CVE-2009-1721

Severity Score

6.8

*CVSS v2

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

The decompression implementation in the Imf::hufUncompress function in OpenEXR 1.2.2 and 1.6.1 allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via vectors that trigger a free of an uninitialized pointer.

La implementación de la descompresión en la función Imf::hufUncompress en OpenEXR v1.2.2 y v1.6.1 permite a los atacantes dependientes del contexto provocar una denegación de servicio (finalización de la aplicación) o posiblemente ejecutar código de su elección mediante vectores que provocan una estructura de punteros no inicializados.

*Credits: N/A

CVSS Scores

NISTv2 6.8

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2009-05-20 CVE Reserved
2009-07-28 CVE Published
2024-07-07 EPSS Updated
2024-08-07 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-824: Access of Uninitialized Pointer

CAPEC

References (22)

URL	Tag	Source
http://secunia.com/advisories/36096	Broken Link
http://secunia.com/advisories/36123	Broken Link
http://secunia.com/advisories/36753	Broken Link
http://support.apple.com/kb/HT3757	Third Party Advisory
http://www.securitytracker.com/id?1022674	Broken Link
http://www.us-cert.gov/cas/techalerts/TA09-218A.html	Third Party Advisory
http://www.vupen.com/english/advisories/2009/2172	Broken Link

URL	Date	SRC

URL	Date	SRC
http://release.debian.org/proposed-updates/stable_diffs/openexr_1.6.1-3%2Blenny3.debdiff	2024-02-09
http://security.debian.org/pool/updates/main/o/openexr/openexr_1.2.2-4.3+etch2.diff.gz	2024-02-09
http://security.debian.org/pool/updates/main/o/openexr/openexr_1.6.1-3+lenny3.diff.gz	2024-02-09
http://www.securityfocus.com/bid/35838	2024-02-09

URL	Date	SRC
http://lists.apple.com/archives/security-announce/2009/Aug/msg00001.html	2024-02-09
http://lists.opensuse.org/opensuse-security-announce/2009-09/msg00000.html	2024-02-09
http://secunia.com/advisories/36030	2024-02-09
http://secunia.com/advisories/36032	2024-02-09
http://www.debian.org/security/2009/dsa-1842	2024-02-09
http://www.mandriva.com/security/advisories?name=MDVSA-2009:190	2024-02-09
http://www.mandriva.com/security/advisories?name=MDVSA-2009:191	2024-02-09
http://www.ubuntu.com/usn/USN-831-1	2024-02-09
http://www.vupen.com/english/advisories/2009/2035	2024-02-09
https://www.redhat.com/archives/fedora-package-announce/2009-July/msg01286.html	2024-02-09
https://www.redhat.com/archives/fedora-package-announce/2009-July/msg01290.html	2024-02-09

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Openexr Search vendor "Openexr"		Openexr Search vendor "Openexr" for product "Openexr"				1.2.2 Search vendor "Openexr" for product "Openexr" and version "1.2.2"		-		Affected
Openexr Search vendor "Openexr"		Openexr Search vendor "Openexr" for product "Openexr"				1.6.1 Search vendor "Openexr" for product "Openexr" and version "1.6.1"		-		Affected
Opensuse Search vendor "Opensuse"		Opensuse Search vendor "Opensuse" for product "Opensuse"				10.0 Search vendor "Opensuse" for product "Opensuse" and version "10.0"		-		Affected
Opensuse Search vendor "Opensuse"		Opensuse Search vendor "Opensuse" for product "Opensuse"				10.3 Search vendor "Opensuse" for product "Opensuse" and version "10.3"		-		Affected
Opensuse Search vendor "Opensuse"		Opensuse Search vendor "Opensuse" for product "Opensuse"				11.0 Search vendor "Opensuse" for product "Opensuse" and version "11.0"		-		Affected
Apple Search vendor "Apple"		Mac Os X Search vendor "Apple" for product "Mac Os X"				< 10.5.8 Search vendor "Apple" for product "Mac Os X" and version " < 10.5.8"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				4.0 Search vendor "Debian" for product "Debian Linux" and version "4.0"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				5.0 Search vendor "Debian" for product "Debian Linux" and version "5.0"		-		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				8.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "8.04"		-		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				8.10 Search vendor "Canonical" for product "Ubuntu Linux" and version "8.10"		-		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				9.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "9.04"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				10 Search vendor "Fedoraproject" for product "Fedora" and version "10"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				11 Search vendor "Fedoraproject" for product "Fedora" and version "11"		-		Affected