MEDIUM · 6.3

CVE-2022-3970


Vulnerability Description

A vulnerability was found in LibTIFF. It has been classified as critical. This affects the function TIFFReadRGBATileExt of the file libtiff/tif_getimage.c. The manipulation leads to integer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The name of the patch is 227500897dfb07fb7d27f7aa570050e62617e3be. It is recommended to apply a patch to fix this issue. The identifier VDB-213549 was assigned to this vulnerability.

CVSS Score

6.3

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality: LOW
Integrity: LOW
Availability: LOW

Affected Products

| Vendor | Product | Versions |
|---|---|---|
| Libtiff | Libtiff | < 4.5.0 |
| Netapp | Active Iq Unified Manager | - |
| Debian | Debian Linux | 10.0 |
| Apple | Safari | < 16.5.1 |
| Apple | Ipados | < 16.6 |
| Apple | Iphone Os | < 16.6 |
| Apple | Macos | < 13.5 |

Related Weaknesses (CWE)

References

FAQ

What is CVE-2022-3970?

CVE-2022-3970 is a vulnerability with a CVSS score of 6.3 (MEDIUM). A vulnerability was found in LibTIFF. It has been classified as critical. This affects the function TIFFReadRGBATileExt of the file libtiff/tif_getimage.c. The manipulation leads to integer overflow. ...

How severe is CVE-2022-3970?

CVE-2022-3970 has been rated MEDIUM with a CVSS base score of 6.3/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2022-3970?

Check the references section above for vendor advisories and patch information. Affected products include: Libtiff Libtiff, Netapp Active Iq Unified Manager, Debian Debian Linux, Apple Safari, Apple Ipados.