OpenCVE

An exploitable code execution vulnerability exists in the ILBM image rendering functionality of SDL2_image-2.0.2. A specially crafted ILBM image can cause a stack overflow resulting in code execution. An attacker can display a specially crafted image to trigger this vulnerability.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:M/Au:N/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Debian	Debian Linux
Libsdl	Sdl Image

Configuration 1 [-]

cpe:2.3:a:libsdl:sdl_image:2.0.2:*:*:*:*:*:*:*

Configuration 2 [-]

OR	cpe:2.3:o:debian:debian_linux:7.0:::::::*
	cpe:2.3:o:debian:debian_linux:8.0:::::::*
	cpe:2.3:o:debian:debian_linux:9.0:::::::*

No data.

References

Link	Providers
https://lists.debian.org/debian-lts-announce/2018/04/msg00005.html
https://security.gentoo.org/glsa/201903-17
https://www.debian.org/security/2018/dsa-4177
https://www.debian.org/security/2018/dsa-4184
https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0489

History

No history.

MITRE

Status: PUBLISHED

Assigner: talos

Published: 2018-04-24T19:00:00Z

Updated: 2024-09-17T02:31:14.654Z

Reserved: 2017-09-13T00:00:00

Link: CVE-2017-14440

Vulnrichment

No data.

NVD

Status : Modified

Published: 2018-04-24T19:29:01.627

Modified: 2024-11-21T03:12:47.967

Link: CVE-2017-14440

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Simple DirectMedia Layer", "vendor": "Sam Lantinga and Mattias Engdeg\u00e5rd", "versions": [{"status": "affected", "version": "SDL2_image 2.0.2"}]}], "datePublic": "2018-03-01T00:00:00", "descriptions": [{"lang": "en", "value": "An exploitable code execution vulnerability exists in the ILBM image rendering functionality of SDL2_image-2.0.2. A specially crafted ILBM image can cause a stack overflow resulting in code execution. An attacker can display a specially crafted image to trigger this vulnerability."}], "metrics": [{"cvssV3_0": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"description": "remote code execution", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-04-19T18:20:45", "orgId": "b86d76f8-0f8a-4a96-a78d-d8abfc7fc29b", "shortName": "talos"}, "references": [{"name": "DSA-4177", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "https://www.debian.org/security/2018/dsa-4177"}, {"name": "[debian-lts-announce] 20180406 [SECURITY] [DLA 1341-1] sdl-image1.2 security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2018/04/msg00005.html"}, {"name": "DSA-4184", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "https://www.debian.org/security/2018/dsa-4184"}, {"name": "GLSA-201903-17", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "https://security.gentoo.org/glsa/201903-17"}, {"tags": ["x_refsource_MISC"], "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0489"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "talos-cna@cisco.com", "DATE_PUBLIC": "2018-03-01T00:00:00", "ID": "CVE-2017-14440", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Simple DirectMedia Layer", "version": {"version_data": [{"version_value": "SDL2_image 2.0.2"}]}}]}, "vendor_name": "Sam Lantinga and Mattias Engdeg\u00e5rd"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An exploitable code execution vulnerability exists in the ILBM image rendering functionality of SDL2_image-2.0.2. A specially crafted ILBM image can cause a stack overflow resulting in code execution. An attacker can display a specially crafted image to trigger this vulnerability."}]}, "impact": {"cvss": {"baseScore": 8.8, "baseSeverity": "High", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "remote code execution"}]}]}, "references": {"reference_data": [{"name": "DSA-4177", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2018/dsa-4177"}, {"name": "[debian-lts-announce] 20180406 [SECURITY] [DLA 1341-1] sdl-image1.2 security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2018/04/msg00005.html"}, {"name": "DSA-4184", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2018/dsa-4184"}, {"name": "GLSA-201903-17", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/201903-17"}, {"name": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0489", "refsource": "MISC", "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0489"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T19:27:40.516Z"}, "title": "CVE Program Container", "references": [{"name": "DSA-4177", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "https://www.debian.org/security/2018/dsa-4177"}, {"name": "[debian-lts-announce] 20180406 [SECURITY] [DLA 1341-1] sdl-image1.2 security update", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2018/04/msg00005.html"}, {"name": "DSA-4184", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "https://www.debian.org/security/2018/dsa-4184"}, {"name": "GLSA-201903-17", "tags": ["vendor-advisory", "x_refsource_GENTOO", "x_transferred"], "url": "https://security.gentoo.org/glsa/201903-17"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0489"}]}]}, "cveMetadata": {"assignerOrgId": "b86d76f8-0f8a-4a96-a78d-d8abfc7fc29b", "assignerShortName": "talos", "cveId": "CVE-2017-14440", "datePublished": "2018-04-24T19:00:00Z", "dateReserved": "2017-09-13T00:00:00", "dateUpdated": "2024-09-17T02:31:14.654Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:libsdl:sdl_image:2.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "8ACCFE82-277E-4B12-8BD4-C7B8FBFB37BD", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "16F59A04-14CF-49E2-9973-645477EA09DA", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "An exploitable code execution vulnerability exists in the ILBM image rendering functionality of SDL2_image-2.0.2. A specially crafted ILBM image can cause a stack overflow resulting in code execution. An attacker can display a specially crafted image to trigger this vulnerability."}, {"lang": "es", "value": "Existe una vulnerabilidad explotable de ejecuci\u00f3n de c\u00f3digo en la funcionalidad de renderizaci\u00f3n de im\u00e1genes ILBM de SDL2_image-2.0.2. Un paquete de red especialmente manipulado puede provocar un desbordamiento de pila que resulta en la ejecuci\u00f3n de c\u00f3digo. Un atacante puede mostrar una imagen especialmente manipulada para provocar esta vulnerabilidad."}], "id": "CVE-2017-14440", "lastModified": "2024-11-21T03:12:47.967", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "talos-cna@cisco.com", "type": "Secondary"}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-04-24T19:29:01.627", "references": [{"source": "talos-cna@cisco.com", "tags": ["Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2018/04/msg00005.html"}, {"source": "talos-cna@cisco.com", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/201903-17"}, {"source": "talos-cna@cisco.com", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2018/dsa-4177"}, {"source": "talos-cna@cisco.com", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2018/dsa-4184"}, {"source": "talos-cna@cisco.com", "tags": ["Third Party Advisory"], "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0489"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2018/04/msg00005.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/201903-17"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2018/dsa-4177"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2018/dsa-4184"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0489"}], "sourceIdentifier": "talos-cna@cisco.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-787"}], "source": "nvd@nist.gov", "type": "Primary"}]}