Debian update for openimageio
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 23 |
| CVE-ID | CVE-2022-36354 CVE-2022-41639 CVE-2022-41649 CVE-2022-41684 CVE-2022-41794 CVE-2022-41837 CVE-2022-41838 CVE-2022-41977 CVE-2022-41981 CVE-2022-41988 CVE-2022-41999 CVE-2022-43592 CVE-2022-43593 CVE-2022-43594 CVE-2022-43595 CVE-2022-43596 CVE-2022-43597 CVE-2022-43598 CVE-2022-43599 CVE-2022-43600 CVE-2022-43601 CVE-2022-43602 CVE-2022-43603 |
| CWE-ID | CWE-125 CWE-122 CWE-400 CWE-787 CWE-121 CWE-200 CWE-20 CWE-401 CWE-476 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
Debian Linux Operating systems & Components / Operating system openimageio (Debian package) Operating systems & Components / Operating system package or component |
| Vendor | Debian |
Security Bulletin
This security bulletin contains information about 23 vulnerabilities.
1) Out-of-bounds read
EUVDB-ID: #VU74793
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2022-36354
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition in the RLA format parser. A remote attacker can create a specially crafted RLA file, trick the victim into opening it, trigger an out-of-bounds read error and read contents of memory on the system.
MitigationUpdate openimageio package to version 2.2.10.1+dfsg-1+deb11u1.
Vulnerable software versionsDebian Linux: All versions
openimageio (Debian package): before 2.2.10.1+dfsg-1+deb11u1
CPE2.3- cpe:2.3:o:debian:debian_linux:*:*:*:*:*:*:*:*
- cpe:2.3:a:debian:openimageio_debian_package:*:*:*:*:*:debian_linux:*:*
https://www.debian.org/security/2023/dsa-5384
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Heap-based buffer overflow
EUVDB-ID: #VU74794
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2022-41639
CWE-ID:
CWE-122 - Heap-based Buffer Overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in tile decoding code of TIFF image parser. A remote attacker can trick the victim to open a specially crafted TIFF file, trigger a heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationUpdate openimageio package to version 2.2.10.1+dfsg-1+deb11u1.
Vulnerable software versionsDebian Linux: All versions
openimageio (Debian package): before 2.2.10.1+dfsg-1+deb11u1
CPE2.3- cpe:2.3:o:debian:debian_linux:*:*:*:*:*:*:*:*
- cpe:2.3:a:debian:openimageio_debian_package:*:*:*:*:*:debian_linux:*:*
https://www.debian.org/security/2023/dsa-5384
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Out-of-bounds read
EUVDB-ID: #VU74815
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2022-41649
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition in the handling of IPTC data while parsing TIFF images. A remote attacker can create a specially crafted TIFF file, trick the victim into opening it, trigger an out-of-bounds read error and read contents of memory on the system.
MitigationUpdate openimageio package to version 2.2.10.1+dfsg-1+deb11u1.
Vulnerable software versionsDebian Linux: All versions
openimageio (Debian package): before 2.2.10.1+dfsg-1+deb11u1
CPE2.3- cpe:2.3:o:debian:debian_linux:*:*:*:*:*:*:*:*
- cpe:2.3:a:debian:openimageio_debian_package:*:*:*:*:*:debian_linux:*:*
https://www.debian.org/security/2023/dsa-5384
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Heap-based buffer overflow
EUVDB-ID: #VU74801
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2022-41684
CWE-ID:
CWE-122 - Heap-based Buffer Overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to crash the application.
The vulnerability exists due to a boundary error when parsing the image file directory part of a PSD image file. A remote attacker can trick the victim to open a specially crafted PSD file, trigger a heap-based buffer overflow and crash the application.
Update openimageio package to version 2.2.10.1+dfsg-1+deb11u1.
Vulnerable software versionsDebian Linux: All versions
openimageio (Debian package): before 2.2.10.1+dfsg-1+deb11u1
CPE2.3- cpe:2.3:o:debian:debian_linux:*:*:*:*:*:*:*:*
- cpe:2.3:a:debian:openimageio_debian_package:*:*:*:*:*:debian_linux:*:*
https://www.debian.org/security/2023/dsa-5384
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Resource exhaustion
EUVDB-ID: #VU74797
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2022-41794
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources when processing PSD thumbnails. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
MitigationUpdate openimageio package to version 2.2.10.1+dfsg-1+deb11u1.
