Vulnerability Name:

CVE-2014-1947 (CCN-91342)

Assigned:2014-02-16
Published:2014-02-16
Updated:2020-02-21
Summary:Stack-based buffer overflow in the WritePSDImage function in coders/psd.c in ImageMagick 6.5.4 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a large number of layers in a PSD image, involving the L%02ld string, a different vulnerability than CVE-2014-2030.
CVSS v3 Severity:7.8 High (CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Exploitability Metrics:Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): High
Availibility (A): High
5.9 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
Exploitability Metrics:Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): Low
Integrity (I): Low
Availibility (A): Low
CVSS v2 Severity:6.8 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P)
5.3 Medium (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availibility (A): Partial
4.4 Medium (CCN CVSS v2 Vector: AV:L/AC:M/Au:N/C:P/I:P/A:P)
3.4 Low (CCN Temporal CVSS v2 Vector: AV:L/AC:M/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Local
Access Complexity (AC): Medium
Athentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availibility (A): Partial
Vulnerability Type:CWE-787
Vulnerability Consequences:Gain Access
References:Source: MITRE
Type: CNA
CVE-2014-1947

Source: CCN
Type: ImageMagick Web site
Introduction to ImageMagick

Source: MISC
Type: Mailing List, Third Party Advisory
http://www.openwall.com/lists/oss-security/2014/02/12/13

Source: MISC
Type: Mailing List, Patch, Third Party Advisory
http://www.openwall.com/lists/oss-security/2014/02/12/2

Source: MISC
Type: Mailing List, Third Party Advisory
http://www.openwall.com/lists/oss-security/2014/02/13/2

Source: MISC
Type: Mailing List, Third Party Advisory
http://www.openwall.com/lists/oss-security/2014/02/13/5

Source: MISC
Type: Mailing List, Third Party Advisory
http://www.openwall.com/lists/oss-security/2014/02/19/13

Source: CCN
Type: BID-65683
ImageMagick PSD Image File Handling CVE-2014-1947 Remote Buffer Overflow Vulnerability

Source: MISC
Type: Issue Tracking, Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=1064098

Source: XF
Type: UNKNOWN
imagemagick-cve20141947-bo(91342)

Source: EXPLOIT-DB
Type: EXPLOIT
Offensive Security Exploit Database [02-16-2014]

Source: MISC
Type: Third Party Advisory
https://www.suse.com/support/update/announcement/2014/suse-su-20140359-1.html

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2014-1947

Vulnerable Configuration:Configuration 1:
  • cpe:/a:imagemagick:imagemagick:*:*:*:*:*:*:*:* (Version <= 6.5.4)

    • Configuration 2:
  • cpe:/o:suse:linux_enterprise_desktop:11:sp3:*:*:*:*:*:*
  • OR cpe:/o:opensuse:suse_linux_enterprise_server:11.0:sp3:*:*:*:*:*:*
  • OR cpe:/o:suse:linux_enterprise_server:11:sp3:*:*:*:vmware:*:*
  • OR cpe:/o:suse:linux_enterprise_software_development_kit:11:sp3:*:*:*:*:*:*

