CVE-2017-14650
Severity Score
8.1
*CVSS v3
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
1
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
A Remote Code Execution vulnerability has been found in the Horde_Image library when using the "Im" backend that utilizes ImageMagick's "convert" utility. It's not exploitable through any Horde application, because the code path to the vulnerability is not used by any Horde code. Custom applications using the Horde_Image library might be affected. This vulnerability affects all versions of Horde_Image from 2.0.0 to 2.5.1, and is fixed in 2.5.2. The problem is missing input validation of the index field in _raw() during construction of an ImageMagick command line.
Existe una vulnerabilidad de ejecución remota de código en la librería Horde_Image cuando se utiliza el backend "Im" que emplea la utilidad de ImageMagick "convert". No se puede explotar con ninguna aplicación de Horde porque la ruta del código a la vulnerabilidad no se utiliza en ningún código de Horde. Las aplicaciones personalizadas que utilicen la librería Horde_Image podrían verse afectadas. Esta vulnerabilidad afecta a todas las versiones de Horde_Image desde la versión 2.0.0 hasta la 2.5.1 y se corrige en la 2.5.2. El problema se debe a la ausencia de mecanismos de validación de entrada del campo index en _raw() durante la construcción de una línea de comandos de ImageMagick.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2017-09-21 CVE Reserved
- 2017-09-21 CVE Published
- 2023-08-01 EPSS Updated
- 2024-08-05 CVE Updated
- 2024-08-05 First Exploit
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-20: Improper Input Validation
CAPEC
References (4)
| URL | Tag | Source |
|---|---|---|
| http://www.openwall.com/lists/oss-security/2017/09/21/4 | Mailing List |
|
| https://marc.info/?l=horde-announce&m=150600299528079&w=2 | Mailing List |
| URL | Date | SRC |
|---|---|---|
| https://github.com/horde/horde/commit/eb3afd14c22c77ae0d29e2848f5ac726ef6e7c5b | 2024-08-05 |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://www.debian.org/security/2018/dsa-4276 | 2018-08-18 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Horde Search vendor "Horde" | Horde Image Api Search vendor "Horde" for product "Horde Image Api" | 2.0.0 Search vendor "Horde" for product "Horde Image Api" and version "2.0.0" | - |
Affected
| ||||||
| Horde Search vendor "Horde" | Horde Image Api Search vendor "Horde" for product "Horde Image Api" | 2.0.0 Search vendor "Horde" for product "Horde Image Api" and version "2.0.0" | alpha1 |
Affected
| ||||||
| Horde Search vendor "Horde" | Horde Image Api Search vendor "Horde" for product "Horde Image Api" | 2.0.0 Search vendor "Horde" for product "Horde Image Api" and version "2.0.0" | beta1 |
Affected
| ||||||
| Horde Search vendor "Horde" | Horde Image Api Search vendor "Horde" for product "Horde Image Api" | 2.0.0 Search vendor "Horde" for product "Horde Image Api" and version "2.0.0" | beta2 |
Affected
| ||||||
| Horde Search vendor "Horde" | Horde Image Api Search vendor "Horde" for product "Horde Image Api" | 2.0.1 Search vendor "Horde" for product "Horde Image Api" and version "2.0.1" | - |
Affected
| ||||||
| Horde Search vendor "Horde" | Horde Image Api Search vendor "Horde" for product "Horde Image Api" | 2.0.2 Search vendor "Horde" for product "Horde Image Api" and version "2.0.2" | - |
Affected
| ||||||
| Horde Search vendor "Horde" | Horde Image Api Search vendor "Horde" for product "Horde Image Api" | 2.0.3 Search vendor "Horde" for product "Horde Image Api" and version "2.0.3" | - |
Affected
| ||||||
| Horde Search vendor "Horde" | Horde Image Api Search vendor "Horde" for product "Horde Image Api" | 2.0.4 Search vendor "Horde" for product "Horde Image Api" and version "2.0.4" | - |
