Details of VAR-202004-0473

ID

VAR-202004-0473

CVE

CVE-2020-11763

TITLE

OpenEXR Out-of-bounds read vulnerability in

Trust: 0.8

sources: JVNDB: JVNDB-2020-004073

DESCRIPTION

An issue was discovered in OpenEXR before 2.4.1. There is an std::vector out-of-bounds read and write, as demonstrated by ImfTileOffsets.cpp. Pillow is a Python-based image processing library. There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements. A buffer error vulnerability exists in the ImfTileOffsets.cpp file in LIM OpenEXR versions prior to 2.4.1. This vulnerability stems from the incorrect verification of data boundaries when the network system or product performs operations on the memory, resulting in incorrect read and write operations to other associated memory locations. Attackers can exploit this vulnerability to cause buffer overflow or heap overflow, etc. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 202107-27 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - https://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: OpenEXR: Multiple vulnerabilities Date: July 11, 2021 Bugs: #717474, #746794, #762862, #770229, #776808 ID: 202107-27 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== Multiple vulnerabilities have been found in OpenEXR, the worst of which could result in the arbitrary execution of code. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 media-libs/openexr < 2.5.6 >= 2.5.6 Description =========== Multiple vulnerabilities have been discovered in OpenEXR. Please review the CVE identifiers referenced below for details. Impact ====== Please review the referenced CVE identifiers for details. Workaround ========== There is no known workaround at this time. Resolution ========== All OpenEXR users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=media-libs/openexr-2.5.6" References ========== [ 1 ] CVE-2020-11758 https://nvd.nist.gov/vuln/detail/CVE-2020-11758 [ 2 ] CVE-2020-11759 https://nvd.nist.gov/vuln/detail/CVE-2020-11759 [ 3 ] CVE-2020-11760 https://nvd.nist.gov/vuln/detail/CVE-2020-11760 [ 4 ] CVE-2020-11761 https://nvd.nist.gov/vuln/detail/CVE-2020-11761 [ 5 ] CVE-2020-11762 https://nvd.nist.gov/vuln/detail/CVE-2020-11762 [ 6 ] CVE-2020-11763 https://nvd.nist.gov/vuln/detail/CVE-2020-11763 [ 7 ] CVE-2020-11764 https://nvd.nist.gov/vuln/detail/CVE-2020-11764 [ 8 ] CVE-2020-11765 https://nvd.nist.gov/vuln/detail/CVE-2020-11765 [ 9 ] CVE-2020-15304 https://nvd.nist.gov/vuln/detail/CVE-2020-15304 [ 10 ] CVE-2020-15305 https://nvd.nist.gov/vuln/detail/CVE-2020-15305 [ 11 ] CVE-2020-15306 https://nvd.nist.gov/vuln/detail/CVE-2020-15306 [ 12 ] CVE-2021-20296 https://nvd.nist.gov/vuln/detail/CVE-2021-20296 [ 13 ] CVE-2021-3474 https://nvd.nist.gov/vuln/detail/CVE-2021-3474 [ 14 ] CVE-2021-3475 https://nvd.nist.gov/vuln/detail/CVE-2021-3475 [ 15 ] CVE-2021-3476 https://nvd.nist.gov/vuln/detail/CVE-2021-3476 [ 16 ] CVE-2021-3477 https://nvd.nist.gov/vuln/detail/CVE-2021-3477 [ 17 ] CVE-2021-3478 https://nvd.nist.gov/vuln/detail/CVE-2021-3478 [ 18 ] CVE-2021-3479 https://nvd.nist.gov/vuln/detail/CVE-2021-3479 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/202107-27 Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2021 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. https://creativecommons.org/licenses/by-sa/2.5 . