CVE-2021-45943 — MEDIUM (5.5)

Q: How severe is CVE-2021-45943?

CVE-2021-45943 has been rated MEDIUM with a CVSS base score of 5.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2021-45943?

Check the references section above for vendor advisories and patch information. Affected products include: Osgeo Gdal, Debian Debian Linux, Fedoraproject Fedora, Oracle Spatial And Graph.

Vulnerability Description

GDAL 3.3.0 through 3.4.0 has a heap-based buffer overflow in PCIDSK::CPCIDSKFile::ReadFromFile (called from PCIDSK::CPCIDSKSegment::ReadFromFile and PCIDSK::CPCIDSKBinarySegment::CPCIDSKBinarySegment).

CVSS Score

5.5

MEDIUM

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality

NONE

Integrity

NONE

Availability

HIGH

Affected Products

Vendor	Product	Versions
Osgeo	Gdal	>= 3.3.0, <= 3.4.0
Debian	Debian Linux	9.0
Fedoraproject	Fedora	34
Oracle	Spatial And Graph	19c

Related Weaknesses (CWE)

CWE-787

References

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=41993ExploitIssue TrackingMailing List
https://github.com/OSGeo/gdal/commit/1ca6a3e5168c200763fa46d8aa7e698d0b757e7ePatchThird Party Advisory
https://github.com/OSGeo/gdal/pull/4944ExploitPatchThird Party Advisory
https://github.com/google/oss-fuzz-vulns/blob/main/vulns/gdal/OSV-2021-1651.yamlThird Party Advisory
https://lists.debian.org/debian-lts-announce/2022/01/msg00004.htmlMailing ListThird Party Advisory
https://lists.debian.org/debian-lts-announce/2022/09/msg00040.htmlMailing ListThird Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://security.gentoo.org/glsa/202210-15Third Party Advisory
https://www.debian.org/security/2022/dsa-5239Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2022.htmlPatchThird Party Advisory
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=41993ExploitIssue TrackingMailing List
https://github.com/OSGeo/gdal/commit/1ca6a3e5168c200763fa46d8aa7e698d0b757e7ePatchThird Party Advisory
https://github.com/OSGeo/gdal/pull/4944ExploitPatchThird Party Advisory
https://github.com/google/oss-fuzz-vulns/blob/main/vulns/gdal/OSV-2021-1651.yamlThird Party Advisory

FAQ

What is CVE-2021-45943?

CVE-2021-45943 is a vulnerability with a CVSS score of 5.5 (MEDIUM). GDAL 3.3.0 through 3.4.0 has a heap-based buffer overflow in PCIDSK::CPCIDSKFile::ReadFromFile (called from PCIDSK::CPCIDSKSegment::ReadFromFile and PCIDSK::CPCIDSKBinarySegment::CPCIDSKBinarySegment)...

How severe is CVE-2021-45943?

CVE-2021-45943 has been rated MEDIUM with a CVSS base score of 5.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2021-45943?

Check the references section above for vendor advisories and patch information. Affected products include: Osgeo Gdal, Debian Debian Linux, Fedoraproject Fedora, Oracle Spatial And Graph.