CVE-2023-5841

2024-02-0119:15:08

CWE-787

CWE-122

AHA

web.nvd.nist.gov

cve-2023-5841

openexr

security vulnerability

heap-based buffer overflow

nvd

image parsing library

CVSS3

9.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

AI Score

9.1

Confidence

High

EPSS

0.001

Percentile

28.8%

JSON

Due to a failure in validating the number of scanline samples of a OpenEXR file containing deep scanline data, Academy Software Foundation OpenEX image parsing library version 3.2.1 and prior is susceptible to a heap-based buffer overflow vulnerability. This issue was resolved as of versions v3.2.2 and v3.1.12 of the affected library.

Affected configurations

Nvd

Node

openexropenexrRange≤3.2.1

VendorProductVersionCPE
openexropenexr*cpe:2.3:a:openexr:openexr:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
openexr	openexr	*	cpe:2.3:a:openexr:openexr::::::::

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "OpenEXR",
    "vendor": "Academy Software Foundation",
    "versions": [
      {
        "lessThanOrEqual": "3.2.1",
        "status": "affected",
        "version": "0",
        "versionType": "semver"
      },
      {
        "status": "unaffected",
        "version": "3.2.2"
      },
      {
        "status": "unaffected",
        "version": "3.1.12 "
      }
    ]
  }
]