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Moderate: OpenEXR security update Advisory ID: RHSA-2020:4039-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2020:4039 Issue date: 2020-09-29 CVE Names: CVE-2020-11761 CVE-2020-11763 CVE-2020-11764 ==================================================================== 1. Summary: An update for OpenEXR is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Client (v. 7) - x86_64 Red Hat Enterprise Linux Client Optional (v. 7) - x86_64 Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64 Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64 Red Hat Enterprise Linux Server (v. 7) - ppc64, ppc64le, s390x, x86_64 Red Hat Enterprise Linux Server Optional (v. 7) - ppc64, ppc64le, s390x, x86_64 Red Hat Enterprise Linux Workstation (v. 7) - x86_64 Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64 3. Description: OpenEXR is a high dynamic-range (HDR) image file format developed by Industrial Light & Magic for use in computer imaging applications. This package contains libraries and sample applications for handling the format. Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.9 Release Notes linked from the References section. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 5. Package List: Red Hat Enterprise Linux Client (v. 7): Source: OpenEXR-1.7.1-8.el7.src.rpm x86_64: OpenEXR-debuginfo-1.7.1-8.el7.i686.rpm OpenEXR-debuginfo-1.7.1-8.el7.x86_64.rpm OpenEXR-libs-1.7.1-8.el7.i686.rpm OpenEXR-libs-1.7.1-8.el7.x86_64.rpm Red Hat Enterprise Linux Client Optional (v. 7): x86_64: OpenEXR-1.7.1-8.el7.x86_64.rpm OpenEXR-debuginfo-1.7.1-8.el7.i686.rpm OpenEXR-debuginfo-1.7.1-8.el7.x86_64.rpm OpenEXR-devel-1.7.1-8.el7.i686.rpm OpenEXR-devel-1.7.1-8.el7.x86_64.rpm Red Hat Enterprise Linux ComputeNode (v. 7): Source: OpenEXR-1.7.1-8.el7.src.rpm x86_64: OpenEXR-debuginfo-1.7.1-8.el7.i686.rpm OpenEXR-debuginfo-1.7.1-8.el7.x86_64.rpm OpenEXR-libs-1.7.1-8.el7.i686.rpm OpenEXR-libs-1.7.1-8.el7.x86_64.rpm Red Hat Enterprise Linux ComputeNode Optional (v. 7): x86_64: OpenEXR-1.7.1-8.el7.x86_64.rpm OpenEXR-debuginfo-1.7.1-8.el7.i686.rpm OpenEXR-debuginfo-1.7.1-8.el7.x86_64.rpm OpenEXR-devel-1.7.1-8.el7.i686.rpm OpenEXR-devel-1.7.1-8.el7.x86_64.rpm Red Hat Enterprise Linux Server (v. 7): Source: OpenEXR-1.7.1-8.el7.src.rpm ppc64: OpenEXR-debuginfo-1.7.1-8.el7.ppc.rpm OpenEXR-debuginfo-1.7.1-8.el7.ppc64.rpm OpenEXR-libs-1.7.1-8.el7.ppc.rpm OpenEXR-libs-1.7.1-8.el7.ppc64.rpm ppc64le: OpenEXR-debuginfo-1.7.1-8.el7.ppc64le.rpm OpenEXR-libs-1.7.1-8.el7.ppc64le.rpm s390x: OpenEXR-debuginfo-1.7.1-8.el7.s390.rpm OpenEXR-debuginfo-1.7.1-8.el7.s390x.rpm OpenEXR-libs-1.7.1-8.el7.s390.rpm OpenEXR-libs-1.7.1-8.el7.s390x.rpm x86_64: OpenEXR-debuginfo-1.7.1-8.el7.i686.rpm OpenEXR-debuginfo-1.7.1-8.el7.x86_64.rpm OpenEXR-libs-1.7.1-8.el7.i686.rpm OpenEXR-libs-1.7.1-8.el7.x86_64.rpm Red Hat Enterprise Linux Server Optional (v. 7): ppc64: OpenEXR-1.7.1-8.el7.ppc64.rpm OpenEXR-debuginfo-1.7.1-8.el7.ppc.rpm OpenEXR-debuginfo-1.7.1-8.el7.ppc64.rpm OpenEXR-devel-1.7.1-8.el7.ppc.rpm OpenEXR-devel-1.7.1-8.el7.ppc64.rpm ppc64le: