CVE-2022-1441

Exploit

EPSS 0.14%
Published 25.04.2022 17:15:36
Last modified 21.11.2024 06:40:44
Source secalert@redhat.com
Teams watchlist Login
Open Login

MP4Box is a component of GPAC-2.0.0, which is a widely-used third-party package on RPM Fusion. When MP4Box tries to parse a MP4 file, it calls the function `diST_box_read()` to read from video. In this function, it allocates a buffer `str` with fixed length. However, content read from `bs` is controllable by user, so is the length, which causes a buffer overflow.

Affected products Warnungen 0 Metrics 3 CWE 2 References 6

Data is provided by the National Vulnerability Database (NVD)

Gpac ≫ Gpac Version2.0.0

Debian ≫ Debian Linux Version11.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.14%	0.342

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	7.8	1.8	5.9	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd@nist.gov	6.8	8.6	6.4	AV:N/AC:M/Au:N/C:P/I:P/A:P

CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.

CWE-125 Out-of-bounds Read

The product reads data past the end, or before the beginning, of the intended buffer.

https://www.debian.org/security/2023/dsa-5411

Third Party Advisory

https://github.com/gpac/gpac/commit/3dbe11b37d65c8472faf0654410068e5500b3adb

Patch

Third Party Advisory

https://github.com/gpac/gpac/issues/2175

Third Party Advisory

Exploit

Issue Tracking

https://nvd.nist.gov/vuln/detail/CVE-2022-1441

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-1441

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-1441

EUVD