CVE-2022-1622

LibTIFF master branch has an out-of-bounds read in LZWDecode in libtiff/tif_lzw.c:619, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit b4e79bfa.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
5.5 MEDIUM
LOCAL
LOW
NONE
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
GitLabCNA
5.5 MEDIUM
LOCAL
LOW
NONE
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 14%
VendorProductVersion
libtifflibtiff
4.3.0
netappontap_select_deploy_administration_utility
-
appleiphone_os
𝑥
< 16.0
applemacos
11.0 ≤
𝑥
< 11.7
applemacos
12.0 ≤
𝑥
< 12.6
appletvos
𝑥
< 16.0
applewatchos
𝑥
< 9.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
tiff
bullseye (security)
4.2.0-1+deb11u5
fixed
bullseye
4.2.0-1+deb11u5
fixed
buster
not-affected
bookworm
4.5.0-6+deb12u1
fixed
bookworm (security)
4.5.0-6+deb12u1
fixed
sid
4.5.1+git230720-5
fixed
trixie
4.5.1+git230720-5
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
tiff
jammy
not-affected
impish
not-affected
focal
not-affected
bionic
not-affected
xenial
not-affected
trusty
not-affected
Common Weakness Enumeration
References
http://seclists.org/fulldisclosure/2022/Oct/28
http://seclists.org/fulldisclosure/2022/Oct/39
http://seclists.org/fulldisclosure/2022/Oct/41
https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-1622.json
https://gitlab.com/libtiff/libtiff/-/commit/b4e79bfa0c7d2d08f6f1e7ec38143fc8cb11394a
https://gitlab.com/libtiff/libtiff/-/issues/410
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/C7IWZTB4J2N4F5OR5QY4VHDSKWKZSWN3/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UXAFOP6QQRNZD3HPZ6BMCEZZOM4YIZMK/
https://security.netapp.com/advisory/ntap-20220616-0005/
https://support.apple.com/kb/HT213443
https://support.apple.com/kb/HT213444
https://support.apple.com/kb/HT213446
https://support.apple.com/kb/HT213486
https://support.apple.com/kb/HT213487
https://support.apple.com/kb/HT213488
http://seclists.org/fulldisclosure/2022/Oct/28
http://seclists.org/fulldisclosure/2022/Oct/39
http://seclists.org/fulldisclosure/2022/Oct/41
https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-1622.json
https://gitlab.com/libtiff/libtiff/-/commit/b4e79bfa0c7d2d08f6f1e7ec38143fc8cb11394a
https://gitlab.com/libtiff/libtiff/-/issues/410
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/C7IWZTB4J2N4F5OR5QY4VHDSKWKZSWN3/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UXAFOP6QQRNZD3HPZ6BMCEZZOM4YIZMK/
https://security.netapp.com/advisory/ntap-20220616-0005/
https://support.apple.com/kb/HT213443
https://support.apple.com/kb/HT213444
https://support.apple.com/kb/HT213446
https://support.apple.com/kb/HT213486
https://support.apple.com/kb/HT213487
https://support.apple.com/kb/HT213488