Multiple vulnerabilities in OpenImageIO oiio
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 12 |
| CVE-ID | CVE-2022-43603 CVE-2022-43602 CVE-2022-43600 CVE-2022-43599 CVE-2022-43601 CVE-2022-43597 CVE-2022-43598 CVE-2022-43596 CVE-2022-43593 CVE-2022-43592 CVE-2022-43594 CVE-2022-43595 |
| CWE-ID | CWE-476 CWE-122 CWE-125 CWE-401 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
oiio Other software / Other software solutions |
| Vendor | OpenImageIO |
Security Bulletin
This security bulletin contains information about 12 vulnerabilities.
1) NULL pointer dereference
EUVDB-ID: #VU74813
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2022-43603
CWE-ID:
CWE-476 - NULL Pointer Dereference
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a NULL pointer dereference error in the ZfileOutput::close() functionality. A remote attacker can pass specially crafted data to the application and perform a denial of service (DoS) attack.
MitigationInstall updates from vendor's website.
Vulnerable software versionsoiio: 2.4.4.1 - 2.4.5.0
CPE2.3- cpe:2.3:a:OpenImageIO:oiio:2.4.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:OpenImageIO:oiio:2.4.4.2:*:*:*:*:*:*:*
- cpe:2.3:a:OpenImageIO:oiio:2.4.5.0:*:*:*:*:*:*:*
https://talosintelligence.com/vulnerability_reports/TALOS-2022-1657
https://github.com/OpenImageIO/oiio/releases/tag/v2.4.6.0
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Heap-based buffer overflow
EUVDB-ID: #VU74812
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2022-43602
CWE-ID:
CWE-122 - Heap-based Buffer Overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in the IFFOutput::close() functionality. A remote attacker can trick the victim to open a specially crafted file, trigger a heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsoiio: 2.4.4.1 - 2.4.5.0
CPE2.3- cpe:2.3:a:OpenImageIO:oiio:2.4.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:OpenImageIO:oiio:2.4.4.2:*:*:*:*:*:*:*
- cpe:2.3:a:OpenImageIO:oiio:2.4.5.0:*:*:*:*:*:*:*
https://talosintelligence.com/vulnerability_reports/TALOS-2022-1656
https://github.com/OpenImageIO/oiio/releases/tag/v2.4.6.0
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Heap-based buffer overflow
EUVDB-ID: #VU74811
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2022-43600
CWE-ID:
CWE-122 - Heap-based Buffer Overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in the IFFOutput::close() functionality. A remote attacker can trick the victim to open a specially crafted file, trigger a heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsoiio: 2.4.4.1 - 2.4.5.0
CPE2.3- cpe:2.3:a:OpenImageIO:oiio:2.4.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:OpenImageIO:oiio:2.4.4.2:*:*:*:*:*:*:*
- cpe:2.3:a:OpenImageIO:oiio:2.4.5.0:*:*:*:*:*:*:*
https://talosintelligence.com/vulnerability_reports/TALOS-2022-1656
https://github.com/OpenImageIO/oiio/releases/tag/v2.4.6.0
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Heap-based buffer overflow
EUVDB-ID: #VU74810
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2022-43599
CWE-ID:
CWE-122 - Heap-based Buffer Overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in the IFFOutput::close() functionality. A remote attacker can trick the victim to open a specially crafted file, trigger a heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsoiio: 2.4.4.1 - 2.4.5.0
CPE2.3- cpe:2.3:a:OpenImageIO:oiio:2.4.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:OpenImageIO:oiio:2.4.4.2:*:*:*:*:*:*:*
- cpe:2.3:a:OpenImageIO:oiio:2.4.5.0:*:*:*:*:*:*:*
https://talosintelligence.com/vulnerability_reports/TALOS-2022-1656
https://github.com/OpenImageIO/oiio/releases/tag/v2.4.6.0
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Heap-based buffer overflow
EUVDB-ID: #VU74809
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2022-43601
CWE-ID:
CWE-122 - Heap-based Buffer Overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in the IFFOutput::close() functionality. A remote attacker can trick the victim to open a specially crafted file, trigger a heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsoiio: 2.4.4.1 - 2.4.5.0
CPE2.3- cpe:2.3:a:OpenImageIO:oiio:2.4.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:OpenImageIO:oiio:2.4.4.2:*:*:*:*:*:*:*
- cpe:2.3:a:OpenImageIO:oiio:2.4.5.0:*:*:*:*:*:*:*
https://talosintelligence.com/vulnerability_reports/TALOS-2022-1656
https://github.com/OpenImageIO/oiio/releases/tag/v2.4.6.0
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Heap-based buffer overflow
EUVDB-ID: #VU74808
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2022-43597
CWE-ID:
CWE-122 - Heap-based Buffer Overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in the IFFOutput alignment padding functionality. A remote attacker can trick the victim to open a specially crafted file, trigger a heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note, this vulnerability arises when the "m_spec.format" is "TypeDesc::UINT8".
MitigationInstall updates from vendor's website.