OpenEXR-1.7.1-8.el7.ppc64le.rpm OpenEXR-debuginfo-1.7.1-8.el7.ppc64le.rpm OpenEXR-devel-1.7.1-8.el7.ppc64le.rpm s390x: OpenEXR-1.7.1-8.el7.s390x.rpm OpenEXR-debuginfo-1.7.1-8.el7.s390.rpm OpenEXR-debuginfo-1.7.1-8.el7.s390x.rpm OpenEXR-devel-1.7.1-8.el7.s390.rpm OpenEXR-devel-1.7.1-8.el7.s390x.rpm x86_64: OpenEXR-1.7.1-8.el7.x86_64.rpm OpenEXR-debuginfo-1.7.1-8.el7.i686.rpm OpenEXR-debuginfo-1.7.1-8.el7.x86_64.rpm OpenEXR-devel-1.7.1-8.el7.i686.rpm OpenEXR-devel-1.7.1-8.el7.x86_64.rpm Red Hat Enterprise Linux Workstation (v. 7): Source: OpenEXR-1.7.1-8.el7.src.rpm x86_64: OpenEXR-debuginfo-1.7.1-8.el7.i686.rpm OpenEXR-debuginfo-1.7.1-8.el7.x86_64.rpm OpenEXR-libs-1.7.1-8.el7.i686.rpm OpenEXR-libs-1.7.1-8.el7.x86_64.rpm Red Hat Enterprise Linux Workstation Optional (v. 7): x86_64: OpenEXR-1.7.1-8.el7.x86_64.rpm OpenEXR-debuginfo-1.7.1-8.el7.i686.rpm OpenEXR-debuginfo-1.7.1-8.el7.x86_64.rpm OpenEXR-devel-1.7.1-8.el7.i686.rpm OpenEXR-devel-1.7.1-8.el7.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2020-11761 https://access.redhat.com/security/cve/CVE-2020-11763 https://access.redhat.com/security/cve/CVE-2020-11764 https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/7.9_release_notes/index 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2020 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBX3OhUtzjgjWX9erEAQhyFQ/+J5Ul3SoJTvzk/7rqW/WA4GkT5/I6owm1 BnhvO6tELbBul8250MCo/jaUukdjQ3bJ/ZdjmPFrPgNR7UrmIN0LQdAiDlMtnhIF 7Ppw7RDniUBtv3Q2471W4FQxpeXKf+n5sqkq+blxZbeYLXI7Nya/2qKirO0dJ4M1 bAl1exBJ4cSp+kuUOn8oBsGQi6L2oM6ldPf4KklMswOU69qDexywZNtvQVfANmur mNIx/9bmQG+WRlj941A1BFTsAdXsCyTc3qaBecC5iEFxKPkVlpfBhQJ+N6zxdKwj CtVftLiGpcuiWck6THkpPbQg9HWqtJI3tQyW5NUZFHhUnwvOw3SGKgN3ufsnS/tF 9MsnwovV+6kuR/k1UWiDXuSZrdjEIOSz0We8oT5VhOKNkXcE0OY4yxLKpVTlP1HN aM2OGkf3DiUdKEysSQ7yPa2tfimLYQS/XJo6w4FZPKapmOvF926/R7NgIIucvG4J U51DVzqGpkt40pK790wQLrwUZ/E+HYyeZpPJC8QrmJmPNXsXFEm4iYxjCIyaecKf hOlBFwy7mU6fuOLynrrfxeStoS0+zJFfYqdiKOfTpRoLozBqaA8Vt8VasOfOwGeY Ar+nuTxwoQn3KCSGvHk533UkNyqKqpNDIfyqk3M8y8S5HjXvoMx9zxaN0ujT4/pB vySbS8H4PEI=P3yT -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce . For the stable distribution (buster), these problems have been fixed in version 2.2.1-4.1+deb10u1. We recommend that you upgrade your openexr packages. For the detailed security status of openexr please refer to its security tracker page at: https://security-tracker.debian.org/tracker/openexr Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAl9KkM8ACgkQEMKTtsN8 TjYiCxAAqny8A+WbtYBonQ42ciQ2Hc1f90CI6l1Gp/ZK7RARL7+cLOHTh+hEniIG G6cwDGAwAgOtNPer+bT8Mwx6gF8bTii3nF5MMhiN22L7buzHruxsqpC+g94MeZHW vn6GpkTCPSHW5m4+O3pwrYDK3lr5ucNwPVegcXqtJuG0SrhY9VyTrtmzwtoP0YVx ANOpJhCLNEU5vIdEpzIfdjAoM6nsGG/FDN5sP2B9sEB69s7dQXAX5ksuu4Rg71bo W7OjAWB+1MIuFT2blax4Z0qD9Nuiy252AM9MAzMmdBPsFnix0/E2lmyd2OGknUkY l+sq61TR7pA7AVbtLpLBy2fKFS/Jj1KTFI6J+GmZiOBGAzHrWevjyclYBRI0exVg zKnI2IdO9f0qdeTiZhtAcSEV8hb1mSoo0fPRM0ZGxdMV0MTNeOmj+doTTw+SlSJK 3iyKUDgRy60JjQMq8gBaPSRl6tuTjEdFzbJLsFPvZVY5vQsy4KIuh024RrEjri0c R2oLvboIS2xddK+T/9NPc15vruZiUut0j/3EsBqbDn3hBXMpQb0NFv0kuC+uvmwZ UgxRA32shnjcUES8+TBqeB+cvMnukTlOfqQEY2VNhG//45gcQH6rEcf45W07XTGD djd3v06+rkeUhfuZHL9OAOj2BowTrp9CRooWT1dufPPUkL1aoUY= =FDcC -----END PGP SIGNATURE-----

