CVE-2022-36354 - Vulnerability Details - OpenCVE

A heap out-of-bounds read vulnerability exists in the RLA format parser of OpenImageIO master-branch-9aeece7a and v2.3.19.0. More specifically, in the way run-length encoded byte spans are handled. A malformed RLA file can lead to an out-of-bounds read of heap metadata which can result in sensitive information leak. An attacker can provide a malicious file to trigger this vulnerability.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation poc

Automatable yes

Technical Impact partial

Vendors	Products
Debian	Debian Linux
Openimageio	Openimageio

Configuration 1 [-]

cpe:2.3:a:openimageio:openimageio:2.3.19.0:*:*:*:*:*:*:*

Configuration 2 [-]

cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://talosintelligence.com/vulnerability_reports/TALOS-2022-1629

History

Mon, 14 Apr 2025 18:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: talos

Published: 2022-12-23T23:03:51.372Z

Updated: 2025-04-14T18:08:48.912Z

Reserved: 2022-09-30T00:00:00.000Z

Link: CVE-2022-36354

Vulnrichment

Updated: 2024-08-03T10:00:04.378Z

NVD

Status : Modified

Published: 2022-12-22T22:15:13.363

Modified: 2024-11-21T07:12:51.133

Link: CVE-2022-36354

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-36354", "assignerOrgId": "b86d76f8-0f8a-4a96-a78d-d8abfc7fc29b", "assignerShortName": "talos", "dateUpdated": "2025-04-14T18:08:48.912Z", "dateReserved": "2022-09-30T00:00:00.000Z", "datePublished": "2022-12-23T23:03:51.372Z"}, "containers": {"cna": {"affected": [{"vendor": "OpenImageIO Project", "product": "OpenImageIO", "versions": [{"version": "master-branch-9aeece7a", "status": "affected"}, {"version": "v2.3.19.0", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "A heap out-of-bounds read vulnerability exists in the RLA format parser of OpenImageIO master-branch-9aeece7a and v2.3.19.0. More specifically, in the way run-length encoded byte spans are handled. A malformed RLA file can lead to an out-of-bounds read of heap metadata which can result in sensitive information leak. An attacker can provide a malicious file to trigger this vulnerability."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-193: Off-by-one Error", "type": "CWE", "cweId": "CWE-193"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "providerMetadata": {"orgId": "b86d76f8-0f8a-4a96-a78d-d8abfc7fc29b", "shortName": "talos", "dateUpdated": "2023-07-17T16:22:59.799Z"}, "references": [{"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2022-1629", "name": "https://talosintelligence.com/vulnerability_reports/TALOS-2022-1629"}], "credits": [{"lang": "en", "value": "Discovered by Lilith >_> of Cisco Talos."}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T10:00:04.378Z"}, "title": "CVE Program Container", "references": [{"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2022-1629", "name": "https://talosintelligence.com/vulnerability_reports/TALOS-2022-1629", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-14T18:08:38.923719Z", "id": "CVE-2022-36354", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-14T18:08:48.912Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2022-1629", "name": "https://talosintelligence.com/vulnerability_reports/TALOS-2022-1629", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T10:00:04.378Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2022-36354", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-04-14T18:08:38.923719Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-14T18:08:44.430Z"}}], "cna": {"credits": [{"lang": "en", "value": "Discovered by Lilith >_> of Cisco Talos."}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "OpenImageIO Project", "product": "OpenImageIO", "versions": [{"status": "affected", "version": "master-branch-9aeece7a"}, {"status": "affected", "version": "v2.3.19.0"}]}], "references": [{"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2022-1629", "name": "https://talosintelligence.com/vulnerability_reports/TALOS-2022-1629"}], "descriptions": [{"lang": "en", "value": "A heap out-of-bounds read vulnerability exists in the RLA format parser of OpenImageIO master-branch-9aeece7a and v2.3.19.0. More specifically, in the way run-length encoded byte spans are handled. A malformed RLA file can lead to an out-of-bounds read of heap metadata which can result in sensitive information leak. An attacker can provide a malicious file to trigger this vulnerability."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-193", "description": "CWE-193: Off-by-one Error"}]}], "providerMetadata": {"orgId": "b86d76f8-0f8a-4a96-a78d-d8abfc7fc29b", "shortName": "talos", "dateUpdated": "2023-07-17T16:22:59.799Z"}}}, "cveMetadata": {"cveId": "CVE-2022-36354", "state": "PUBLISHED", "dateUpdated": "2025-04-14T18:08:48.912Z", "dateReserved": "2022-09-30T00:00:00.000Z", "assignerOrgId": "b86d76f8-0f8a-4a96-a78d-d8abfc7fc29b", "datePublished": "2022-12-23T23:03:51.372Z", "assignerShortName": "talos"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:openimageio:openimageio:2.3.19.0:*:*:*:*:*:*:*", "matchCriteriaId": "06112B1B-FC3F-425D-A78A-F7B7FD8AC1F9", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*", "matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A heap out-of-bounds read vulnerability exists in the RLA format parser of OpenImageIO master-branch-9aeece7a and v2.3.19.0. More specifically, in the way run-length encoded byte spans are handled. A malformed RLA file can lead to an out-of-bounds read of heap metadata which can result in sensitive information leak. An attacker can provide a malicious file to trigger this vulnerability."}, {"lang": "es", "value": "Existe una vulnerabilidad de lectura fuera de los l\u00edmites en el analizador de formato RLA de OpenImageIO master-branch-9aeece7a y v2.3.19.0. M\u00e1s espec\u00edficamente, en la forma en que se manejan los intervalos de bytes codificados de longitud de ejecuci\u00f3n. Un archivo RLA con formato incorrecto puede provocar una lectura fuera de los l\u00edmites de metadatos del mont\u00f3n, lo que puede provocar una fuga de informaci\u00f3n confidencial. Un atacante puede proporcionar un archivo malicioso para desencadenar esta vulnerabilidad."}], "id": "CVE-2022-36354", "lastModified": "2024-11-21T07:12:51.133", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "talos-cna@cisco.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-12-22T22:15:13.363", "references": [{"source": "talos-cna@cisco.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2022-1629"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2022-1629"}], "sourceIdentifier": "talos-cna@cisco.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-193"}], "source": "talos-cna@cisco.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-193"}], "source": "nvd@nist.gov", "type": "Secondary"}]}