CVE-2021-23169: Buffer Overflow
First published: Thu Apr 08 2021(Updated: )
A heap-buffer overflow was found in the copyIntoFrameBuffer function of OpenEXR in versions before 3.0.1. An attacker could use this flaw to execute arbitrary code with the permissions of the user running the application compiled against OpenEXR.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Openexr Openexr | <3.0.1 | |
| Fedoraproject Fedora | =33 | |
| Fedoraproject Fedora | =34 | |
| redhat/OpenEXR | <3.0.1 | 3.0.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugzilla.redhat.com/show_bug.cgi?id=1947612
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4KYNJSMVA6YJY5NMKDZ5SAISKZG2KCKC/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BXFLD4ZAXKAIWO6ZPBCQEEDZB5IG676K/
- https://security.gentoo.org/glsa/202210-31
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4KYNJSMVA6YJY5NMKDZ5SAISKZG2KCKC/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BXFLD4ZAXKAIWO6ZPBCQEEDZB5IG676K/
- https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28051
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1947613
- https://github.com/AcademySoftwareFoundation/openexr/pull/872
- https://github.com/AcademySoftwareFoundation/openexr/commit/ae6d203892cc9311917a7f4f05354ef792b3e58e
Frequently Asked Questions
What is CVE-2021-23169?
CVE-2021-23169 is a heap-buffer overflow vulnerability found in the copyIntoFrameBuffer function of OpenEXR before version 3.0.1.
What is the severity of CVE-2021-23169?
The severity of CVE-2021-23169 is high with a CVSS score of 8.8.
How does CVE-2021-23169 affect OpenEXR?
CVE-2021-23169 affects OpenEXR versions before 3.0.1 and can be exploited by an attacker to execute arbitrary code with the permissions of the user running the application.
Which software versions are affected by CVE-2021-23169?
OpenEXR versions before 3.0.1 are affected by CVE-2021-23169.
Is there a fix for CVE-2021-23169?
Yes, updating OpenEXR to version 3.0.1 will fix the CVE-2021-23169 vulnerability.
- collector/nvd-index
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/author
- agent/weakness
- agent/last-modified-date
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2021-23169
- agent/software-canonical-lookup
- agent/references
- agent/severity
- agent/softwarecombine
- agent/tags
- agent/description
- agent/first-publish-date
- agent/event
- vendor/openexr
- canonical/openexr openexr
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/33
- version/fedoraproject fedora/34
- package-manager/redhat