GitHub_MCVELIST:CVE-2024-40630CVE-2024-40630 HEIF Heap OOB Read in OpenImageIO
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
EPSS
Percentile
15.9%
OpenImageIO is a toolset for reading, writing, and manipulating image files of any image file format relevant to VFX / animation via a format-agnostic API with a feature set, scalability, and robustness needed for feature film production. In affected versions there is a bug in the heif input functionality of OpenImageIO. Specifically, in HeifInput::seek_subimage(). In the worst case, this can lead to an information disclosure vulnerability, particularly for programs that directly use the ImageInput APIs. This bug has been addressed in commit 0a2dcb4c which is included in the 2.5.13.1 release. Users are advised to upgrade. There are no known workarounds for this issue.
CNA Affected
[
{
"vendor": "AcademySoftwareFoundation",
"product": "OpenImageIO",
"versions": [
{
"version": "< 2.5.13.1",
"status": "affected"
}
]
}
]References
github.com/AcademySoftwareFoundation/OpenImageIO/blob/7c486a1121a4bf71d50ff555fab2770294b748d7/src/heif.imageio/heifinput.cpp#L250
github.com/AcademySoftwareFoundation/OpenImageIO/commit/0a2dcb4cf2c3fd4825a146cd3ad929d9d8305ce3
github.com/AcademySoftwareFoundation/OpenImageIO/security/advisories/GHSA-jjm9-9m4m-c8p2
Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
EPSS
Percentile
15.9%