{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2024-48424", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2024-10-28T17:54:22.076Z", "dateReserved": "2024-10-08T00:00:00", "datePublished": "2024-10-24T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-10-24T20:56:27.505532"}, "descriptions": [{"lang": "en", "value": "A heap-buffer-overflow vulnerability has been identified in the OpenDDLParser::parseStructure function within the Assimp library, specifically during the processing of OpenGEX files."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/assimp/assimp/issues/5787"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-120", "lang": "en", "description": "CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')"}]}], "affected": [{"vendor": "assimp", "product": "assimp", "cpes": ["cpe:2.3:a:assimp:assimp:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "5.4.3", "versionType": "custom"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2024-10-28T17:49:53.415993Z", "id": "CVE-2024-48424", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-28T17:54:22.076Z"}}]}, "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2024-48424", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-10-28T17:49:53.415993Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:assimp:assimp:*:*:*:*:*:*:*:*"], "vendor": "assimp", "product": "assimp", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "5.4.3"}], "defaultStatus": "unknown"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-120", "description": "CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-28T17:54:16.231Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://github.com/assimp/assimp/issues/5787"}], "descriptions": [{"lang": "en", "value": "A heap-buffer-overflow vulnerability has been identified in the OpenDDLParser::parseStructure function within the Assimp library, specifically during the processing of OpenGEX files."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-10-24T20:56:27.505532"}}}, "cveMetadata": {"cveId": "CVE-2024-48424", "state": "PUBLISHED", "dateUpdated": "2024-10-28T17:54:22.076Z", "dateReserved": "2024-10-08T00:00:00", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2024-10-24T00:00:00", "assignerShortName": "mitre"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A heap-buffer-overflow vulnerability has been identified in the OpenDDLParser::parseStructure function within the Assimp library, specifically during the processing of OpenGEX files."}, {"lang": "es", "value": "Se ha identificado una vulnerabilidad de desbordamiento de b\u00fafer de mont\u00f3n en la funci\u00f3n OpenDDLParser::parseStructure dentro de la librer\u00eda Assimp, espec\u00edficamente durante el procesamiento de archivos OpenGEX."}], "id": "CVE-2024-48424", "lastModified": "2024-10-28T18:35:03.257", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2024-10-24T21:15:14.223", "references": [{"source": "cve@mitre.org", "url": "https://github.com/assimp/assimp/issues/5787"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-120"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"bugzilla": {"description": "assimp: heap-buffer-overflow in OpenDDLParser::parseStructure", "id": "2321628", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2321628"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-122", "details": ["A heap-buffer-overflow vulnerability has been identified in the OpenDDLParser::parseStructure function within the Assimp library, specifically during the processing of OpenGEX files.", "A flaw was found in the Assimp asset import library. An attacker my be able to trigger a buffer overflow condition via specially-crafted OpenGEX files. This may lead to a denial of service or other unexpected behavior."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-48424", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "qt5-qt3d", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-10-24T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-48424\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-48424\nhttps://github.com/assimp/assimp/issues/5787"], "statement": "The heap-buffer-overflow vulnerability in the Assimp library is classified as moderate because, while it can cause memory corruption or application crashes, it does not inherently lead to arbitrary code execution or privilege escalation. Exploitation requires a crafted OpenGEX file, limiting the attack surface to scenarios where untrusted files are processed by the affected function.\nIt's important to note that this vulnerability does not impact any Red Hat products, indicating that Red Hat's software stack is unaffected by this specific CVE.", "threat_severity": "Moderate"}