Trust: 2.61

sources: NVD: CVE-2020-11763 // JVNDB: JVNDB-2020-004073 // CNNVD: CNNVD-202104-975 // VULHUB: VHN-164374 // VULMON: CVE-2020-11763 // PACKETSTORM: 163465 // PACKETSTORM: 159359 // PACKETSTORM: 168903

AFFECTED PRODUCTS

vendor:	apple	model:	itunes	scope:	lt	version:	12.10.8	Trust: 1.0
vendor:	debian	model:	linux	scope:	eq	version:	10.0	Trust: 1.0
vendor:	apple	model:	icloud	scope:	lt	version:	7.20	Trust: 1.0
vendor:	apple	model:	tvos	scope:	lt	version:	13.4.8	Trust: 1.0
vendor:	apple	model:	mac os x	scope:	lt	version:	10.15.6	Trust: 1.0
vendor:	canonical	model:	ubuntu linux	scope:	eq	version:	18.04	Trust: 1.0
vendor:	openexr	model:	openexr	scope:	lt	version:	2.4.1	Trust: 1.0
vendor:	apple	model:	iphone os	scope:	lt	version:	13.6	Trust: 1.0
vendor:	apple	model:	mac os x	scope:	lt	version:	10.14.6	Trust: 1.0
vendor:	canonical	model:	ubuntu linux	scope:	eq	version:	16.04	Trust: 1.0
vendor:	apple	model:	ipados	scope:	lt	version:	13.6	Trust: 1.0
vendor:	apple	model:	mac os x	scope:	gte	version:	10.15	Trust: 1.0
vendor:	apple	model:	mac os x	scope:	lt	version:	10.13.6	Trust: 1.0
vendor:	apple	model:	mac os x	scope:	eq	version:	10.14.6	Trust: 1.0
vendor:	apple	model:	mac os x	scope:	gte	version:	10.14.0	Trust: 1.0
vendor:	canonical	model:	ubuntu linux	scope:	eq	version:	20.04	Trust: 1.0
vendor:	apple	model:	mac os x	scope:	eq	version:	10.13.6	Trust: 1.0
vendor:	apple	model:	mac os x	scope:	gte	version:	10.13.0	Trust: 1.0
vendor:	canonical	model:	ubuntu linux	scope:	eq	version:	19.10	Trust: 1.0
vendor:	fedoraproject	model:	fedora	scope:	eq	version:	32	Trust: 1.0
vendor:	apple	model:	icloud	scope:	gte	version:	10.0	Trust: 1.0
vendor:	opensuse	model:	leap	scope:	eq	version:	15.1	Trust: 1.0
vendor:	apple	model:	watchos	scope:	lt	version:	6.2.8	Trust: 1.0
vendor:	apple	model:	icloud	scope:	lt	version:	11.3	Trust: 1.0
vendor:	debian	model:	linux	scope:	eq	version:	9.0	Trust: 1.0
vendor:	openexr	model:	openexr	scope:	eq	version:	2.4.1	Trust: 0.8
vendor:	openexr	model:	openexr	scope:	eq	version:	1.0.4	Trust: 0.1
vendor:	openexr	model:	openexr	scope:	eq	version:	1.0.7	Trust: 0.1
vendor:	openexr	model:	openexr	scope:	eq	version:	1.1.0	Trust: 0.1
vendor:	openexr	model:	openexr	scope:	eq	version:	1.1.1	Trust: 0.1
vendor:	openexr	model:	openexr	scope:	eq	version:	1.2.1	Trust: 0.1
vendor:	openexr	model:	openexr	scope:	eq	version:	1.2.2	Trust: 0.1
vendor:	openexr	model:	openexr	scope:	eq	version:	1.3.0	Trust: 0.1
vendor:	openexr	model:	openexr	scope:	eq	version:	1.3.1	Trust: 0.1
vendor:	openexr	model:	openexr	scope:	eq	version:	1.3.2	Trust: 0.1
vendor:	openexr	model:	openexr	scope:	eq	version:	1.4.0	Trust: 0.1
vendor:	openexr	model:	openexr	scope:	eq	version:	1.7.0	Trust: 0.1
vendor:	openexr	model:	openexr	scope:	eq	version:	1.7.1	Trust: 0.1
vendor:	openexr	model:	openexr	scope:	eq	version:	2.0.0	Trust: 0.1
vendor:	openexr	model:	openexr	scope:	eq	version:	2.0.1	Trust: 0.1
vendor:	openexr	model:	openexr	scope:	eq	version:	2.1.0	Trust: 0.1
vendor:	openexr	model:	openexr	scope:	eq	version:	2.2.0	Trust: 0.1
vendor:	openexr	model:	openexr	scope:	eq	version:	2.2.1	Trust: 0.1
vendor:	openexr	model:	openexr	scope:	eq	version:	2.3.0	Trust: 0.1
vendor:	openexr	model:	openexr	scope:	eq	version:	2.4.0	Trust: 0.1

