SB2018032604 - Remote code execution in LibTIFF
Published: March 26, 2018 Updated: June 25, 2020
Security Bulletin ID
SB2018032604
Severity
High
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Code execution
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Heap-based buffer overflow (CVE-ID: CVE-2018-8905)
The vulnerability allows a remote authenticated attacker to cause DoS condition or execute arbitrary code on the target system.The weakness exists in the LZWDecodeCompat function due to insufficient validation of user-supplied input. A remote attacker can submit a specially crafted TIFF file, cause the service to crash or execute arbitrary code.
Successful exploitation of the vulnerability may result in system compromise.
Remediation
Install update from vendor's website.