QwikSec

Security Database

CVE

CWE

Training

CVE-2022-3597

Published: Oct 21, 2022

Modified: May 7, 2025

PUBLISHED

CVSS v3.1

5.5

MEDIUM

Description

LibTIFF 4.4.0 has an out-of-bounds write in _TIFFmemcpy in libtiff/tif_unix.c:346 when called from extractImageSection, tools/tiffcrop.c:6826, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit 236b7191.

Vendor	Product	Versions
libtiff	libtiff	affected `<=4.4.0`

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

References

https://gitlab.com/libtiff/libtiff/-/commit/236b7191f04c60d09ee836ae13b50f812c841047

https://gitlab.com/libtiff/libtiff/-/issues/413

https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-3597.json

https://security.netapp.com/advisory/ntap-20230110-0001/

[debian-lts-announce] 20230120 [SECURITY] [DLA 3278-1] tiff security update

mailing-list

vendor-advisory

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.