Talos Vulnerability Report

TALOS-2023-1709

OpenImageIO Project OpenImageIO FitsOutput::close() denial of service vulnerability

March 30, 2023

CVE Number

CVE-2023-24472

SUMMARY

A denial of service vulnerability exists in the FitsOutput::close() functionality of OpenImageIO Project OpenImageIO v2.4.7.1. A specially crafted ImageOutput Object can lead to denial of service. An attacker can provide malicious input to trigger this vulnerability.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

OpenImageIO Project OpenImageIO v2.4.7.1

PRODUCT URLS

OpenImageIO - https://github.com/OpenImageIO/oiio

CVSSv3 SCORE

7.5 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-674 - Uncontrolled Recursion

DETAILS

OpenImageIO is an image processing library with easy-to-use interfaces and a sizable number of supported image formats. Useful for conversion and processing and even image comparison, this library is utilized by 3D-processing software from AliceVision (including Meshroom), as well as Blender for reading Photoshop .psd files.

CVE-2022-43595 was not fixed in newest version.

TIMELINE

2023-02-07 - Vendor Disclosure
2023-02-13 - Vendor Patch Release
2023-03-30 - Public Release

Credit

Discovered by Lilith >_> of Cisco Talos.

TALOS-2023-1731

TALOS-2023-1707

Intelligence Center

Vulnerability Research

Security Resources

Media

Company