CVE-2022-41977 — Out-of-bounds Read in Openimageio

CWE-125 — Out-of-bounds Read6 documents5 sources

Severity

3.3LOWNVD

EPSS

0.1%

top 70.50%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Openimageio Debian Openimageio Openimageio Project Openimageio

Timeline

PublishedDec 22

Latest updateDec 23

Description

An out of bounds read vulnerability exists in the way OpenImageIO version v2.3.19.0 processes string fields in TIFF image files. A specially-crafted TIFF file can lead to information disclosure. An attacker can provide a malicious file to trigger this vulnerability.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:NExploitability: 1.8 | Impact: 1.4

Affected Packages4 packages

▶debiandebian/openimageio< openimageio 2.3.21.0+dfsg-1 (bookworm)

▶Debianopenimageio/openimageio< 2.2.10.1+dfsg-1+deb11u1+3

▶NVDopenimageio/openimageio2.3.19.0

▶CVEListV5openimageio_project/openimageiomaster-branch-9aeece7a, v2.3.19.0+1

🔴Vulnerability Details

GHSA

GHSA-ph8f-7wjw-g922: An out of bounds read vulnerability exists in the way OpenImageIO version v2↗2022-12-23

▶

OSV

CVE-2022-41977: An out of bounds read vulnerability exists in the way OpenImageIO version v2↗2022-12-22

▶

📋Vendor Advisories

Debian

CVE-2022-41977: openimageio - An out of bounds read vulnerability exists in the way OpenImageIO version v2.3.1...↗2022

▶

🕵️Threat Intelligence

Talos

Vulnerability Spotlight: OpenImageIO file processing issues could lead to arbitrary code execution, sensitive information leak and denial of service↗2022-12-22

▶

Talos

Vulnerability Spotlight: OpenImageIO file processing issues could lead to arbitrary code execution, sensitive information leak and denial of service↗2022-12-22

▶