Vulnerability Details CVE-2018-5784
In LibTIFF 4.0.9, there is an uncontrolled resource consumption in the TIFFSetDirectory function of tif_dir.c. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted tif file. This occurs because the declared number of directory entries is not validated against the actual number of directory entries.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.014
EPSS Ranking 79.4%
CVSS Severity
CVSS v3 Score 6.5
CVSS v2 Score 4.3
References
- http://bugzilla.maptools.org/show_bug.cgi?id=2772
- https://gitlab.com/libtiff/libtiff/commit/473851d211cf8805a161820337ca74cc9615d6ef
- https://lists.debian.org/debian-lts-announce/2018/05/msg00022.html
- https://lists.debian.org/debian-lts-announce/2018/07/msg00002.html
- https://usn.ubuntu.com/3602-1/
- https://usn.ubuntu.com/3606-1/
- https://www.debian.org/security/2018/dsa-4349
- http://bugzilla.maptools.org/show_bug.cgi?id=2772
- https://gitlab.com/libtiff/libtiff/commit/473851d211cf8805a161820337ca74cc9615d6ef
- https://lists.debian.org/debian-lts-announce/2018/05/msg00022.html
- https://lists.debian.org/debian-lts-announce/2018/07/msg00002.html
- https://usn.ubuntu.com/3602-1/
- https://usn.ubuntu.com/3606-1/
- https://www.debian.org/security/2018/dsa-4349
Products affected by CVE-2018-5784
-
cpe:2.3:a:libtiff:libtiff:4.0.9
-
cpe:2.3:o:canonical:ubuntu_linux:14.04
-
cpe:2.3:o:canonical:ubuntu_linux:16.04
-
cpe:2.3:o:canonical:ubuntu_linux:17.10
-
cpe:2.3:o:debian:debian_linux:7.0
-
cpe:2.3:o:debian:debian_linux:8.0
-
cpe:2.3:o:debian:debian_linux:9.0