sources: VULMON: CVE-2020-11763 // JVNDB: JVNDB-2020-004073 // NVD: CVE-2020-11763

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2020-11763
value:	MEDIUM
Trust: 1.0
NVD:	JVNDB-2020-004073
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-202004-959
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-202104-975
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-164374
value:	MEDIUM
Trust: 0.1
VULMON:	CVE-2020-11763
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2020-11763
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:N/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	PARTIAL
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.1
NVD:	JVNDB-2020-004073
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:N/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	PARTIAL
exploitabilityScore:	NONE
impactScore:	NONE
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.8
VULHUB:	VHN-164374
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:N/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	PARTIAL
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2020-11763
baseSeverity:	MEDIUM
baseScore:	5.5
vectorString:	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	HIGH
exploitabilityScore:	1.8
impactScore:	3.6
version:	3.1
Trust: 1.0
NVD:	JVNDB-2020-004073
baseSeverity:	MEDIUM
baseScore:	5.5
vectorString:	CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: VULHUB: VHN-164374 // VULMON: CVE-2020-11763 // JVNDB: JVNDB-2020-004073 // CNNVD: CNNVD-202004-959 // CNNVD: CNNVD-202104-975 // NVD: CVE-2020-11763

PROBLEMTYPE DATA

problemtype:	CWE-125	Trust: 1.9
problemtype:	CWE-787	Trust: 1.9

sources: VULHUB: VHN-164374 // JVNDB: JVNDB-2020-004073 // NVD: CVE-2020-11763

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-202004-959

TYPE

buffer error

Trust: 0.6

sources: CNNVD: CNNVD-202004-959

CONFIGURATIONS

sources: JVNDB: JVNDB-2020-004073

PATCH

title:	OpenEXR Release Notes	url:	https://github.com/AcademySoftwareFoundation/openexr/blob/master/CHANGES.md#version-241-february-11-2020	Trust: 0.8
title:	AcademySoftwareFoundation/openexr	url:	https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v2.4.1	Trust: 0.8
title:	Industrial Light and Magic OpenEXR Buffer error vulnerability fix	url:	http://123.124.177.30/web/xxk/bdxqById.tag?id=116441	Trust: 0.6
title:	Debian CVElist Bug Report Logs: openexr: CVE-2020-11758 CVE-2020-11759 CVE-2020-11760 CVE-2020-11761 CVE-2020-11762 CVE-2020-11763 CVE-2020-11764 CVE-2020-11765	url:	https://vulmon.com/vendoradvisory?qidtp=debian_cvelist_bugreportlogs&qid=c611c9f78ad3458919de1d9728e6b32b	Trust: 0.1
title:	Ubuntu Security Notice: openexr vulnerabilities	url:	https://vulmon.com/vendoradvisory?qidtp=ubuntu_security_notice&qid=USN-4339-1	Trust: 0.1

