CVE-2023-45663

2023-10-2100:15:08

CWE-908

[email protected]

web.nvd.nist.gov

stb_image

mit licensed

image processing

cve-2023-45663

buffer overflow

security vulnerability

nvd

5.5 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

7.1 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

23.8%

JSON

stb_image is a single file MIT licensed library for processing images. The stbi__getn function reads a specified number of bytes from context (typically a file) into the specified buffer. In case the file stream points to the end, it returns zero. There are two places where its return value is not checked: In the stbi__hdr_load function and in the stbi__tga_load function. The latter of the two is likely more exploitable as an attacker may also control the size of an uninitialized buffer.

Affected configurations

Vulners

NVD

Node

nothingsstb_image.hRange≤2.28

VendorProductVersionCPE
nothingsstb_image\.h*cpe:2.3:a:nothings:stb_image\.h:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
nothings	stb_image\.h	*	cpe:2.3:a:nothings:stb_image\.h::::::::

CNA Affected

[
  {
    "vendor": "nothings",
    "product": "stb",
    "versions": [
      {
        "version": "<= 2.28",
        "status": "affected"
      }
    ]
  }
]