Vulnerable software versionsDebian Linux: All versions
openimageio (Debian package): before 2.2.10.1+dfsg-1+deb11u1
CPE2.3- cpe:2.3:o:debian:debian_linux:*:*:*:*:*:*:*:*
- cpe:2.3:a:debian:openimageio_debian_package:*:*:*:*:*:debian_linux:*:*
https://www.debian.org/security/2023/dsa-5384
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Out-of-bounds write
EUVDB-ID: #VU74814
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2022-41837
CWE-ID:
CWE-787 - Out-of-bounds write
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a boundary error in the OpenImageIO::add_exif_item_to_spec functionality. A remote attacker can create a specially crafted Exif file, trick the victim into opening it using the affected software, trigger an out-of-bounds write and execute arbitrary code on the target system.
MitigationUpdate openimageio package to version 2.2.10.1+dfsg-1+deb11u1.
Vulnerable software versionsDebian Linux: All versions
openimageio (Debian package): before 2.2.10.1+dfsg-1+deb11u1
CPE2.3- cpe:2.3:o:debian:debian_linux:*:*:*:*:*:*:*:*
- cpe:2.3:a:debian:openimageio_debian_package:*:*:*:*:*:debian_linux:*:*
https://www.debian.org/security/2023/dsa-5384
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) Heap-based buffer overflow
EUVDB-ID: #VU74795
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2022-41838
CWE-ID:
CWE-122 - Heap-based Buffer Overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in DDS scanline parsing functionality. A remote attacker can trick the victim to open a specially crafted .dds file, trigger a heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationUpdate openimageio package to version 2.2.10.1+dfsg-1+deb11u1.
Vulnerable software versionsDebian Linux: All versions
openimageio (Debian package): before 2.2.10.1+dfsg-1+deb11u1
CPE2.3- cpe:2.3:o:debian:debian_linux:*:*:*:*:*:*:*:*
- cpe:2.3:a:debian:openimageio_debian_package:*:*:*:*:*:debian_linux:*:*
https://www.debian.org/security/2023/dsa-5384
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
8) Out-of-bounds read
EUVDB-ID: #VU74791
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2022-41977
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition when processes string fields in TIFF image files. A remote attacker can create a specially crafted TIFF file, trick the victim into opening it, trigger an out-of-bounds read error and read contents of memory on the system.
MitigationUpdate openimageio package to version 2.2.10.1+dfsg-1+deb11u1.
Vulnerable software versionsDebian Linux: All versions
openimageio (Debian package): before 2.2.10.1+dfsg-1+deb11u1
CPE2.3- cpe:2.3:o:debian:debian_linux:*:*:*:*:*:*:*:*
- cpe:2.3:a:debian:openimageio_debian_package:*:*:*:*:*:debian_linux:*:*
https://www.debian.org/security/2023/dsa-5384
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
9) Stack-based buffer overflow
EUVDB-ID: #VU74799
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2022-41981
CWE-ID:
CWE-121 - Stack-based buffer overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in the TGA file format parser. A remote attacker can trick the victim to open a specially crafted TGA file, trigger a stack-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationUpdate openimageio package to version 2.2.10.1+dfsg-1+deb11u1.
Vulnerable software versionsDebian Linux: All versions
openimageio (Debian package): before 2.2.10.1+dfsg-1+deb11u1
CPE2.3- cpe:2.3:o:debian:debian_linux:*:*:*:*:*:*:*:*
- cpe:2.3:a:debian:openimageio_debian_package:*:*:*:*:*:debian_linux:*:*
https://www.debian.org/security/2023/dsa-5384
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
10) Information disclosure
EUVDB-ID: #VU74800
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2022-41988
CWE-ID:
CWE-200 - Exposure of sensitive information to an unauthorized actor
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to excessive data output in the OpenImageIO::decode_iptc_iim() functionality. A remote attacker can trick the victim to open a specially crafted TIFF file and gain access to sensitive information.
Update openimageio package to version 2.2.10.1+dfsg-1+deb11u1.
Vulnerable software versionsDebian Linux: All versions
openimageio (Debian package): before 2.2.10.1+dfsg-1+deb11u1
CPE2.3- cpe:2.3:o:debian:debian_linux:*:*:*:*:*:*:*:*
- cpe:2.3:a:debian:openimageio_debian_package:*:*:*:*:*:debian_linux:*:*
https://www.debian.org/security/2023/dsa-5384
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
11) Input validation error
EUVDB-ID: #VU74796
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2022-41999
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input in the DDS native tile reading functionality. A remote attacker can trick the victim to open a specially crafted .dds file and perform a denial of service (DoS) attack.
MitigationUpdate openimageio package to version 2.2.10.1+dfsg-1+deb11u1.
Vulnerable software versionsDebian Linux: All versions
openimageio (Debian package): before 2.2.10.1+dfsg-1+deb11u1
CPE2.3- cpe:2.3:o:debian:debian_linux:*:*:*:*:*:*:*:*
- cpe:2.3:a:debian:openimageio_debian_package:*:*:*:*:*:debian_linux:*:*
https://www.debian.org/security/2023/dsa-5384
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
12) Memory leak
EUVDB-ID: #VU74804
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2022-43592
CWE-ID:
CWE-401 - Missing release of memory after effective lifetime
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due memory leak in the DPXOutput::close() functionality. A remote attacker can force the application to leak memory and gain access to sensitive information.
