CVE-2022-0891 — MEDIUM (6.1)

Q: How severe is CVE-2022-0891?

CVE-2022-0891 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2022-0891?

Check the references section above for vendor advisories and patch information. Affected products include: Libtiff Libtiff, Debian Debian Linux, Fedoraproject Fedora, Netapp Active Iq Unified Manager.

Vulnerability Description

A heap buffer overflow in ExtractImageSection function in tiffcrop.c in libtiff library Version 4.3.0 allows attacker to trigger unsafe or out of bounds memory access via crafted TIFF image file which could result into application crash, potential information disclosure or any other context-dependent impact

CVSS Score

6.1

MEDIUM

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

LOW

Integrity

NONE

Availability

HIGH

Affected Products

Vendor	Product	Versions
Libtiff	Libtiff	>= 3.9.0, <= 4.3.0
Debian	Debian Linux	10.0
Fedoraproject	Fedora	35
Netapp	Active Iq Unified Manager	-

Related Weaknesses (CWE)

CWE-787

References

https://gitlab.com/freedesktop-sdk/mirrors/gitlab/libtiff/libtiff/-/commit/23228PatchThird Party Advisory
https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-0891.jsonThird Party AdvisoryVDB Entry
https://gitlab.com/libtiff/libtiff/-/issues/380ExploitIssue TrackingPatch
https://gitlab.com/libtiff/libtiff/-/issues/382ExploitIssue TrackingPatch
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://security.gentoo.org/glsa/202210-10Third Party Advisory
https://security.netapp.com/advisory/ntap-20221228-0008/Third Party Advisory
https://www.debian.org/security/2022/dsa-5108Third Party Advisory
https://gitlab.com/freedesktop-sdk/mirrors/gitlab/libtiff/libtiff/-/commit/23228PatchThird Party Advisory
https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-0891.jsonThird Party AdvisoryVDB Entry
https://gitlab.com/libtiff/libtiff/-/issues/380ExploitIssue TrackingPatch
https://gitlab.com/libtiff/libtiff/-/issues/382ExploitIssue TrackingPatch
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro

FAQ

What is CVE-2022-0891?

CVE-2022-0891 is a vulnerability with a CVSS score of 6.1 (MEDIUM). A heap buffer overflow in ExtractImageSection function in tiffcrop.c in libtiff library Version 4.3.0 allows attacker to trigger unsafe or out of bounds memory access via crafted TIFF image file which...

How severe is CVE-2022-0891?

CVE-2022-0891 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2022-0891?

Check the references section above for vendor advisories and patch information. Affected products include: Libtiff Libtiff, Debian Debian Linux, Fedoraproject Fedora, Netapp Active Iq Unified Manager.