CVE-2022-43597

2022-12-2323:03:51

CWE-122

talos

web.nvd.nist.gov

cve-2022-43597

openimageio

memory corruption

vulnerability

nvd

CVSS3

8.1

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

9.2

Confidence

High

EPSS

0.008

Percentile

82.4%

JSON

Multiple memory corruption vulnerabilities exist in the IFFOutput alignment padding functionality of OpenImageIO Project OpenImageIO v2.4.4.2. A specially crafted ImageOutput Object can lead to arbitrary code execution. An attacker can provide malicious input to trigger these vulnerabilities.This vulnerability arises when the m_spec.format is TypeDesc::UINT8.

Affected configurations

Nvd

Vulners

Node

openimageioopenimageioMatch2.4.4.2

Node

debiandebian_linuxMatch11.0

VendorProductVersionCPE
openimageioopenimageio2.4.4.2cpe:2.3:a:openimageio:openimageio:2.4.4.2:*:*:*:*:*:*:*
debiandebian_linux11.0cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
openimageio	openimageio	2.4.4.2	cpe:2.3:a:openimageio:openimageio:2.4.4.2:::::::*
debian	debian_linux	11.0	cpe:2.3:o:debian:debian_linux:11.0:::::::*

CNA Affected

[
  {
    "vendor": "OpenImageIO Project",
    "product": "OpenImageIO",
    "versions": [
      {
        "version": "v2.4.4.2",
        "status": "affected"
      }
    ]
  }
]