Home > Vulnerability Database > CVE-2017-14650

Mend.io Vulnerability Database

CVE-2017-14650

Date: September 21, 2017

A Remote Code Execution vulnerability has been found in the Horde_Image library when using the "Im" backend that utilizes ImageMagick's "convert" utility. It's not exploitable through any Horde application, because the code path to the vulnerability is not used by any Horde code. Custom applications using the Horde_Image library might be affected. This vulnerability affects all versions of Horde_Image from 2.0.0 to 2.5.1, and is fixed in 2.5.2. The problem is missing input validation of the index field in _raw() during construction of an ImageMagick command line.

Language: PHP

Severity Score

8.1

Related Resources (8)

Url: https://nvd.nist.gov/vuln/detail/CVE-2017-14650

Url: https://github.com/horde/horde/commit/eb3afd14c22c77ae0d29e2848f5ac726ef6e7c5b

Url: https://marc.info/?l=horde-announce&m=150600299528079&w=2

Url: http://www.openwall.com/lists/oss-security/2017/09/21/4

Url: https://people.canonical.com/~ubuntu-security/cve/CVE-2017-14650

Url: https://www.debian.org/security/2018/dsa-4276

Url: https://security-tracker.debian.org/tracker/CVE-2017-14650

Url: https://www.mend.io/vulnerability-database/CVE-2017-14650

Severity Score

8.1

Weakness Type (CWE)

Improper Input Validation

CWE-20

CVSS v3.1

Base Score:	8.1
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	HIGH
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

CVSS v2

Base Score:	6.8
Access Vector (AV):	NETWORK
Access Complexity (AC):	MEDIUM
Authentication (AU):	NONE
Confidentiality (C):	PARTIAL
Integrity (I):	PARTIAL
Availability (A):	PARTIAL
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2017-14650

Date: September 21, 2017

Language: PHP

Severity Score

Related Resources (8)

Severity Score

Weakness Type (CWE)

CVSS v3.1

CVSS v2

Do you need more information?