sources: VULMON: CVE-2020-11763 // JVNDB: JVNDB-2020-004073 // CNNVD: CNNVD-202004-959

EXTERNAL IDS

db:	NVD	id:	CVE-2020-11763	Trust: 2.9
db:	PACKETSTORM	id:	163465	Trust: 0.8
db:	PACKETSTORM	id:	159359	Trust: 0.8
db:	JVNDB	id:	JVNDB-2020-004073	Trust: 0.8
db:	CNNVD	id:	CNNVD-202004-959	Trust: 0.7
db:	AUSCERT	id:	ESB-2020.2985	Trust: 0.6
db:	AUSCERT	id:	ESB-2020.1448	Trust: 0.6
db:	AUSCERT	id:	ESB-2020.1816	Trust: 0.6
db:	AUSCERT	id:	ESB-2020.3401	Trust: 0.6
db:	CS-HELP	id:	SB2021071101	Trust: 0.6
db:	NSFOCUS	id:	50015	Trust: 0.6
db:	CS-HELP	id:	SB2021041363	Trust: 0.6
db:	CNNVD	id:	CNNVD-202104-975	Trust: 0.6
db:	CNVD	id:	CNVD-2020-24156	Trust: 0.1
db:	VULHUB	id:	VHN-164374	Trust: 0.1
db:	VULMON	id:	CVE-2020-11763	Trust: 0.1
db:	PACKETSTORM	id:	168903	Trust: 0.1

sources: VULHUB: VHN-164374 // VULMON: CVE-2020-11763 // JVNDB: JVNDB-2020-004073 // PACKETSTORM: 163465 // PACKETSTORM: 159359 // PACKETSTORM: 168903 // CNNVD: CNNVD-202004-959 // CNNVD: CNNVD-202104-975 // NVD: CVE-2020-11763

