History: Aug 11, 2021 - 12:37 p.m.

CVE-2020-28589

2021-08-11 12:37:20
CWE-129
talos
www.cve.org
loadobj functionality
array index validation
tinyobjloader
code execution
crafted file

CVSS3: 9.6

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

AI Score: 8.7
Confidence: High

EPSS: 0.003
Percentile: 66.2%

An improper array index validation vulnerability exists in the LoadObj functionality of tinyobjloader v2.0-rc1 and tinyobjloader development commit 79d4421. A specially crafted file could lead to code execution. An attacker can provide a malicious file to trigger this vulnerability.

CNA Affected

[
  {
    "product": "tinyobjloader",
    "vendor": "n/a",
    "versions": [
      {
        "status": "affected",
        "version": "tinyobjloader development commit 79d4421 , tinyobjloader v2.0-rc1"
      }
    ]
  }
]
