#VU11263 Heap-based buffer overflow in LibTIFF - CVE-2018-8905
Published: March 22, 2018 / Updated: June 25, 2020
Vulnerability identifier: #VU11263
Vulnerability risk: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber
CVE-ID: CVE-2018-8905
CWE-ID: CWE-122
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
LibTIFF
LibTIFF
Software vendor:
LibTIFF
LibTIFF
Description
The vulnerability allows a remote authenticated attacker to cause DoS condition or execute arbitrary code on the target system.
The weakness exists in the LZWDecodeCompat function due to insufficient validation of user-supplied input. A remote attacker can submit a specially crafted TIFF file, cause the service to crash or execute arbitrary code.
Successful exploitation of the vulnerability may result in system compromise.
The weakness exists in the LZWDecodeCompat function due to insufficient validation of user-supplied input. A remote attacker can submit a specially crafted TIFF file, cause the service to crash or execute arbitrary code.
Successful exploitation of the vulnerability may result in system compromise.
Remediation
Install update from vendor's website.