Multiple vulnerabilities in OpenImageIO oiio
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 10 |
| CVE-ID | CVE-2022-38143 CVE-2022-41838 CVE-2022-41999 CVE-2022-41794 CVE-2022-36354 CVE-2022-41684 CVE-2022-41977 CVE-2022-41639 CVE-2022-41988 CVE-2022-41981 |
| CWE-ID | CWE-787 CWE-122 CWE-20 CWE-400 CWE-125 CWE-200 CWE-121 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
oiio Other software / Other software solutions |
| Vendor | OpenImageIO |
Security Bulletin
This security bulletin contains information about 10 vulnerabilities.
1) Out-of-bounds write
EUVDB-ID: #VU74792
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2022-38143
CWE-ID:
CWE-787 - Out-of-bounds write
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a boundary error when processing RLE encoded BMP images. A remote attacker can create a specially crafted BMP file, trick the victim into opening it using the affected software, trigger an out-of-bounds write and execute arbitrary code on the target system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsoiio: 2.0.14 - 2.4.4.2
CPE2.3- cpe:2.3:a:OpenImageIO:oiio:2.0.14:*:*:*:*:*:*:*
- cpe:2.3:a:OpenImageIO:oiio:2.1.20.0:*:*:*:*:*:*:*
- cpe:2.3:a:OpenImageIO:oiio:2.2.6.1:*:*:*:*:*:*:*
https://talosintelligence.com/vulnerability_reports/TALOS-2022-1630
https://github.com/OpenImageIO/oiio/releases/tag/v2.4.5.0
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Heap-based buffer overflow
EUVDB-ID: #VU74795
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2022-41838
CWE-ID:
CWE-122 - Heap-based Buffer Overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in DDS scanline parsing functionality. A remote attacker can trick the victim to open a specially crafted .dds file, trigger a heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsoiio: 2.0.14 - 2.4.4.2
CPE2.3- cpe:2.3:a:OpenImageIO:oiio:2.0.14:*:*:*:*:*:*:*
- cpe:2.3:a:OpenImageIO:oiio:2.1.20.0:*:*:*:*:*:*:*
- cpe:2.3:a:OpenImageIO:oiio:2.2.6.1:*:*:*:*:*:*:*
https://talosintelligence.com/vulnerability_reports/TALOS-2022-1634
https://github.com/OpenImageIO/oiio/releases/tag/v2.4.5.0
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Input validation error
EUVDB-ID: #VU74796
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2022-41999
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input in the DDS native tile reading functionality. A remote attacker can trick the victim to open a specially crafted .dds file and perform a denial of service (DoS) attack.
MitigationInstall updates from vendor's website.
Vulnerable software versionsoiio: 2.0.14 - 2.4.4.2
CPE2.3- cpe:2.3:a:OpenImageIO:oiio:2.0.14:*:*:*:*:*:*:*
- cpe:2.3:a:OpenImageIO:oiio:2.1.20.0:*:*:*:*:*:*:*
- cpe:2.3:a:OpenImageIO:oiio:2.2.6.1:*:*:*:*:*:*:*
https://talosintelligence.com/vulnerability_reports/TALOS-2022-1635
https://github.com/OpenImageIO/oiio/releases/tag/v2.4.5.0
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Resource exhaustion
EUVDB-ID: #VU74797
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2022-41794
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources when processing PSD thumbnails. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
MitigationInstall updates from vendor's website.
Vulnerable software versionsoiio: 2.0.14 - 2.4.10.0
CPE2.3- cpe:2.3:a:OpenImageIO:oiio:2.0.14:*:*:*:*:*:*:*
- cpe:2.3:a:OpenImageIO:oiio:2.1.18.1:*:*:*:*:*:*:*
- cpe:2.3:a:OpenImageIO:oiio:2.1.20.0:*:*:*:*:*:*:*
https://talosintelligence.com/vulnerability_reports/TALOS-2022-1626
https://github.com/OpenImageIO/oiio/releases/tag/v2.4.5.0
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Out-of-bounds read
EUVDB-ID: #VU74793
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2022-36354
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition in the RLA format parser. A remote attacker can create a specially crafted RLA file, trick the victim into opening it, trigger an out-of-bounds read error and read contents of memory on the system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsoiio: 2.0.14 - 2.4.4.2
CPE2.3- cpe:2.3:a:OpenImageIO:oiio:2.0.14:*:*:*:*:*:*:*
- cpe:2.3:a:OpenImageIO:oiio:2.1.20.0:*:*:*:*:*:*:*
- cpe:2.3:a:OpenImageIO:oiio:2.2.6.1:*:*:*:*:*:*:*
https://talosintelligence.com/vulnerability_reports/TALOS-2022-1629
https://github.com/OpenImageIO/oiio/releases/tag/v2.4.5.0
https://github.com/OpenImageIO/oiio/releases/tag/v2.3.21.0
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Heap-based buffer overflow
EUVDB-ID: #VU74801
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2022-41684
CWE-ID:
CWE-122 - Heap-based Buffer Overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to crash the application.
