CVE-2021-3598

Name
CVE-2021-3598
Description
There's a flaw in OpenEXR's ImfDeepScanLineInputFile functionality in versions prior to 3.0.5. An attacker who is able to submit a crafted file to an application linked with OpenEXR could cause an out-of-bounds read. The greatest risk from this flaw is to application availability.
NVD Severity
medium
Other trackers
CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia
Mailing lists
oss-security, full-disclosure, bugtraq
Exploits
Exploit DB, Metasploit
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
MISC https://bugzilla.redhat.com/show_bug.cgi?id=1970987

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:openexr:openexr:*:*:*:*:*:*:*:* openexr >= None < 3.0.5

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
openexr edge-community 3.1.1-r0 Mark Riedesel <mark+alpine@klowner.com> fixed
openexr edge-community 2.5.5-r3 Mark Riedesel <mark+alpine@klowner.com> possibly vulnerable
openexr edge-community 2.5.4-r0 None possibly vulnerable
openexr edge-community 2.5.2-r0 None possibly vulnerable
openexr edge-community 2.4.1-r0 None possibly vulnerable
openexr edge-community 2.4.0-r0 None possibly vulnerable
openexr edge-community 2.2.1-r0 None possibly vulnerable
openexr 3.22-community 3.1.1-r0 None fixed
openexr 3.22-community 2.5.4-r0 None possibly vulnerable
openexr 3.22-community 2.5.2-r0 None possibly vulnerable
openexr 3.22-community 2.4.1-r0 None possibly vulnerable
openexr 3.22-community 2.4.0-r0 None possibly vulnerable
openexr 3.22-community 2.2.1-r0 None possibly vulnerable
openexr 3.21-community 3.1.1-r0 None fixed
openexr 3.20-community 3.1.1-r0 None fixed
openexr 3.19-community 3.1.1-r0 None fixed
openexr 3.18-community 3.1.1-r0 None fixed
openexr 3.17-community 3.1.1-r0 None fixed