CVE-2021-20298

2022-08-2316:15:09

CWE-400

CWE-787

redhat

web.nvd.nist.gov

openexr

b44compressor

vulnerability

memory exhaustion

system availability

cve-2021-20298

nvd

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score

Confidence

High

EPSS

0.002

Percentile

61.9%

JSON

A flaw was found in OpenEXR’s B44Compressor. This flaw allows an attacker who can submit a crafted file to be processed by OpenEXR, to exhaust all memory accessible to the application. The highest threat from this vulnerability is to system availability.

Affected configurations

Nvd

Vulners

Node

openexropenexrRange≤2.5.7

Node

debiandebian_linuxMatch10.0

VendorProductVersionCPE
openexropenexr*cpe:2.3:a:openexr:openexr:*:*:*:*:*:*:*:*
debiandebian_linux10.0cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
openexr	openexr	*	cpe:2.3:a:openexr:openexr::::::::
debian	debian_linux	10.0	cpe:2.3:o:debian:debian_linux:10.0:::::::*

CNA Affected

[
  {
    "vendor": "n/a",
    "product": "OpenEXR",
    "versions": [
      {
        "version": "Fixed in OpenEXR 3.0.0-beta",
        "status": "affected"
      }
    ]
  }
]