CVSS2

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | MEDIUM |
Authentication | NONE |
Confidentiality Impact | NONE |
Integrity Impact | NONE |
Availability Impact | PARTIAL |

AV:N/AC:M/Au:N/C:N/I:N/A:P

CVSS3

Metric | Value |
---|---|
Attack Vector | LOCAL |
Attack Complexity | LOW |
Privileges Required | NONE |
User Interaction | REQUIRED |
Scope | UNCHANGED |
Confidentiality Impact | NONE |
Integrity Impact | NONE |
Availability Impact | HIGH |

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

EPSS

Metric | Value |
---|---|
Percentile | 67.8% |

LibTIFF allows remote attackers to cause a denial of service (memory
consumption and crash) via a crafted tiff file.
Author | Note |
---|---|
mdeslaur | as of 2021-02-24, no upstream fix |
sbeattie | likely fixed in upstream 4.0.7 release; reproducer in oss-security post |
ccdm94 | bionic and later are not-affected and the issue is not reproducible in trusty (no huge reallocs are made, as would be expected), and is also not reproducible in xenial (no reallocs made at all, according to ltrace output) with the POC file provided in the oss-security post. No upstream patch was identified after analysis of the libtiff changelog file, as well as the change history for the tiffdither code. Since this is a 2015 issue, trusty and xenial will be marked as ignored. |