CVE-2023-5841

2024-02-0119:15:08

CWE-122

CWE-787

[email protected]

web.nvd.nist.gov

cve-2023-5841

openexr

security vulnerability

heap-based buffer overflow

nvd

image parsing library

9.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

9.1 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

28.7%

JSON

Due to a failure in validating the number of scanline samples of a OpenEXR file containing deep scanline data, Academy Software Foundation OpenEX image parsing library version 3.2.1 and prior is susceptible to a heap-based buffer overflow vulnerability. This issue was resolved as of versions v3.2.2 and v3.1.12 of the affected library.

Affected configurations

NVD

Node

openexropenexrRange≤3.2.1

CPENameOperatorVersion
openexr:openexropenexrle3.2.1

CPE	Name	Operator	Version
openexr:openexr	openexr	le	3.2.1

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "OpenEXR",
    "vendor": "Academy Software Foundation",
    "versions": [
      {
        "lessThanOrEqual": "3.2.1",
        "status": "affected",
        "version": "0",
        "versionType": "semver"
      },
      {
        "status": "unaffected",
        "version": "3.2.2"
      },
      {
        "status": "unaffected",
        "version": "3.1.12 "
      }
    ]
  }
]