{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2021-37789", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2024-08-04T01:30:08.584Z", "dateReserved": "2021-08-02T00:00:00", "datePublished": "2022-11-02T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2023-01-31T00:00:00"}, "descriptions": [{"lang": "en", "value": "stb_image.h 2.27 has a heap-based buffer over in stbi__jpeg_load, leading to Information Disclosure or Denial of Service."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/nothings/stb/issues/1178"}, {"name": "[debian-lts-announce] 20230131 [SECURITY] [DLA 3305-1] libstb security update", "tags": ["mailing-list"], "url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00045.html"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T01:30:08.584Z"}, "title": "CVE Program Container", "references": [{"url": "https://github.com/nothings/stb/issues/1178", "tags": ["x_transferred"]}, {"name": "[debian-lts-announce] 20230131 [SECURITY] [DLA 3305-1] libstb security update", "tags": ["mailing-list", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00045.html"}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:stb_project:stb:2.27:*:*:*:*:*:*:*", "matchCriteriaId": "4EE9CD8E-67B3-4D15-A7D3-FD54FEE21B79", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "stb_image.h 2.27 has a heap-based buffer over in stbi__jpeg_load, leading to Information Disclosure or Denial of Service."}, {"lang": "es", "value": "stb_image.h 2.27 tiene un b\u00fafer basado en mont\u00f3n en stbi__jpeg_load, lo que provoca divulgaci\u00f3n de informaci\u00f3n o denegaci\u00f3n de servicio."}], "id": "CVE-2021-37789", "lastModified": "2023-02-28T18:31:34.373", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-11-02T13:15:10.037", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"], "url": "https://github.com/nothings/stb/issues/1178"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00045.html"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-787"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "stb_image: heap-based buffer overflow", "id": "2141433", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2141433"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H", "status": "draft"}, "cwe": "CWE-125", "details": ["stb_image.h 2.27 has a heap-based buffer over in stbi__jpeg_load, leading to Information Disclosure or Denial of Service.", "A flaw was found in stb_image. This issue occurs while processing the frame header information when the plane sampling configurations are calculated in two different ways, generating different results due to integer approximation. The value is further used to access several buffers, leading to a heap based out-of-bound read. This causes a heap data leak or an application crash, resulting in a denial of service."], "name": "CVE-2021-37789", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "clutter", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "cogl", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "compat-cogl114", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Will not fix", "package_name": "cogl", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Will not fix", "package_name": "cogl", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2022-11-09T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-37789\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-37789"], "statement": "Although the NVD CVSSv3.1 scoring point to a 8.1, Red Hat considers the impact to be Moderate as this flaw can not be used to perform arbitrary code execution, needs local access to be exploited, and the amount of leaked information is constrained to a few bytes within the process heap.", "threat_severity": "Moderate"}