CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
AI Score
Confidence
High
EPSS
Percentile
92.5%
Security Advisory Description
The woff_open_font function in sfnt/sfobjs.c in FreeType before 2.5.4 proceeds with offset+length calculations without restricting length values, which allows remote attackers to cause a denial of service (integer overflow and heap-based buffer overflow) or possibly have unspecified other impact via a crafted Web Open Font Format (WOFF) file.
The Load_SBit_Png function in sfnt/pngshim.c in FreeType before 2.5.4 does not restrict the rows and pitch values of PNG data, which allows remote attackers to cause a denial of service (integer overflow and heap-based buffer overflow) or possibly have unspecified other impact by embedding a PNG file in a .ttf font file.
cff/cf2ft.c in FreeType before 2.5.4 does not validate the return values of point-allocation functions, which allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted OTF font.
An issue was discovered in FreeType 2 through 2.9. A NULL pointer dereference in the Ins_GETVARIATION() function within ttinterp.c could lead to DoS via a crafted font file.
FreeType before 2.6.2 has a heap-based buffer over-read in tt_cmap14_validate in sfnt/ttcmap.c.
Array index error in the parse_fond function in base/ftmac.c in FreeType before 2.5.4 allows remote attackers to cause a denial of service (out-of-bounds read) or obtain sensitive information from process memory via a crafted FOND resource in a Mac font file.
The tt_sbit_decoder_init function in sfnt/ttsbit.c in FreeType before 2.5.4 proceeds with a count-to-size association without restricting the count value, which allows remote attackers to cause a denial of service (integer overflow and out-of-bounds read) or possibly have unspecified other impact via a crafted embedded bitmap.
The (1) cf2_initLocalRegionBuffer and (2) cf2_initGlobalRegionBuffer functions in cff/cf2ft.c in FreeType before 2.5.3 do not properly check if a subroutine exists, which allows remote attackers to cause a denial of service (assertion failure), as demonstrated by a crafted ttf file.
Impact
There is no impact; F5 products are not affected by this vulnerability.
Vendor | Product | Version | CPE |
---|---|---|---|
f5 | big-ip_next_central_manager | 20.2.0 | cpe:2.3:a:f5:big-ip_next_central_manager:20.2.0:*:*:*:*:*:*:* |
f5 | big-ip_next_central_manager | 20.2.1 | cpe:2.3:a:f5:big-ip_next_central_manager:20.2.1:*:*:*:*:*:*:* |
f5 | big-ip_next | 1.1.0 | cpe:2.3:a:f5:big-ip_next:1.1.0:*:*:*:*:*:*:* |
f5 | big-ip_next | 1.1.1 | cpe:2.3:a:f5:big-ip_next:1.1.1:*:*:*:*:*:*:* |
f5 | big-ip_next | 1.2.0 | cpe:2.3:a:f5:big-ip_next:1.2.0:*:*:*:*:*:*:* |
f5 | big-ip_next | 1.2.1 | cpe:2.3:a:f5:big-ip_next:1.2.1:*:*:*:*:*:*:* |
f5 | big-ip_next | 1.3.0 | cpe:2.3:a:f5:big-ip_next:1.3.0:*:*:*:*:*:*:* |
f5 | big-ip_next | 1.3.1 | cpe:2.3:a:f5:big-ip_next:1.3.1:*:*:*:*:*:*:* |
f5 | big-ip_dns | 1.1.0 | cpe:2.3:a:f5:big-ip_dns:1.1.0:*:*:*:*:*:*:* |
f5 | big-ip_dns | 1.1.1 | cpe:2.3:a:f5:big-ip_dns:1.1.1:*:*:*:*:*:*:* |
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
AI Score
Confidence
High
EPSS
Percentile
92.5%