CVE-2022-3857 - Vulnerability Details - OpenCVE

Maintainer contacted. This is a false-positive. The flaw does not actually exist and was erroneously tested.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

No data.

No data.

No data.

References

Link	Providers
https://nvd.nist.gov/vuln/detail/CVE-2022-3857
https://www.cve.org/CVERecord?id=CVE-2022-3857

History

Wed, 09 Oct 2024 04:30:00 +0000

Type	Values Removed	Values Added
CPEs	cpe:2.3:a:libpng:libpng:1.6.38:::::::*
Vendors & Products	Libpng Libpng libpng
References	https://security.netapp.com/advisory/ntap-20230406-0004/ https://sourceforge.net/p/libpng/bugs/300/

Wed, 09 Oct 2024 03:45:00 +0000

Type	Values Removed	Values Added
Description	A flaw was found in libpng 1.6.38. A crafted PNG image can lead to a segmentation fault and denial of service in png_setup_paeth_row() function.	Maintainer contacted. This is a false-positive. The flaw does not actually exist and was erroneously tested.

MITRE

Status: REJECTED

Assigner: redhat

Published: 2023-03-06T00:00:00

Updated: 2024-10-29T18:03:32.799Z

Reserved: 2022-11-04T00:00:00

Link: CVE-2022-3857

Vulnrichment

No data.

NVD

Status : Rejected

Published: 2023-03-06T23:15:11.087

Modified: 2024-10-09T04:15:06.567

Link: CVE-2022-3857

Redhat

Severity : Low

Publid Date: 2022-11-04T00:00:00Z

Links: CVE-2022-3857 - Bugzilla

{"acknowledgement": "Red Hat would like to thank Heqing Huang (The Hong Kong University of Science and Technology) for reporting this issue.", "bugzilla": {"description": "libpng: Null pointer dereference leads to segmentation fault", "id": "2142600", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2142600"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-476", "details": ["[REJECTED CVE] A issue has been identified with libpng in png_setup_paeth_row() function. A crafted PNG image from a n attacker can lead to a segmentation fault and Denial of service."], "name": "CVE-2022-3857", "package_state": [{"cpe": "cpe:/a:redhat:openjdk:11", "fix_state": "Fix deferred", "package_name": "java-11-openjdk-portable", "product_name": "Red Hat build of OpenJDK 11"}, {"cpe": "cpe:/a:redhat:openjdk:17", "fix_state": "Fix deferred", "package_name": "java-11-openjdk-portable", "product_name": "Red Hat build of OpenJDK 17"}, {"cpe": "cpe:/a:redhat:openjdk:1.8", "fix_state": "Fix deferred", "package_name": "java-11-openjdk-portable", "product_name": "Red Hat build of OpenJDK 1.8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "libpng", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "libpng", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "libpng12", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "java-11-openjdk", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "java-17-openjdk", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "java-1.8.0-openjdk", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "libpng", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "libpng12", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "libpng15", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "java-11-openjdk", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "java-17-openjdk", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "java-1.8.0-openjdk", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "libpng", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "libpng15", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2022-11-04T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-3857\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-3857"], "statement": "This CVE has been rejected upstream, because this flaw does not exist and was erroneously tested. This issue has been marked as a false-positive - https://sourceforge.net/p/libpng/bugs/300/\nRed Hat has also evaluated this issue and determined that it does not meet the criteria to be classified as a security vulnerability. This assessment is based on the issue not posing a significant security risk, being a result of misconfiguration or usage error, or falling outside the scope of security considerations. \nAs such, this CVE has been marked as \"Rejected\" in alignment with Red Hat's vulnerability management policies.\nIf you have additional information or concerns regarding this determination, please contact Red Hat Product Security for further clarification.", "threat_severity": "Low"}