REFERENCES

url:	https://usn.ubuntu.com/4339-1/	Trust: 1.9
url:	https://security.gentoo.org/glsa/202107-27	Trust: 1.8
url:	https://bugs.chromium.org/p/project-zero/issues/detail?id=1987	Trust: 1.8
url:	https://github.com/academysoftwarefoundation/openexr/blob/master/changes.md#version-241-february-11-2020	Trust: 1.8
url:	https://github.com/academysoftwarefoundation/openexr/releases/tag/v2.4.1	Trust: 1.8
url:	https://support.apple.com/kb/ht211288	Trust: 1.7
url:	https://support.apple.com/kb/ht211289	Trust: 1.7
url:	https://support.apple.com/kb/ht211290	Trust: 1.7
url:	https://support.apple.com/kb/ht211291	Trust: 1.7
url:	https://support.apple.com/kb/ht211293	Trust: 1.7
url:	https://support.apple.com/kb/ht211294	Trust: 1.7
url:	https://support.apple.com/kb/ht211295	Trust: 1.7
url:	https://www.debian.org/security/2020/dsa-4755	Trust: 1.7
url:	https://lists.debian.org/debian-lts-announce/2020/08/msg00056.html	Trust: 1.7
url:	http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00051.html	Trust: 1.7
url:	https://nvd.nist.gov/vuln/detail/cve-2020-11763	Trust: 1.7
url:	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/f4kfgdqg5pvyau7ts5mz7xcs6empvii3/	Trust: 1.0
url:	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/f4kfgdqg5pvyau7ts5mz7xcs6empvii3/	Trust: 0.8
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-11763	Trust: 0.8
url:	https://www.auscert.org.au/bulletins/esb-2020.2985/	Trust: 0.6
url:	https://support.apple.com/en-us/ht211291	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2020.1448/	Trust: 0.6
url:	http://www.nsfocus.net/vulndb/50015	Trust: 0.6
url:	https://support.apple.com/en-us/ht211295	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2020.1816/	Trust: 0.6
url:	https://packetstormsecurity.com/files/163465/gentoo-linux-security-advisory-202107-27.html	Trust: 0.6
url:	https://packetstormsecurity.com/files/159359/red-hat-security-advisory-2020-4039-01.html	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2020.3401/	Trust: 0.6
url:	https://vigilance.fr/vulnerability/openexr-multiple-vulnerabilities-32108	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2021071101	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2021041363	Trust: 0.6
url:	https://nvd.nist.gov/vuln/detail/cve-2020-11761	Trust: 0.3
url:	https://nvd.nist.gov/vuln/detail/cve-2020-11764	Trust: 0.3
url:	https://nvd.nist.gov/vuln/detail/cve-2020-15305	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2020-11765	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2020-11758	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2020-15306	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2020-11762	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2020-11759	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2020-11760	Trust: 0.2
url:	https://cwe.mitre.org/data/definitions/787.html	Trust: 0.1
url:	https://cwe.mitre.org/data/definitions/125.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1
url:	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=959444	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2021-3476	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2021-3478	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2021-20296	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2021-3479	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-15304	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2021-3474	Trust: 0.1
url:	https://security.gentoo.org/	Trust: 0.1
url:	https://creativecommons.org/licenses/by-sa/2.5	Trust: 0.1
url:	https://bugs.gentoo.org.	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2021-3475	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2021-3477	Trust: 0.1
url:	https://www.redhat.com/mailman/listinfo/rhsa-announce	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2020-11764	Trust: 0.1
url:	https://access.redhat.com/errata/rhsa-2020:4039	Trust: 0.1
url:	https://access.redhat.com/articles/11258	Trust: 0.1
url:	https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/7.9_release_notes/index	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2020-11763	Trust: 0.1
url:	https://bugzilla.redhat.com/):	Trust: 0.1
url:	https://access.redhat.com/security/team/key/	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2020-11761	Trust: 0.1
url:	https://access.redhat.com/security/updates/classification/#moderate	Trust: 0.1
url:	https://access.redhat.com/security/team/contact/	Trust: 0.1
url:	https://security-tracker.debian.org/tracker/openexr	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2017-9115	Trust: 0.1
url:	https://www.debian.org/security/faq	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2017-9113	Trust: 0.1
url:	https://www.debian.org/security/	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2017-9111	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2017-9114	Trust: 0.1

CREDITS

Red Hat

Trust: 0.7

sources: PACKETSTORM: 159359 // CNNVD: CNNVD-202004-959

SOURCES

db:	VULHUB	id:	VHN-164374
db:	VULMON	id:	CVE-2020-11763
db:	JVNDB	id:	JVNDB-2020-004073
db:	PACKETSTORM	id:	163465
db:	PACKETSTORM	id:	159359
db:	PACKETSTORM	id:	168903
db:	CNNVD	id:	CNNVD-202004-959
db:	CNNVD	id:	CNNVD-202104-975
db:	NVD	id:	CVE-2020-11763

LAST UPDATE DATE

2024-11-23T20:20:58.916000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-164374	date:	2023-01-09T00:00:00
db:	VULMON	id:	CVE-2020-11763	date:	2020-09-09T00:00:00
db:	JVNDB	id:	JVNDB-2020-004073	date:	2020-05-07T00:00:00
db:	CNNVD	id:	CNNVD-202004-959	date:	2022-11-17T00:00:00
db:	CNNVD	id:	CNNVD-202104-975	date:	2021-04-14T00:00:00
db:	NVD	id:	CVE-2020-11763	date:	2024-11-21T04:58:33.477

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-164374	date:	2020-04-14T00:00:00
db:	VULMON	id:	CVE-2020-11763	date:	2020-04-14T00:00:00
db:	JVNDB	id:	JVNDB-2020-004073	date:	2020-05-07T00:00:00
db:	PACKETSTORM	id:	163465	date:	2021-07-12T15:22:22
db:	PACKETSTORM	id:	159359	date:	2020-09-30T15:45:11
db:	PACKETSTORM	id:	168903	date:	2020-08-28T19:12:00
db:	CNNVD	id:	CNNVD-202004-959	date:	2020-04-14T00:00:00
db:	CNNVD	id:	CNNVD-202104-975	date:	2021-04-13T00:00:00
db:	NVD	id:	CVE-2020-11763	date:	2020-04-14T23:15:12.433