CVE-2016-3718

CVE Published 2016-05-05
Related CWE(s) CWE-20: Improper Input Validation, CWE-918: Server-Side Request Forgery (SSRF)
Related Vendor(s) redhat, imagemagick, oracle, suse, canonical, opensuse
Related Product(s) enterprise_linux_server_eus, enterprise_linux_hpc_node, leap, opensuse, linux_enterprise_debuginfo, enterprise_linux_server_from_rhui, imagemagick, manager, openstack_cloud, enterprise_linux_for_power_big_endian_eus, linux, linux_enterprise_server, solaris, linux_enterprise_software_development_kit, enterprise_linux_desktop, linux_enterprise_workstation_extension, enterprise_linux_workstation, enterprise_linux_for_power_big_endian, enterprise_linux_eus, enterprise_linux_for_power_little_endian_eus, enterprise_linux_server_supplementary_eus, ubuntu_linux, enterprise_linux_hpc_node_eus, enterprise_linux_server_aus, enterprise_linux_for_ibm_z_systems, manager_proxy, enterprise_linux_for_power_little_endian, enterprise_linux_server, enterprise_linux_for_ibm_z_systems_eus, linux_enterprise_desktop, enterprise_linux_server_tus
Exploitation Reported (CISA KEV) 2021-11-03
CVSS 3 Base Score 5.5 (MEDIUM)
CVSS 3 Attack Complexity LOW
CVSS 3 Attack Vector LOCAL

The (1) HTTP and (2) FTP coders in ImageMagick before 6.9.3-10 and 7.x before 7.0.1-1 allow remote attackers to conduct server-side request forgery (SSRF) attacks via a crafted image.