The vulnerability exists due to a boundary error when parsing the image file directory part of a PSD image file. A remote attacker can trick the victim to open a specially crafted PSD file, trigger a heap-based buffer overflow and crash the application.
Install updates from vendor's website.
Vulnerable software versionsoiio: 2.0.14 - 2.4.10.0
CPE2.3- cpe:2.3:a:OpenImageIO:oiio:2.0.14:*:*:*:*:*:*:*
- cpe:2.3:a:OpenImageIO:oiio:2.1.18.1:*:*:*:*:*:*:*
- cpe:2.3:a:OpenImageIO:oiio:2.1.20.0:*:*:*:*:*:*:*
https://talosintelligence.com/vulnerability_reports/TALOS-2022-1632
https://github.com/OpenImageIO/oiio/releases/tag/v2.4.5.0
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) Out-of-bounds read
EUVDB-ID: #VU74791
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2022-41977
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition when processes string fields in TIFF image files. A remote attacker can create a specially crafted TIFF file, trick the victim into opening it, trigger an out-of-bounds read error and read contents of memory on the system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsoiio: 2.0.14 - 2.4.4.2
CPE2.3- cpe:2.3:a:OpenImageIO:oiio:2.0.14:*:*:*:*:*:*:*
- cpe:2.3:a:OpenImageIO:oiio:2.1.20.0:*:*:*:*:*:*:*
- cpe:2.3:a:OpenImageIO:oiio:2.2.6.1:*:*:*:*:*:*:*
https://talosintelligence.com/vulnerability_reports/TALOS-2022-1627
https://github.com/OpenImageIO/oiio/releases/tag/v2.4.5.0
https://github.com/OpenImageIO/oiio/releases/tag/v2.3.21.0
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
8) Heap-based buffer overflow
EUVDB-ID: #VU74794
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2022-41639
CWE-ID:
CWE-122 - Heap-based Buffer Overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in tile decoding code of TIFF image parser. A remote attacker can trick the victim to open a specially crafted TIFF file, trigger a heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsoiio: 2.0.14 - 2.4.4.2
CPE2.3- cpe:2.3:a:OpenImageIO:oiio:2.0.14:*:*:*:*:*:*:*
- cpe:2.3:a:OpenImageIO:oiio:2.1.20.0:*:*:*:*:*:*:*
- cpe:2.3:a:OpenImageIO:oiio:2.2.6.1:*:*:*:*:*:*:*
https://talosintelligence.com/vulnerability_reports/TALOS-2022-1633
https://github.com/OpenImageIO/oiio/releases/tag/v2.4.5.0
https://github.com/OpenImageIO/oiio/releases/tag/v2.3.21.0
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
9) Information disclosure
EUVDB-ID: #VU74800
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2022-41988
CWE-ID:
CWE-200 - Exposure of sensitive information to an unauthorized actor
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to excessive data output in the OpenImageIO::decode_iptc_iim() functionality. A remote attacker can trick the victim to open a specially crafted TIFF file and gain access to sensitive information.
Install updates from vendor's website.
Vulnerable software versionsoiio: 2.0.14 - 2.4.10.0
CPE2.3- cpe:2.3:a:OpenImageIO:oiio:2.0.14:*:*:*:*:*:*:*
- cpe:2.3:a:OpenImageIO:oiio:2.1.18.1:*:*:*:*:*:*:*
- cpe:2.3:a:OpenImageIO:oiio:2.1.20.0:*:*:*:*:*:*:*
https://talosintelligence.com/vulnerability_reports/TALOS-2022-1643
https://github.com/OpenImageIO/oiio/releases/tag/v2.4.5.0
https://github.com/OpenImageIO/oiio/releases/tag/v2.3.21.0
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
10) Stack-based buffer overflow
EUVDB-ID: #VU74799
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2022-41981
CWE-ID:
CWE-121 - Stack-based buffer overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in the TGA file format parser. A remote attacker can trick the victim to open a specially crafted TGA file, trigger a stack-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsoiio: 2.0.14 - 2.4.10.0
CPE2.3- cpe:2.3:a:OpenImageIO:oiio:2.0.14:*:*:*:*:*:*:*
- cpe:2.3:a:OpenImageIO:oiio:2.1.18.1:*:*:*:*:*:*:*
- cpe:2.3:a:OpenImageIO:oiio:2.1.20.0:*:*:*:*:*:*:*
https://talosintelligence.com/vulnerability_reports/TALOS-2022-1628
https://github.com/OpenImageIO/oiio/releases/tag/v2.4.5.0
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
