CVE-2022-41837

2022-12-2222:15:15

CWE-562

CWE-787

[email protected]

web.nvd.nist.gov

openimageio

vulnerability

memory corruption

exif metadata

malicious file

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.003

Percentile

65.8%

JSON

An out-of-bounds write vulnerability exists in the OpenImageIO::add_exif_item_to_spec functionality of OpenImageIO Project OpenImageIO v2.4.4.2. Specially-crafted exif metadata can lead to stack-based memory corruption. An attacker can provide a malicious file to trigger this vulnerability.

Affected configurations

Nvd

Node

openimageioopenimageioMatch2.4.4.2

Node

debiandebian_linuxMatch11.0

VendorProductVersionCPE
openimageioopenimageio2.4.4.2cpe:2.3:a:openimageio:openimageio:2.4.4.2:*:*:*:*:*:*:*
debiandebian_linux11.0cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
openimageio	openimageio	2.4.4.2	cpe:2.3:a:openimageio:openimageio:2.4.4.2:::::::*
debian	debian_linux	11.0	cpe:2.3:o:debian:debian_linux:11.0:::::::*