Update openimageio package to version 2.2.10.1+dfsg-1+deb11u1.
Vulnerable software versionsDebian Linux: All versions
openimageio (Debian package): before 2.2.10.1+dfsg-1+deb11u1
CPE2.3- cpe:2.3:o:debian:debian_linux:*:*:*:*:*:*:*:*
- cpe:2.3:a:debian:openimageio_debian_package:*:*:*:*:*:debian_linux:*:*
https://www.debian.org/security/2023/dsa-5384
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
13) NULL pointer dereference
EUVDB-ID: #VU74805
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2022-43593
CWE-ID:
CWE-476 - NULL Pointer Dereference
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a NULL pointer dereference error in the DPXOutput::close() functionality. A remote attacker can perform a denial of service (DoS) attack.
MitigationUpdate openimageio package to version 2.2.10.1+dfsg-1+deb11u1.
Vulnerable software versionsDebian Linux: All versions
openimageio (Debian package): before 2.2.10.1+dfsg-1+deb11u1
CPE2.3- cpe:2.3:o:debian:debian_linux:*:*:*:*:*:*:*:*
- cpe:2.3:a:debian:openimageio_debian_package:*:*:*:*:*:debian_linux:*:*
https://www.debian.org/security/2023/dsa-5384
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
14) NULL pointer dereference
EUVDB-ID: #VU74803
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2022-43594
CWE-ID:
CWE-476 - NULL Pointer Dereference
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a NULL pointer dereference error in the image output closing functionality that applies to writing .bmp files. A remote attacker can trick the victim to open a specially crafted file and perform a denial of service (DoS) attack.
MitigationUpdate openimageio package to version 2.2.10.1+dfsg-1+deb11u1.
Vulnerable software versionsDebian Linux: All versions
openimageio (Debian package): before 2.2.10.1+dfsg-1+deb11u1
CPE2.3- cpe:2.3:o:debian:debian_linux:*:*:*:*:*:*:*:*
- cpe:2.3:a:debian:openimageio_debian_package:*:*:*:*:*:debian_linux:*:*
https://www.debian.org/security/2023/dsa-5384
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
15) NULL pointer dereference
EUVDB-ID: #VU74802
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2022-43595
CWE-ID:
CWE-476 - NULL Pointer Dereference
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a NULL pointer dereference error in the image output closing functionality that applies to writing .fits files. A remote attacker can trick the victim to open a specially crafted file and perform a denial of service (DoS) attack.
MitigationUpdate openimageio package to version 2.2.10.1+dfsg-1+deb11u1.
Vulnerable software versionsDebian Linux: All versions
openimageio (Debian package): before 2.2.10.1+dfsg-1+deb11u1
CPE2.3- cpe:2.3:o:debian:debian_linux:*:*:*:*:*:*:*:*
- cpe:2.3:a:debian:openimageio_debian_package:*:*:*:*:*:debian_linux:*:*
https://www.debian.org/security/2023/dsa-5384
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
16) Out-of-bounds read
EUVDB-ID: #VU74806
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2022-43596
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition in the IFFOutput channel interleaving functionality. A remote attacker can create a specially crafted file, trick the victim into opening it, trigger an out-of-bounds read error and read contents of memory on the system.
MitigationUpdate openimageio package to version 2.2.10.1+dfsg-1+deb11u1.
Vulnerable software versionsDebian Linux: All versions
openimageio (Debian package): before 2.2.10.1+dfsg-1+deb11u1
CPE2.3- cpe:2.3:o:debian:debian_linux:*:*:*:*:*:*:*:*
- cpe:2.3:a:debian:openimageio_debian_package:*:*:*:*:*:debian_linux:*:*
https://www.debian.org/security/2023/dsa-5384
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
17) Heap-based buffer overflow
EUVDB-ID: #VU74808
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2022-43597
CWE-ID:
CWE-122 - Heap-based Buffer Overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in the IFFOutput alignment padding functionality. A remote attacker can trick the victim to open a specially crafted file, trigger a heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note, this vulnerability arises when the "m_spec.format" is "TypeDesc::UINT8".
MitigationUpdate openimageio package to version 2.2.10.1+dfsg-1+deb11u1.
