Vulnerability Details CVE-2021-3478
There's a flaw in OpenEXR's scanline input file functionality in versions before 3.0.0-beta. An attacker able to submit a crafted file to be processed by OpenEXR could consume excessive system memory. The greatest impact of this flaw is to system availability.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 28.1%
CVSS Severity
CVSS v3 Score 5.5
CVSS v2 Score 4.3
References
- https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27409
- https://bugzilla.redhat.com/show_bug.cgi?id=1939160
- https://lists.debian.org/debian-lts-announce/2021/07/msg00001.html
- https://lists.debian.org/debian-lts-announce/2022/12/msg00022.html
- https://security.gentoo.org/glsa/202107-27
- https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27409
- https://bugzilla.redhat.com/show_bug.cgi?id=1939160
- https://lists.debian.org/debian-lts-announce/2021/07/msg00001.html
- https://lists.debian.org/debian-lts-announce/2022/12/msg00022.html
- https://security.gentoo.org/glsa/202107-27
Products affected by CVE-2021-3478
-
cpe:2.3:a:openexr:openexr:-
-
cpe:2.3:a:openexr:openexr:1.0
-
cpe:2.3:a:openexr:openexr:1.0.1
-
cpe:2.3:a:openexr:openexr:1.0.2
-
cpe:2.3:a:openexr:openexr:1.0.3
-
cpe:2.3:a:openexr:openexr:1.0.4
-
cpe:2.3:a:openexr:openexr:1.0.5
-
cpe:2.3:a:openexr:openexr:1.0.6
-
cpe:2.3:a:openexr:openexr:1.0.7
-
cpe:2.3:a:openexr:openexr:1.1.0
-
cpe:2.3:a:openexr:openexr:1.1.1
-
cpe:2.3:a:openexr:openexr:1.2.1
-
cpe:2.3:a:openexr:openexr:1.2.2
-
cpe:2.3:a:openexr:openexr:1.3.0
-
cpe:2.3:a:openexr:openexr:1.3.1
-
cpe:2.3:a:openexr:openexr:1.3.2
-
cpe:2.3:a:openexr:openexr:1.4.0
-
cpe:2.3:a:openexr:openexr:1.5.0
-
cpe:2.3:a:openexr:openexr:1.6.0
-
cpe:2.3:a:openexr:openexr:1.6.1
-
cpe:2.3:a:openexr:openexr:1.7.0
-
cpe:2.3:a:openexr:openexr:1.7.1
-
cpe:2.3:a:openexr:openexr:2.0.0
-
cpe:2.3:a:openexr:openexr:2.0.1
-
cpe:2.3:a:openexr:openexr:2.1.0
-
cpe:2.3:a:openexr:openexr:2.2.0
-
cpe:2.3:a:openexr:openexr:2.2.1
-
cpe:2.3:a:openexr:openexr:2.2.2
-
cpe:2.3:a:openexr:openexr:2.3.0
-
cpe:2.3:a:openexr:openexr:2.4.0
-
cpe:2.3:a:openexr:openexr:2.4.1
-
cpe:2.3:a:openexr:openexr:2.4.2
-
cpe:2.3:a:openexr:openexr:2.5.0
-
cpe:2.3:a:openexr:openexr:2.5.1
-
cpe:2.3:a:openexr:openexr:2.5.2
-
cpe:2.3:a:openexr:openexr:2.5.3
-
cpe:2.3:o:debian:debian_linux:10.0
-
cpe:2.3:o:debian:debian_linux:9.0