Affected
| ||||||
| Horde Search vendor "Horde" | Horde Image Api Search vendor "Horde" for product "Horde Image Api" | 2.0.5 Search vendor "Horde" for product "Horde Image Api" and version "2.0.5" | - |
Affected
| ||||||
| Horde Search vendor "Horde" | Horde Image Api Search vendor "Horde" for product "Horde Image Api" | 2.0.6 Search vendor "Horde" for product "Horde Image Api" and version "2.0.6" | - |
Affected
| ||||||
| Horde Search vendor "Horde" | Horde Image Api Search vendor "Horde" for product "Horde Image Api" | 2.0.7 Search vendor "Horde" for product "Horde Image Api" and version "2.0.7" | - |
Affected
| ||||||
| Horde Search vendor "Horde" | Horde Image Api Search vendor "Horde" for product "Horde Image Api" | 2.0.8 Search vendor "Horde" for product "Horde Image Api" and version "2.0.8" | - |
Affected
| ||||||
| Horde Search vendor "Horde" | Horde Image Api Search vendor "Horde" for product "Horde Image Api" | 2.0.9 Search vendor "Horde" for product "Horde Image Api" and version "2.0.9" | - |
Affected
| ||||||
| Horde Search vendor "Horde" | Horde Image Api Search vendor "Horde" for product "Horde Image Api" | 2.1.0 Search vendor "Horde" for product "Horde Image Api" and version "2.1.0" | - |
Affected
| ||||||
| Horde Search vendor "Horde" | Horde Image Api Search vendor "Horde" for product "Horde Image Api" | 2.2.0 Search vendor "Horde" for product "Horde Image Api" and version "2.2.0" | - |
Affected
| ||||||
| Horde Search vendor "Horde" | Horde Image Api Search vendor "Horde" for product "Horde Image Api" | 2.3.0 Search vendor "Horde" for product "Horde Image Api" and version "2.3.0" | - |
Affected
| ||||||
| Horde Search vendor "Horde" | Horde Image Api Search vendor "Horde" for product "Horde Image Api" | 2.3.1 Search vendor "Horde" for product "Horde Image Api" and version "2.3.1" | - |
Affected
| ||||||
| Horde Search vendor "Horde" | Horde Image Api Search vendor "Horde" for product "Horde Image Api" | 2.3.2 Search vendor "Horde" for product "Horde Image Api" and version "2.3.2" | - |
Affected
| ||||||
| Horde Search vendor "Horde" | Horde Image Api Search vendor "Horde" for product "Horde Image Api" | 2.3.3 Search vendor "Horde" for product "Horde Image Api" and version "2.3.3" | - |
Affected
| ||||||
| Horde Search vendor "Horde" | Horde Image Api Search vendor "Horde" for product "Horde Image Api" | 2.3.4 Search vendor "Horde" for product "Horde Image Api" and version "2.3.4" | - |
Affected
| ||||||
| Horde Search vendor "Horde" | Horde Image Api Search vendor "Horde" for product "Horde Image Api" | 2.3.5 Search vendor "Horde" for product "Horde Image Api" and version "2.3.5" | - |
Affected
| ||||||
| Horde Search vendor "Horde" | Horde Image Api Search vendor "Horde" for product "Horde Image Api" | 2.3.6 Search vendor "Horde" for product "Horde Image Api" and version "2.3.6" | - |
Affected
| ||||||
| Horde Search vendor "Horde" | Horde Image Api Search vendor "Horde" for product "Horde Image Api" | 2.4.0 Search vendor "Horde" for product "Horde Image Api" and version "2.4.0" | - |
Affected
| ||||||
| Horde Search vendor "Horde" | Horde Image Api Search vendor "Horde" for product "Horde Image Api" | 2.4.1 Search vendor "Horde" for product "Horde Image Api" and version "2.4.1" | - |
Affected
| ||||||
| Horde Search vendor "Horde" | Horde Image Api Search vendor "Horde" for product "Horde Image Api" | 2.5.0 Search vendor "Horde" for product "Horde Image Api" and version "2.5.0" | - |
Affected
| ||||||
| Horde Search vendor "Horde" | Horde Image Api Search vendor "Horde" for product "Horde Image Api" | 2.5.1 Search vendor "Horde" for product "Horde Image Api" and version "2.5.1" | - |
Affected
| ||||||