Vulnerable software versionsDebian Linux: All versions
openimageio (Debian package): before 2.2.10.1+dfsg-1+deb11u1
CPE2.3- cpe:2.3:o:debian:debian_linux:*:*:*:*:*:*:*:*
- cpe:2.3:a:debian:openimageio_debian_package:*:*:*:*:*:debian_linux:*:*
https://www.debian.org/security/2023/dsa-5384
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
18) Heap-based buffer overflow
EUVDB-ID: #VU74807
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2022-43598
CWE-ID:
CWE-122 - Heap-based Buffer Overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in the IFFOutput alignment padding functionality. A remote attacker can trick the victim to open a specially crafted file, trigger a heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note, this vulnerability arises when the "m_spec.format" is "TypeDesc::UINT16".
MitigationUpdate openimageio package to version 2.2.10.1+dfsg-1+deb11u1.
Vulnerable software versionsDebian Linux: All versions
openimageio (Debian package): before 2.2.10.1+dfsg-1+deb11u1
CPE2.3- cpe:2.3:o:debian:debian_linux:*:*:*:*:*:*:*:*
- cpe:2.3:a:debian:openimageio_debian_package:*:*:*:*:*:debian_linux:*:*
https://www.debian.org/security/2023/dsa-5384
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
19) Heap-based buffer overflow
EUVDB-ID: #VU74810
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2022-43599
CWE-ID:
CWE-122 - Heap-based Buffer Overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in the IFFOutput::close() functionality. A remote attacker can trick the victim to open a specially crafted file, trigger a heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationUpdate openimageio package to version 2.2.10.1+dfsg-1+deb11u1.
Vulnerable software versionsDebian Linux: All versions
openimageio (Debian package): before 2.2.10.1+dfsg-1+deb11u1
CPE2.3- cpe:2.3:o:debian:debian_linux:*:*:*:*:*:*:*:*
- cpe:2.3:a:debian:openimageio_debian_package:*:*:*:*:*:debian_linux:*:*
https://www.debian.org/security/2023/dsa-5384
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
20) Heap-based buffer overflow
EUVDB-ID: #VU74811
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2022-43600
CWE-ID:
CWE-122 - Heap-based Buffer Overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in the IFFOutput::close() functionality. A remote attacker can trick the victim to open a specially crafted file, trigger a heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationUpdate openimageio package to version 2.2.10.1+dfsg-1+deb11u1.
Vulnerable software versionsDebian Linux: All versions
openimageio (Debian package): before 2.2.10.1+dfsg-1+deb11u1
CPE2.3- cpe:2.3:o:debian:debian_linux:*:*:*:*:*:*:*:*
- cpe:2.3:a:debian:openimageio_debian_package:*:*:*:*:*:debian_linux:*:*
https://www.debian.org/security/2023/dsa-5384
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
21) Heap-based buffer overflow
EUVDB-ID: #VU74809
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2022-43601
CWE-ID:
CWE-122 - Heap-based Buffer Overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in the IFFOutput::close() functionality. A remote attacker can trick the victim to open a specially crafted file, trigger a heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationUpdate openimageio package to version 2.2.10.1+dfsg-1+deb11u1.
Vulnerable software versionsDebian Linux: All versions
openimageio (Debian package): before 2.2.10.1+dfsg-1+deb11u1
CPE2.3- cpe:2.3:o:debian:debian_linux:*:*:*:*:*:*:*:*
- cpe:2.3:a:debian:openimageio_debian_package:*:*:*:*:*:debian_linux:*:*
https://www.debian.org/security/2023/dsa-5384
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
22) Heap-based buffer overflow
EUVDB-ID: #VU74812
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2022-43602
CWE-ID:
CWE-122 - Heap-based Buffer Overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in the IFFOutput::close() functionality. A remote attacker can trick the victim to open a specially crafted file, trigger a heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationUpdate openimageio package to version 2.2.10.1+dfsg-1+deb11u1.
Vulnerable software versionsDebian Linux: All versions
openimageio (Debian package): before 2.2.10.1+dfsg-1+deb11u1
CPE2.3- cpe:2.3:o:debian:debian_linux:*:*:*:*:*:*:*:*
- cpe:2.3:a:debian:openimageio_debian_package:*:*:*:*:*:debian_linux:*:*
https://www.debian.org/security/2023/dsa-5384
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
23) NULL pointer dereference
EUVDB-ID: #VU74813
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2022-43603
CWE-ID:
CWE-476 - NULL Pointer Dereference
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a NULL pointer dereference error in the ZfileOutput::close() functionality. A remote attacker can pass specially crafted data to the application and perform a denial of service (DoS) attack.
MitigationUpdate openimageio package to version 2.2.10.1+dfsg-1+deb11u1.
Vulnerable software versionsDebian Linux: All versions
openimageio (Debian package): before 2.2.10.1+dfsg-1+deb11u1
CPE2.3- cpe:2.3:o:debian:debian_linux:*:*:*:*:*:*:*:*
- cpe:2.3:a:debian:openimageio_debian_package:*:*:*:*:*:debian_linux:*:*
https://www.debian.org/security/2023/dsa-5384
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
