CVE-2017-14650

Source
https://cve.org/CVERecord?id=CVE-2017-14650
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-14650.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2017-14650
Downstream
Published
2017-09-21T17:29:00.590Z
Modified
2026-02-05T01:34:07.481526Z
Severity
  • 8.1 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
[none]
Details

A Remote Code Execution vulnerability has been found in the Horde_Image library when using the "Im" backend that utilizes ImageMagick's "convert" utility. It's not exploitable through any Horde application, because the code path to the vulnerability is not used by any Horde code. Custom applications using the Horde_Image library might be affected. This vulnerability affects all versions of Horde_Image from 2.0.0 to 2.5.1, and is fixed in 2.5.2. The problem is missing input validation of the index field in _raw() during construction of an ImageMagick command line.

References

Affected packages

Git / github.com/horde/image

Affected ranges

Type
GIT
Repo
https://github.com/horde/image
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected

Affected versions

v1.*
v1.0.0
v1.0.0beta1
v1.0.0rc1
v1.0.0rc2
v1.0.1
v1.0.10
v1.0.2
v1.0.3
v1.0.4
v1.0.6
v1.0.7
v1.0.8
v1.0.9
v2.*
v2.0.0
v2.0.0alpha1
v2.0.0beta1
v2.0.0beta2
v2.0.1
v2.0.2
v2.0.3
v2.0.4
v2.0.5
v2.0.6
v2.0.7
v2.0.8
v2.0.9
v2.1.0
v2.2.0
v2.3.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-14650.json"