// For flags

CVE-2009-0723

LittleCms integer overflow

Severity Score

9.3
*CVSS v2

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

2
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

Multiple integer overflows in LittleCMS (aka lcms or liblcms) before 1.18beta2, as used in Firefox 3.1beta, OpenJDK, and GIMP, allow context-dependent attackers to execute arbitrary code via a crafted image file that triggers a heap-based buffer overflow. NOTE: some of these details are obtained from third party information.

Múltiples desbordamientos de enteros en LittleCMS (también conocido como lcms o liblcms) anteriores a v1.18beta2, como el utilizado en Firefox v3.1beta, OpenJDK, y GIMP, permiten a atacantes dependientes de contexto ejecutar código arbitrario a través de un fichero de imagen manipulado, que provoca un desbordamiento de buffer basada en montículo. NOTA: algunos de estos detalles son obtenidos de información de terceras personas.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Medium
Authentication
None
Confidentiality
Complete
Integrity
Complete
Availability
Complete
Attack Vector
Network
Attack Complexity
Medium
Authentication
None
Confidentiality
Partial
Integrity
Partial
Availability
Partial
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2009-02-24 CVE Reserved
  • 2009-03-23 CVE Published
  • 2023-12-12 EPSS Updated
  • 2024-08-07 CVE Updated
  • 2024-08-07 First Exploit
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-190: Integer Overflow or Wraparound
CAPEC
References (42)
URL Tag Source
http://secunia.com/advisories/34367 Broken Link
http://secunia.com/advisories/34382 Broken Link
http://secunia.com/advisories/34400 Broken Link
http://secunia.com/advisories/34408 Broken Link
http://secunia.com/advisories/34418 Broken Link
http://secunia.com/advisories/34442 Broken Link
http://secunia.com/advisories/34450 Broken Link
http://secunia.com/advisories/34454 Broken Link
http://secunia.com/advisories/34463 Broken Link
http://secunia.com/advisories/34632 Broken Link
http://secunia.com/advisories/34675 Broken Link
http://secunia.com/advisories/34782 Broken Link
http://www.ocert.org/advisories/ocert-2009-003.html Third Party Advisory
http://www.securityfocus.com/archive/1/502018/100/0/threaded Mailing List
http://www.securityfocus.com/archive/1/502031/100/0/threaded Mailing List
http://www.securitytracker.com/id?1021869 Broken Link
http://www.vupen.com/english/advisories/2009/0775 Broken Link
https://exchange.xforce.ibmcloud.com/vulnerabilities/49326 Third Party Advisory
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11780 Signature
URL Date SRC
http://scary.beasts.org/security/CESA-2009-003.html 2024-08-07
http://scarybeastsecurity.blogspot.com/2009/03/littlecms-vulnerabilities.html 2024-08-07
URL Date SRC
http://www.securityfocus.com/bid/34185 2022-02-07
URL Date SRC
http://lists.opensuse.org/opensuse-security-announce/2009-03/msg00004.html 2022-02-07
http://security.gentoo.org/glsa/glsa-200904-19.xml 2022-02-07
http://slackware.com/security/viewer.php?l=slackware-security&y=2009&m=slackware-security.487438 2022-02-07
http://www.debian.org/security/2009/dsa-1745 2022-02-07
http://www.debian.org/security/2009/dsa-1769 2022-02-07
http://www.mandriva.com/security/advisories?name=MDVSA-2009:121 2022-02-07
http://www.mandriva.com/security/advisories?name=MDVSA-2009:137 2022-02-07
http://www.mandriva.com/security/advisories?name=MDVSA-2009:162 2022-02-07
http://www.redhat.com/support/errata/RHSA-2009-0339.html 2022-02-07
http://www.ubuntu.com/usn/USN-744-1 2022-02-07
https://bugzilla.redhat.com/show_bug.cgi?id=487508 2009-04-07
https://rhn.redhat.com/errata/RHSA-2009-0377.html 2022-02-07
https://www.redhat.com/archives/fedora-package-announce/2009-March/msg00794.html 2022-02-07
https://www.redhat.com/archives/fedora-package-announce/2009-March/msg00799.html 2022-02-07
https://www.redhat.com/archives/fedora-package-announce/2009-March/msg00811.html 2022-02-07
https://www.redhat.com/archives/fedora-package-announce/2009-March/msg00851.html 2022-02-07
https://www.redhat.com/archives/fedora-package-announce/2009-March/msg00856.html 2022-02-07
https://www.redhat.com/archives/fedora-package-announce/2009-March/msg00857.html 2022-02-07
https://www.redhat.com/archives/fedora-package-announce/2009-March/msg00921.html 2022-02-07
https://access.redhat.com/security/cve/CVE-2009-0723 2009-04-07
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Gimp
Search vendor "Gimp"
 Gimp
Search vendor "Gimp" for product "Gimp"
*-
Affected
Mozilla
Search vendor "Mozilla"
 Firefox
Search vendor "Mozilla" for product "Firefox"
 3.1
Search vendor "Mozilla" for product "Firefox" and version "3.1"
beta1
Affected
Sun
Search vendor "Sun"
 Openjdk
Search vendor "Sun" for product "Openjdk"
 <= 7
Search vendor "Sun" for product "Openjdk" and version " <= 7"
-
Affected
Littlecms
Search vendor "Littlecms"
 Little Cms
Search vendor "Littlecms" for product "Little Cms"
 <= 1.17
Search vendor "Littlecms" for product "Little Cms" and version " <= 1.17"
-
Affected