Description

An integer overflow leading to a heap-buffer overflow was found in the DwaCompressor of OpenEXR in versions before 3.0.1. An attacker could use this flaw to crash an application compiled with OpenEXR. This is a different flaw from CVE-2021-23215.

Related CPE's

a

openexr

openexr

Vulnerable

o

fedoraproject

fedora

33

Vulnerable

o

debian

debian_linux

3

References

https://bugzilla.redhat.com/show_bug.cgi?id=1947582

Issue TrackingPatchThird Party Advisory

https://lists.debian.org/debian-lts-announce/2021/07/msg00001.html

Mailing ListThird Party Advisory

https://lists.debian.org/debian-lts-announce/2022/12/msg00022.html

Mailing ListThird Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BXFLD4ZAXKAIWO6ZPBCQEEDZB5IG676K/

https://www.debian.org/security/2022/dsa-5299

Third Party Advisory

Weaknesses

[email protected]

Primary
CWE-400

[email protected]

Secondary
CWE-190

CVSS impact metrics

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

5.5 · Medium

  • CVSS V3.1

  • CVSS V3.0

  • CVSS V2.0

Information

Source identifier

[email protected]

Vulnerability status

Modified

Published

2021-06-08T12:15:10.790

4 years ago

Last modified

2023-11-07T03:31:40.850

1 year ago