Lucene search

K

GoogleOSV:CVE-2021-20298

HistoryAug 23, 2022 - 4:15 p.m.

CVE-2021-20298

2022-08-2316:15:09

Google

osv.dev

12

openexr

b44compressor

memory exhaustion

vulnerability

system availability

software

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score

6.2

Confidence

Low

EPSS

0.002

Percentile

61.9%

A flaw was found in OpenEXR’s B44Compressor. This flaw allows an attacker who can submit a crafted file to be processed by OpenEXR, to exhaust all memory accessible to the application. The highest threat from this vulnerability is to system availability.

References

access.redhat.com/security/cve/CVE-2021-20298

bugs.chromium.org/p/oss-fuzz/issues/detail?id=25913

bugzilla.redhat.com/show_bug.cgi?id=1939156

github.com/AcademySoftwareFoundation/openexr/commit/85fd638ae0d5fa132434f4cbf32590261c1dba97

github.com/AcademySoftwareFoundation/openexr/pull/843

lists.debian.org/debian-lts-announce/2022/12/msg00022.html

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score

6.2

Confidence

Low

EPSS

0.002

Percentile

61.9%

Related for OSV:CVE-2021-20298

ubuntucve1 cve1 debiancve1 nvd1 redhatcve1 cvelist1 prion1 nessus13 openvas9 amazon1 suse2 debian1 osv1