CVE-2022-3598

2022-10-2116:15:11

CWE-787

[email protected]

web.nvd.nist.gov

117

libtiff

cve-2022-3598

out-of-bounds write

denial-of-service

crafted file

security vulnerability

nvd

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

6.6 Medium

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

59.8%

JSON

LibTIFF 4.4.0 has an out-of-bounds write in extractContigSamplesShifted24bits in tools/tiffcrop.c:3604, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit cfbb883b.

Affected configurations

NVD

Node

libtifflibtiffRange≤4.4.0

Node

netappactive_iq_unified_managerMatch-vmware_vsphere

Node

debiandebian_linuxMatch10.0

CPENameOperatorVersion
libtiff:libtifflibtiffle4.4.0

CPE	Name	Operator	Version
libtiff:libtiff	libtiff	le	4.4.0

CNA Affected

[
  {
    "vendor": "libtiff",
    "product": "libtiff",
    "versions": [
      {
        "version": "<=4.4.0",
        "status": "affected"
      }
    ]
  }
]