CVE-2023-3430 - Vulnerability Details - OpenCVE

A vulnerability was found in OpenImageIO, where a heap buffer overflow exists in the src/gif.imageio/gifinput.cpp file. This flaw allows a remote attacker to pass a specially crafted file to the application, which triggers a heap-based buffer overflow and could cause a crash, leading to a denial of service.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Openimageio	Openimageio
Redhat	Linux

Configuration 1 [-]

AND

cpe:2.3:a:openimageio:openimageio:2.4.11:*:*:*:*:*:*:*

cpe:2.3:o:redhat:linux:-:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://bugzilla.redhat.com/show_bug.cgi?id=2218380
https://github.com/AcademySoftwareFoundation/OpenImageIO/issues/3840

History

No history.

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2023-12-18T13:40:05.145Z

Updated: 2024-08-02T06:55:03.301Z

Reserved: 2023-06-27T13:55:43.943Z

Link: CVE-2023-3430

Vulnrichment

No data.

NVD

Status : Modified

Published: 2023-12-18T14:15:08.113

Modified: 2024-11-21T08:17:14.940

Link: CVE-2023-3430

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-3430", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2023-06-27T13:55:43.943Z", "datePublished": "2023-12-18T13:40:05.145Z", "dateUpdated": "2024-08-02T06:55:03.301Z"}, "containers": {"cna": {"title": "Openimageio: heap-buffer-overflow in file src/gif.imageio/gifinput.cpp", "metrics": [{"other": {"content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "A vulnerability was found in OpenImageIO, where a heap buffer overflow exists in the src/gif.imageio/gifinput.cpp file. This flaw allows a remote attacker to pass a specially crafted file to the application, which triggers a heap-based buffer overflow and could cause a crash, leading to a denial of service."}], "affected": [{"product": "OpenImageIO", "vendor": "n/a", "versions": [{"version": "2.4.12.0", "status": "unaffected"}]}, {"product": "Extra Packages for Enterprise Linux", "vendor": "Fedora", "collectionURL": "https://packages.fedoraproject.org/", "packageName": "OpenImageIO", "defaultStatus": "affected"}, {"product": "Fedora", "vendor": "Fedora", "collectionURL": "https://packages.fedoraproject.org/", "packageName": "OpenImageIO", "defaultStatus": "affected"}], "references": [{"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2218380", "name": "RHBZ#2218380", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "datePublic": "2023-05-15T00:00:00+00:00", "problemTypes": [{"descriptions": [{"cweId": "CWE-122", "description": "Heap-based Buffer Overflow", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-122: Heap-based Buffer Overflow", "timeline": [{"lang": "en", "time": "2023-02-27T00:00:00+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2023-05-15T00:00:00+00:00", "value": "Made public."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2023-12-18T13:40:05.145Z"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T06:55:03.301Z"}, "title": "CVE Program Container", "references": [{"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2218380", "name": "RHBZ#2218380", "tags": ["issue-tracking", "x_refsource_REDHAT", "x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:openimageio:openimageio:2.4.11:*:*:*:*:*:*:*", "matchCriteriaId": "1026CE08-F9A9-4AE9-9C58-B20DE134CFAD", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:redhat:linux:-:*:*:*:*:*:*:*", "matchCriteriaId": "C4EBE07A-6FEF-4343-BA5D-58FD175F5CD1", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "A vulnerability was found in OpenImageIO, where a heap buffer overflow exists in the src/gif.imageio/gifinput.cpp file. This flaw allows a remote attacker to pass a specially crafted file to the application, which triggers a heap-based buffer overflow and could cause a crash, leading to a denial of service."}, {"lang": "es", "value": "Se encontr\u00f3 una vulnerabilidad en OpenImageIO, donde existe un desbordamiento de b\u00fafer de almacenamiento din\u00e1mico en el archivo src/gif.imageio/gifinput.cpp. Este fallo permite que un atacante remoto pase un archivo especialmente manipulado a la aplicaci\u00f3n, lo que desencadena un desbordamiento de b\u00fafer de almacenamiento din\u00e1mico y podr\u00eda causar una falla, lo que llevar\u00eda a una denegaci\u00f3n de servicio."}], "id": "CVE-2023-3430", "lastModified": "2024-11-21T08:17:14.940", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "secalert@redhat.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-12-18T14:15:08.113", "references": [{"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2218380"}, {"source": "nvd@nist.gov", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/AcademySoftwareFoundation/OpenImageIO/issues/3840"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2218380"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-122"}], "source": "secalert@redhat.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-787"}], "source": "nvd@nist.gov", "type": "Primary"}]}