{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2021-20298", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "dateUpdated": "2024-08-03T17:37:23.785Z", "dateReserved": "2020-12-17T00:00:00", "datePublished": "2022-08-23T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2022-12-12T00:00:00"}, "descriptions": [{"lang": "en", "value": "A flaw was found in OpenEXR's B44Compressor. This flaw allows an attacker who can submit a crafted file to be processed by OpenEXR, to exhaust all memory accessible to the application. The highest threat from this vulnerability is to system availability."}], "affected": [{"vendor": "n/a", "product": "OpenEXR", "versions": [{"version": "Fixed in OpenEXR 3.0.0-beta", "status": "affected"}]}], "references": [{"url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=25913"}, {"url": "https://github.com/AcademySoftwareFoundation/openexr/pull/843"}, {"url": "https://github.com/AcademySoftwareFoundation/openexr/commit/85fd638ae0d5fa132434f4cbf32590261c1dba97"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1939156"}, {"url": "https://access.redhat.com/security/cve/CVE-2021-20298"}, {"name": "[debian-lts-announce] 20221211 [SECURITY] [DLA 3236-1] openexr security update", "tags": ["mailing-list"], "url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00022.html"}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-400 - Uncontrolled Resource Consumption", "cweId": "CWE-400"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T17:37:23.785Z"}, "title": "CVE Program Container", "references": [{"url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=25913", "tags": ["x_transferred"]}, {"url": "https://github.com/AcademySoftwareFoundation/openexr/pull/843", "tags": ["x_transferred"]}, {"url": "https://github.com/AcademySoftwareFoundation/openexr/commit/85fd638ae0d5fa132434f4cbf32590261c1dba97", "tags": ["x_transferred"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1939156", "tags": ["x_transferred"]}, {"url": "https://access.redhat.com/security/cve/CVE-2021-20298", "tags": ["x_transferred"]}, {"name": "[debian-lts-announce] 20221211 [SECURITY] [DLA 3236-1] openexr security update", "tags": ["mailing-list", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00022.html"}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:openexr:openexr:*:*:*:*:*:*:*:*", "matchCriteriaId": "5AA57D0D-80D4-442D-8686-698527811EA4", "versionEndIncluding": "2.5.7", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in OpenEXR's B44Compressor. This flaw allows an attacker who can submit a crafted file to be processed by OpenEXR, to exhaust all memory accessible to the application. The highest threat from this vulnerability is to system availability."}, {"lang": "es", "value": "Se ha encontrado un fallo en B44Compressor de OpenEXR. Este fallo permite a un atacante que puede enviar un archivo dise\u00f1ado para ser procesado por OpenEXR, agotar toda la memoria accesible a la aplicaci\u00f3n. La mayor amenaza de esta vulnerabilidad es la disponibilidad del sistema."}], "id": "CVE-2021-20298", "lastModified": "2022-12-13T02:24:50.633", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-08-23T16:15:09.020", "references": [{"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/security/cve/CVE-2021-20298"}, {"source": "secalert@redhat.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=25913"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1939156"}, {"source": "secalert@redhat.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/AcademySoftwareFoundation/openexr/commit/85fd638ae0d5fa132434f4cbf32590261c1dba97"}, {"source": "secalert@redhat.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/AcademySoftwareFoundation/openexr/pull/843"}, {"source": "secalert@redhat.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00022.html"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-787"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-400"}], "source": "secalert@redhat.com", "type": "Secondary"}]}

{"bugzilla": {"description": "OpenEXR: Out-of-memory in B44Compressor", "id": "1939156", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1939156"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-787", "details": ["A flaw was found in OpenEXR's B44Compressor. This flaw allows an attacker who can submit a crafted file to be processed by OpenEXR, to exhaust all memory accessible to the application. The highest threat from this vulnerability is to system availability.", "A flaw was found in OpenEXR's B44Compressor. This flaw allows an attacker who can submit a crafted file to be processed by OpenEXR, to exhaust all memory accessible to the application. The highest threat from this vulnerability is to system availability."], "name": "CVE-2021-20298", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "OpenEXR", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "OpenEXR", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Will not fix", "package_name": "gimp:flatpak/OpenEXR", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Will not fix", "package_name": "OpenEXR", "product_name": "Red Hat Enterprise Linux 8"}], "public_date": "2021-02-15T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-20298\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-20298"], "threat_severity": "Low", "upstream_fix": "OpenEXR 3.0.0-beta"}