Vulnerable software versionsoiio: 2.4.4.1 - 2.4.5.0
CPE2.3- cpe:2.3:a:OpenImageIO:oiio:2.4.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:OpenImageIO:oiio:2.4.4.2:*:*:*:*:*:*:*
- cpe:2.3:a:OpenImageIO:oiio:2.4.5.0:*:*:*:*:*:*:*
https://talosintelligence.com/vulnerability_reports/TALOS-2022-1655
https://github.com/OpenImageIO/oiio/releases/tag/v2.4.6.0
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) Heap-based buffer overflow
EUVDB-ID: #VU74807
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2022-43598
CWE-ID:
CWE-122 - Heap-based Buffer Overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in the IFFOutput alignment padding functionality. A remote attacker can trick the victim to open a specially crafted file, trigger a heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note, this vulnerability arises when the "m_spec.format" is "TypeDesc::UINT16".
MitigationInstall updates from vendor's website.
Vulnerable software versionsoiio: 2.4.4.1 - 2.4.5.0
CPE2.3- cpe:2.3:a:OpenImageIO:oiio:2.4.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:OpenImageIO:oiio:2.4.4.2:*:*:*:*:*:*:*
- cpe:2.3:a:OpenImageIO:oiio:2.4.5.0:*:*:*:*:*:*:*
https://talosintelligence.com/vulnerability_reports/TALOS-2022-1655
https://github.com/OpenImageIO/oiio/releases/tag/v2.4.6.0
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
8) Out-of-bounds read
EUVDB-ID: #VU74806
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2022-43596
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition in the IFFOutput channel interleaving functionality. A remote attacker can create a specially crafted file, trick the victim into opening it, trigger an out-of-bounds read error and read contents of memory on the system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsoiio: 2.4.4.1 - 2.4.5.0
CPE2.3- cpe:2.3:a:OpenImageIO:oiio:2.4.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:OpenImageIO:oiio:2.4.4.2:*:*:*:*:*:*:*
- cpe:2.3:a:OpenImageIO:oiio:2.4.5.0:*:*:*:*:*:*:*
https://talosintelligence.com/vulnerability_reports/TALOS-2022-1654
https://github.com/OpenImageIO/oiio/releases/tag/v2.4.6.0
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
9) NULL pointer dereference
EUVDB-ID: #VU74805
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2022-43593
CWE-ID:
CWE-476 - NULL Pointer Dereference
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a NULL pointer dereference error in the DPXOutput::close() functionality. A remote attacker can perform a denial of service (DoS) attack.
MitigationInstall update from vendor's website.
Vulnerable software versionsoiio: 2.4.4.1 - 2.4.5.0
CPE2.3- cpe:2.3:a:OpenImageIO:oiio:2.4.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:OpenImageIO:oiio:2.4.4.2:*:*:*:*:*:*:*
- cpe:2.3:a:OpenImageIO:oiio:2.4.5.0:*:*:*:*:*:*:*
https://talosintelligence.com/vulnerability_reports/TALOS-2022-1652
https://github.com/OpenImageIO/oiio/releases/tag/v2.4.6.0
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
10) Memory leak
EUVDB-ID: #VU74804
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2022-43592
CWE-ID:
CWE-401 - Missing release of memory after effective lifetime
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due memory leak in the DPXOutput::close() functionality. A remote attacker can force the application to leak memory and gain access to sensitive information.
Install updates from vendor's website.
Vulnerable software versionsoiio: 2.4.4.1 - 2.4.5.0
CPE2.3- cpe:2.3:a:OpenImageIO:oiio:2.4.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:OpenImageIO:oiio:2.4.4.2:*:*:*:*:*:*:*
- cpe:2.3:a:OpenImageIO:oiio:2.4.5.0:*:*:*:*:*:*:*
https://talosintelligence.com/vulnerability_reports/TALOS-2022-1651
https://github.com/OpenImageIO/oiio/releases/tag/v2.4.6.0
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
11) NULL pointer dereference
EUVDB-ID: #VU74803
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2022-43594
CWE-ID:
CWE-476 - NULL Pointer Dereference
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a NULL pointer dereference error in the image output closing functionality that applies to writing .bmp files. A remote attacker can trick the victim to open a specially crafted file and perform a denial of service (DoS) attack.
MitigationInstall update from vendor's website.
Vulnerable software versionsoiio: 2.4.4.1 - 2.4.5.0
CPE2.3- cpe:2.3:a:OpenImageIO:oiio:2.4.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:OpenImageIO:oiio:2.4.4.2:*:*:*:*:*:*:*
- cpe:2.3:a:OpenImageIO:oiio:2.4.5.0:*:*:*:*:*:*:*
https://talosintelligence.com/vulnerability_reports/TALOS-2022-1653
https://github.com/OpenImageIO/oiio/releases/tag/v2.4.6.0
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
12) NULL pointer dereference
EUVDB-ID: #VU74802
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2022-43595
CWE-ID:
CWE-476 - NULL Pointer Dereference
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a NULL pointer dereference error in the image output closing functionality that applies to writing .fits files. A remote attacker can trick the victim to open a specially crafted file and perform a denial of service (DoS) attack.
MitigationInstall update from vendor's website.
Vulnerable software versionsoiio: 2.4.4.1 - 2.4.5.0
CPE2.3- cpe:2.3:a:OpenImageIO:oiio:2.4.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:OpenImageIO:oiio:2.4.4.2:*:*:*:*:*:*:*
- cpe:2.3:a:OpenImageIO:oiio:2.4.5.0:*:*:*:*:*:*:*
https://talosintelligence.com/vulnerability_reports/TALOS-2022-1653
https://github.com/OpenImageIO/oiio/releases/tag/v2.4.6.0
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
