CVE-2023-5841

Due to a failure in validating the number of scanline samples of a OpenEXR file containing deep scanline data, Academy Software Foundation OpenEXimage parsing library version 3.2.1 and prior is susceptible to a heap-based buffer overflow vulnerability. This issue was resolved as of versionsv3.2.2 and v3.1.12 of the affected library.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
9.1 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
AHACNA
---
---
CVEADP
---
---
CISA-ADPADP
9.1 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 64%
VendorProductVersion
openexropenexr
𝑥
≤ 3.2.1
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
openexr
bullseye (security)
2.5.4-2+deb11u1
fixed
bullseye
2.5.4-2+deb11u1
not-affected
bookworm
no-dsa
buster
not-affected
sid
vulnerable
trixie
vulnerable
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
openexr
oracular
needs-triage
noble
needs-triage
mantic
ignored
jammy
not-affected
focal
not-affected
bionic
not-affected
xenial
not-affected
trusty
ignored
Common Weakness Enumeration
References
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LSB6DB5LAKGPLRXEF5HDNGUMT7GIFT2C/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XWMINVKQLSUHECXBSQMZFCSDRIHFOJJI/
https://takeonme.org/cves/CVE-2023-5841.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LSB6DB5LAKGPLRXEF5HDNGUMT7GIFT2C/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XWMINVKQLSUHECXBSQMZFCSDRIHFOJJI/
https://takeonme.org/cves/CVE-2023-5841.html