CVSS2: 10 High
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS3: 9.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS: 0.043 Low
Percentile: 92.4%
Little CMS 2 contains a double-free vulnerability in the DefaultICCintents function, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.
Little CMS is an open-source color management engine that supports the International Color Consortium (ICC) standard. Little CMS 2.5 and earlier 2.x versions (liblcms2) contain a double-free vulnerability in the DefaultICCintents() function, which is provided in cmscnvrt.c. When the "Lut" cmsPipeline object is freed more than once, this can result in an exploitable memory corruption situation.
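The bug class described above, as an added illustration that is not Little CMS code and does not reproduce the actual DefaultICCintents() logic: a temporary is released inside a loop, its pointer is left set, and a shared error path releases it again. The names `pipeline_t`, `pipeline_release`, `build` and `worst_release_count` are hypothetical, and the release routine counts calls instead of calling free() so the second release can be observed safely.

```c
#include <stdio.h>

/* Hypothetical stand-in for a pipeline object; not lcms2's cmsPipeline. */
typedef struct { int stages; int releases; } pipeline_t;

/* Instrumented release: counts calls instead of calling free(), so a
   double release is observable without corrupting the real heap. */
static void pipeline_release(pipeline_t *p) { p->releases++; }

/* Builds n temporaries from pool; step fail_at fails (constructed fault,
   use -1 for none). hardened != 0 clears the pointer after each release. */
static int build(pipeline_t *pool, int n, int fail_at, int hardened) {
    pipeline_t *lut = NULL;
    for (int i = 0; i < n; i++) {
        if (i == fail_at) goto error;   /* lut may still name a released object */
        lut = &pool[i];
        lut->stages = i + 1;
        pipeline_release(lut);          /* temporary consumed and released */
        if (hardened) lut = NULL;       /* hardening: drop the stale pointer */
    }
    return 0;
error:
    if (lut != NULL) pipeline_release(lut);  /* shared cleanup path */
    return -1;
}

/* Runs one build and returns the highest per-object release count:
   1 means every object was released once, 2 means a double free. */
int worst_release_count(int fail_at, int hardened) {
    pipeline_t pool[3] = {{0, 0}, {0, 0}, {0, 0}};
    int worst = 0;
    build(pool, 3, fail_at, hardened);
    for (int i = 0; i < 3; i++)
        if (pool[i].releases > worst) worst = pool[i].releases;
    return worst;
}

int main(void) {
    printf("unhardened: %d release(s)\n", worst_release_count(1, 0));
    printf("hardened:   %d release(s)\n", worst_release_count(1, 1));
    return 0;
}
```

The non-NULL check in the cleanup path gives no protection on its own, because a pointer that was freed but not cleared still passes it.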
Although this issue was addressed in 2013, it was not assigned a CVE identifier at that time. Because of this, some vendors may not have upgraded liblcms2 to a version that contains the fix for this vulnerability.
By causing an application to process a malformed ICC profile, a remote, unauthenticated attacker may be able to cause arbitrary code execution with the privileges of the application that uses the Little CMS library. Exploitability of the vulnerability depends on how the application uses liblcms2 and what capabilities are exposed to an attacker.
Apply an update
This issue is resolved in Little CMS 2.6. Please check with your vendor for update availability.
369800
Notified: April 29, 2016 Updated: May 03, 2016
Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: April 29, 2016 Updated: May 04, 2016
Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: April 29, 2016 Updated: May 04, 2016
Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: April 29, 2016 Updated: May 04, 2016
Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: April 29, 2016 Updated: May 04, 2016
Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: April 29, 2016 Updated: May 04, 2016
Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: April 29, 2016 Updated: May 04, 2016
Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: April 29, 2016 Updated: May 04, 2016
Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: April 29, 2016 Updated: May 04, 2016
Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: April 29, 2016 Updated: May 04, 2016
Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: April 29, 2016 Updated: May 04, 2016
Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: April 29, 2016 Updated: May 02, 2016
Statement Date: May 02, 2016
Not Affected
We have not received a statement from the vendor.
Arista EOS does not include lcms2, so is not affected by this vulnerability.
Notified: May 02, 2016 Updated: May 03, 2016
Statement Date: May 03, 2016
Not Affected
We have not received a statement from the vendor.
We do not use lcms2 in any of our products.
Notified: April 29, 2016 Updated: April 29, 2016
Unknown
We have not received a statement from the vendor.
Notified: April 29, 2016 Updated: April 29, 2016
Unknown
We have not received a statement from the vendor.
Notified: April 29, 2016 Updated: April 29, 2016
Unknown
We have not received a statement from the vendor.
Notified: April 29, 2016 Updated: April 29, 2016
Unknown
We have not received a statement from the vendor.
Notified: April 29, 2016 Updated: April 29, 2016
Unknown
We have not received a statement from the vendor.
Notified: April 29, 2016 Updated: April 29, 2016
Unknown
We have not received a statement from the vendor.
Notified: April 29, 2016 Updated: April 29, 2016
Unknown
We have not received a statement from the vendor.
Notified: April 29, 2016 Updated: April 29, 2016
Unknown
We have not received a statement from the vendor.
Notified: April 29, 2016 Updated: April 29, 2016
Unknown
We have not received a statement from the vendor.
Notified: April 29, 2016 Updated: April 29, 2016
Unknown
We have not received a statement from the vendor.
Notified: April 29, 2016 Updated: April 29, 2016
Unknown
We have not received a statement from the vendor.
Notified: April 29, 2016 Updated: April 29, 2016
Unknown
We have not received a statement from the vendor.
Notified: April 29, 2016 Updated: April 29, 2016
Unknown
We have not received a statement from the vendor.
Notified: April 29, 2016 Updated: April 29, 2016
Unknown
We have not received a statement from the vendor.
Notified: April 29, 2016 Updated: April 29, 2016
Unknown
We have not received a statement from the vendor.
Notified: April 29, 2016 Updated: April 29, 2016
Unknown
We have not received a statement from the vendor.
Notified: April 29, 2016 Updated: April 29, 2016
Unknown
We have not received a statement from the vendor.
Notified: April 29, 2016 Updated: April 29, 2016
Unknown
We have not received a statement from the vendor.
Notified: April 29, 2016 Updated: April 29, 2016
Unknown
We have not received a statement from the vendor.
Notified: April 29, 2016 Updated: April 29, 2016
Unknown
We have not received a statement from the vendor.
Notified: April 29, 2016 Updated: April 29, 2016
Unknown
We have not received a statement from the vendor.
Notified: April 29, 2016 Updated: April 29, 2016
Unknown
We have not received a statement from the vendor.
Notified: April 29, 2016 Updated: April 29, 2016
Unknown
We have not received a statement from the vendor.
Notified: April 29, 2016 Updated: April 29, 2016
Unknown
We have not received a statement from the vendor.
Notified: April 29, 2016 Updated: April 29, 2016
Unknown
We have not received a statement from the vendor.
Group | Score | Vector |
---|---|---|
Base | 10 | AV:N/AC:L/Au:N/C:C/I:C/A:C |
Temporal | 7.4 | E:U/RL:OF/RC:C |
Environmental | 7.4 | CDP:ND/TD:H/CR:ND/IR:ND/AR:ND |
This vulnerability was corrected in 2013 by Marti Maria, and was independently discovered by Will Dormann of the CERT/CC.
This document was written by Will Dormann.
CVE IDs: | CVE-2013-7455 |
---|---|
Date Public: | 2013-07-10 Date First Published: |