CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
AI Score
Confidence
Low
OpenImageIO is a toolset for reading, writing, and manipulating image files
of any image file format relevant to VFX / animation via a format-agnostic
API with a feature set, scalability, and robustness needed for feature film
production. In affected versions there is a bug in the heif input
functionality of OpenImageIO. Specifically, in
HeifInput::seek_subimage()
. In the worst case, this can lead to an
information disclosure vulnerability, particularly for programs that
directly use the ImageInput
APIs. This bug has been addressed in commit
0a2dcb4c
which is included in the 2.5.13.1 release. Users are advised to
upgrade. There are no known workarounds for this issue.
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
ubuntu | 18.04 | noarch | openimageio | < any | UNKNOWN |
ubuntu | 20.04 | noarch | openimageio | < any | UNKNOWN |
ubuntu | 22.04 | noarch | openimageio | < any | UNKNOWN |
ubuntu | 24.04 | noarch | openimageio | < any | UNKNOWN |
ubuntu | 16.04 | noarch | openimageio | < any | UNKNOWN |
github.com/AcademySoftwareFoundation/OpenImageIO/blob/7c486a1121a4bf71d50ff555fab2770294b748d7/src/heif.imageio/heifinput.cpp#L250
github.com/AcademySoftwareFoundation/OpenImageIO/commit/0a2dcb4cf2c3fd4825a146cd3ad929d9d8305ce3
github.com/AcademySoftwareFoundation/OpenImageIO/security/advisories/GHSA-jjm9-9m4m-c8p2
launchpad.net/bugs/cve/CVE-2024-40630
nvd.nist.gov/vuln/detail/CVE-2024-40630
security-tracker.debian.org/tracker/CVE-2024-40630
www.cve.org/CVERecord?id=CVE-2024-40630