CVE-2009-1720 — Integer Overflow or Wraparound in Openexr

CWE-189 CWE-190 — Integer Overflow or Wraparound9 documents8 sources

Severity

7.5HIGHNVD

EPSS

19.2%

top 4.63%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Openexr Debian Openexr

Timeline

PublishedJul 31

Latest updateMay 2

Description

Multiple integer overflows in OpenEXR 1.2.2 and 1.6.1 allow context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via unspecified vectors that trigger heap-based buffer overflows, related to (1) the Imf::PreviewImage::PreviewImage function and (2) compressor constructors. NOTE: some of these details are obtained from third party information.

CVSS vector

AV:N/AC:L/C:P/I:P/A:PExploitability: 10.0 | Impact: 6.4

Affected Packages3 packages

▶debiandebian/openexr< openexr 1.6.1-4.1 (bookworm)

▶Debianopenexr/openexr< 1.6.1-4.1+3

▶NVDopenexr/openexr1.2.2, 1.6.1+1

Patches

Patch: release.debian.org ↗Patch: security.debian.org ↗Patch: security.debian.org ↗

🔴Vulnerability Details

GHSA

GHSA-9qfx-pcxp-2cw7: Multiple integer overflows in OpenEXR 1↗2022-05-02

▶

OSV

CVE-2009-1720: Multiple integer overflows in OpenEXR 1↗2009-07-31

▶

💥Exploits & PoCs

Exploit-DB

Joomla! Component QPersonel 1.0.2 - SQL Injection↗2010-04-13

▶

📋Vendor Advisories

Ubuntu

OpenEXR vulnerabilities↗2009-09-14

▶

Red Hat

OpenEXR: Multiple integer overflows↗2009-07-28

▶

Debian

CVE-2009-1720: openexr - Multiple integer overflows in OpenEXR 1.2.2 and 1.6.1 allow context-dependent at...↗2009

▶

💬Community

Bugzilla

CVE-2009-1720 OpenEXR: Multiple integer overflows↗2009-07-27

▶

Bugzilla

CVE-2009-1721 OpenEXR: Invalid pointer free by image decompression↗2009-07-27

▶