CVE-2016-3718 vulnerability in Canonical Ubuntu Linux and Other Products
Published on May 5, 2016

The (1) HTTP and (2) FTP coders in ImageMagick before 6.9.3-10 and 7.x before 7.0.1-1 allow remote attackers to conduct server-side request forgery (SSRF) attacks via a crafted image.


Known Exploited Vulnerability

This ImageMagick SSRF Vulnerability is part of CISA's list of Known Exploited Vulnerabilities.

The following remediation steps are recommended / required by May 3, 2022: Apply updates per vendor instructions.

Vulnerability Analysis

CVE-2016-3718 is exploitable with local system access and requires user interaction. It is considered to have a low attack complexity and has an exploitability score of 1.8 out of four. An exploit of this vulnerability is considered to have no impact on confidentiality, a high impact on integrity, and no impact on availability.

Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.


Products Associated with CVE-2016-3718

You can be notified by stack.watch whenever vulnerabilities like CVE-2016-3718 are published in these products:

What versions are vulnerable to CVE-2016-3718?