    • Configuration CCN 1:
  • cpe:/a:imagemagick:imagemagick:6.8.7-5:*:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    Oval Definitions
    Definition IDClassTitleLast Modified
    oval:org.opensuse.security:def:20141947
    V
    		CVE-2014-1947
    2022-05-20
    oval:org.opensuse.security:def:26147
    P
    		Security update for MozillaFirefox (Important)
    2021-10-15
    oval:org.opensuse.security:def:26112
    P
    		Security update for sssd (Important)
    2021-08-30
    oval:org.opensuse.security:def:31650
    P
    		Security update for arpwatch (Important)
    2021-06-28
    oval:org.opensuse.security:def:31639
    P
    		Security update for freeradius-server (Moderate)
    2021-06-11
    oval:org.opensuse.security:def:31638
    P
    		Security update for caribou (Important)
    2021-06-10
    oval:org.opensuse.security:def:36359
    P
    		ImageMagick-6.4.3.6-7.30.1 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:42579
    P
    		libMagickCore1-32bit-6.4.3.6-7.30.1 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:36172
    P
    		libMagickCore1-32bit-6.4.3.6-7.30.1 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:26063
    P
    		Security update for dhcp (Important)
    2021-06-01
    oval:org.opensuse.security:def:32092
    P
    		Security update for the Linux Kernel (Important)
    2021-05-18
    oval:org.opensuse.security:def:26193
    P
    		Security update for bind (Important)
    2021-02-18
    oval:org.opensuse.security:def:31724
    P
    		Security update for python (Important)
    2021-02-11
    oval:org.opensuse.security:def:32248
    P
    		Security update for the Linux Kernel (Live Patch 32 for SLE 12 SP3) (Important)
    2021-02-10
    oval:org.opensuse.security:def:33096
    P
    		Security update for MozillaFirefox (Important)
    2021-01-12
    oval:org.opensuse.security:def:25984
    P
    		Security update for cyrus-sasl (Important)
    2020-12-28
    oval:org.opensuse.security:def:32005
    P
    		Security update for xen (Important)
    2020-12-07
    oval:org.opensuse.security:def:31948
    P
    		Security update for gpg2 (Important)
    2020-12-01
    oval:org.opensuse.security:def:27135
    P
    		gmime on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:25722
    P
    		Security update for ovmf (Low)
    2020-12-01
    oval:org.opensuse.security:def:32392
    P
    		Security update for tomcat6 (Important)
    2020-12-01
    oval:org.opensuse.security:def:26538
    P
    		e2fsprogs on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:31856
    P
    		Security update for cups (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:27357
    P
    		ImageMagick on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:25920
    P
    		Security update for gstreamer-plugins-base (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:26497
    P
    		Security update for tor (Important)
    2020-12-01
    oval:org.opensuse.security:def:25721
    P
    		Security update for MozillaFirefox (Important)
    2020-12-01
    oval:org.opensuse.security:def:32353
    P
    		Security update for squid3 (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:26485
    P
    		Security update for singularity (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:27322
    P
    		x3270 on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:25909
    P
    		Security update for flash-player (Important)
    2020-12-01
    oval:org.opensuse.security:def:26453
    P
    		Security update for kauth (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:32304
    P
    		Security update for python (Important)
    2020-12-01
    oval:org.opensuse.security:def:26334
    P
    		Security update for Chromium (Important)
    2020-12-01
    oval:org.opensuse.security:def:26006
    P
    		Security update for mariadb (Important)
    2020-12-01
    oval:org.opensuse.security:def:33135
    P
    		libMagickCore1-32bit on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:26684
    P
    		dbus-1-glib on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:25908
    P
    		Security update for flash-player (Important)
    2020-12-01
    oval:org.opensuse.security:def:26439
    P
    		Security update for MozillaThunderbird (Important)
    2020-12-01
    oval:org.opensuse.security:def:26250
    P
    		Security update for the Linux Kernel (Important)
    2020-12-01
    oval:org.opensuse.security:def:25925
    P
    		Security update for pcre (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:26640
    P
    		sudo on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:26400
    P
    		Security update for Chromium (Important)
    2020-12-01
    oval:org.opensuse.security:def:25797
    P
    		Security update for flash-player (Important)
    2020-12-01
    oval:org.opensuse.security:def:32458
    P
    		Security update for xorg-x11-libX11 (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:26626
    P
    		pam_mount on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:26351
    P
    		Security update for mongodb (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:27170
    P
    		libMagickCore1-32bit on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:25733
    P
    		Security update for mgetty (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:32414
    P
    		Security update for wireshark (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:26587
    P
    		libgtop on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:26298
    P
    		Security update for mariadb-100 (Moderate)
    2020-12-01
    oval:org.mitre.oval:def:24630
    P
    		SUSE-SU-2014:0359-1 -- Security update for ImageMagick
    2014-09-08
    oval:org.mitre.oval:def:23905
    P
    		DSA-2898-1 imagemagick - security update
    2014-07-21
    oval:com.ubuntu.precise:def:20141947000
    V
    		CVE-2014-1947 on Ubuntu 12.04 LTS (precise) - medium.
    2014-02-21
    BACK
    imagemagick imagemagick *
    suse linux enterprise desktop 11 sp3
    suse linux enterprise server 11 sp3
    suse linux enterprise server 11 sp3
    suse linux enterprise software development kit 11 sp3
    imagemagick imagemagick 6.8.7-5