl - Type : ACT_GATHER_INFO
2014-05-19	Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201405-09.nasl - Type : ACT_GATHER_INFO
2014-04-16	Name : The remote Fedora host is missing a security update. File : fedora_2014-4969.nasl - Type : ACT_GATHER_INFO
2014-04-10	Name : The remote Debian host is missing a security-related update. File : debian_DSA-2898.nasl - Type : ACT_GATHER_INFO
2014-03-07	Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-2132-1.nasl - Type : ACT_GATHER_INFO
2014-02-27	Name : The remote Windows host contains an application that is affected by a multipl... File : imagemagick_6_8_8_5.nasl - Type : ACT_GATHER_INFO

Sources (Detail)

Source	Url
CONFIRM	http://lists.opensuse.org/opensuse-updates/2014-03/msg00032.html http://lists.opensuse.org/opensuse-updates/2014-03/msg00039.html http://ubuntu.com/usn/usn-2132-1 https://web.archive.org/web/20090120112751/http://trac.imagemagick.org/change...
MISC	http://www.openwall.com/lists/oss-security/2014/02/12/2 http://www.openwall.com/lists/oss-security/2014/02/13/5 http://www.openwall.com/lists/oss-security/2014/02/19/13 https://bugzilla.redhat.com/show_bug.cgi?id=1064098

Alert History

If you want to see full details history, please login or register.

Date	Informations
2021-05-04 12:31:51	Multiple Updates
2021-04-22 01:38:50	Multiple Updates
2020-05-23 00:40:22	First insertion

Global Informations

Type	Count
CWE ID(s)	1
Oval ID(s)	2
CPE ID(s)	7
Sources(s)	8
Nessus® Exploit(s)	9

	Related
5	USN-2132-1
Info : listing not affected by your CVSS Env Score

Same Subject	Severity
Login to view 1 more Alert(s)