CVE-2022-2867

2022-08-1722:15:08

CWE-191

CWE-787

CWE-125

[email protected]

web.nvd.nist.gov

122

libtiff

tiffcrop

cve-2022-2867

security

vulnerability

exploitation

5.5 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

5.9 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

28.0%

JSON

libtiff’s tiffcrop utility has a uint32_t underflow that can lead to out of bounds read and write. An attacker who supplies a crafted file to tiffcrop (likely via tricking a user to run tiffcrop on it with certain parameters) could cause a crash or in some cases, further exploitation.

Affected configurations

Vulners

NVD

Node

libtifflibtiffRange≤4.4.0

VendorProductVersionCPE
libtifflibtiff*cpe:2.3:a:libtiff:libtiff:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
libtiff	libtiff	*	cpe:2.3:a:libtiff:libtiff::::::::

CNA Affected

[
  {
    "vendor": "n/a",
    "product": "libtiff",
    "versions": [
      {
        "version": "libtiff 4.4.0rc1",
        "status": "affected"
      }
    ]
  }
]