ID

VAR-202205-0743


CVE

CVE-2022-1622


TITLE

LibTIFF  Out-of-bounds read vulnerability in

Trust: 0.8

sources: JVNDB: JVNDB-2022-011453

DESCRIPTION

LibTIFF master branch has an out-of-bounds read in LZWDecode in libtiff/tif_lzw.c:619, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit b4e79bfa. LibTIFF Exists in an out-of-bounds read vulnerability.Service operation interruption (DoS) It may be in a state. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 202210-10 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - https://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Low Title: LibTIFF: Multiple Vulnerabilities Date: October 31, 2022 Bugs: #830981, #837560 ID: 202210-10 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== Multiple vulnerabilities have been found in LibTIFF, the worst of which could result in denial of service. Background ========== LibTIFF provides support for reading and manipulating TIFF (Tagged Image File Format) images. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 media-libs/tiff < 4.4.0 >= 4.4.0 Description =========== Multiple vulnerabilities have been discovered in LibTIFF. Please review the CVE identifiers referenced below for details. Impact ====== Please review the referenced CVE identifiers for details. Workaround ========== There is no known workaround at this time. Resolution ========== All LibTIFF users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=media-libs/tiff-4.4.0" References ========== [ 1 ] CVE-2022-0561 https://nvd.nist.gov/vuln/detail/CVE-2022-0561 [ 2 ] CVE-2022-0562 https://nvd.nist.gov/vuln/detail/CVE-2022-0562 [ 3 ] CVE-2022-0865 https://nvd.nist.gov/vuln/detail/CVE-2022-0865 [ 4 ] CVE-2022-0891 https://nvd.nist.gov/vuln/detail/CVE-2022-0891 [ 5 ] CVE-2022-0907 https://nvd.nist.gov/vuln/detail/CVE-2022-0907 [ 6 ] CVE-2022-0908 https://nvd.nist.gov/vuln/detail/CVE-2022-0908 [ 7 ] CVE-2022-0909 https://nvd.nist.gov/vuln/detail/CVE-2022-0909 [ 8 ] CVE-2022-0924 https://nvd.nist.gov/vuln/detail/CVE-2022-0924 [ 9 ] CVE-2022-1056 https://nvd.nist.gov/vuln/detail/CVE-2022-1056 [ 10 ] CVE-2022-1210 https://nvd.nist.gov/vuln/detail/CVE-2022-1210 [ 11 ] CVE-2022-1354 https://nvd.nist.gov/vuln/detail/CVE-2022-1354 [ 12 ] CVE-2022-1355 https://nvd.nist.gov/vuln/detail/CVE-2022-1355 [ 13 ] CVE-2022-1622 https://nvd.nist.gov/vuln/detail/CVE-2022-1622 [ 14 ] CVE-2022-1623 https://nvd.nist.gov/vuln/detail/CVE-2022-1623 [ 15 ] CVE-2022-22844 https://nvd.nist.gov/vuln/detail/CVE-2022-22844 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/202210-10 Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2022 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. https://creativecommons.org/licenses/by-sa/2.5 . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 APPLE-SA-2022-10-27-3 Additional information for APPLE-SA-2022-09-12-1 iOS 16 iOS 16 addresses the following issues. Information about the security content is also available at https://support.apple.com/HT213446. Accelerate Framework Available for: iPhone 8 and later Impact: Processing a maliciously crafted image may lead to arbitrary code execution Description: A memory consumption issue was addressed with improved memory handling. CVE-2022-42795: ryuzaki Entry added October 27, 2022 AppleAVD Available for: iPhone 8 and later Impact: An app may be able to cause a denial-of-service Description: A memory corruption issue was addressed with improved state management. CVE-2022-32827: Antonio Zekic (@antoniozekic), Natalie Silvanovich of Google Project Zero, and an anonymous researcher Entry added October 27, 2022 AppleAVD Available for: iPhone 8 and later Impact: An app may be able to execute arbitrary code with kernel privileges Description: This issue was addressed with improved checks. CVE-2022-32907: Natalie Silvanovich of Google Project Zero, Antonio Zekic (@antoniozekic) and John Aakerblom (@jaakerblom), ABC Research s.r.o, Yinyi Wu, Tommaso Bianco (@cutesmilee__) Entry added October 27, 2022 Apple Neural Engine Available for: iPhone 8 and later Impact: An app may be able to leak sensitive kernel state Description: The issue was addressed with improved memory handling. CVE-2022-32858: Mohamed Ghannam (@_simo36) Entry added October 27, 2022 Apple Neural Engine Available for: iPhone 8 and later Impact: An app may be able to execute arbitrary code with kernel privileges Description: The issue was addressed with improved memory handling. CVE-2022-32898: Mohamed Ghannam (@_simo36) CVE-2022-32899: Mohamed Ghannam (@_simo36) CVE-2022-32889: Mohamed Ghannam (@_simo36) Entry added October 27, 2022 Apple TV Available for: iPhone 8 and later Impact: An app may be able to access user-sensitive data Description: The issue was addressed with improved handling of caches. CVE-2022-32909: Csaba Fitzl (@theevilbit) of Offensive Security Entry added October 27, 2022 Contacts Available for: iPhone 8 and later Impact: An app may be able to bypass Privacy preferences Description: This issue was addressed with improved checks. CVE-2022-32854: Holger Fuhrmannek of Deutsche Telekom Security Crash Reporter Available for: iPhone 8 and later Impact: A user with physical access to an iOS device may be able to read past diagnostic logs Description: This issue was addressed with improved data protection. CVE-2022-32867: Kshitij Kumar and Jai Musunuri of Crowdstrike Entry added October 27, 2022 DriverKit Available for: iPhone 8 and later Impact: An app may be able to execute arbitrary code with kernel privileges Description: The issue was addressed with improved memory handling. CVE-2022-32865: Linus Henze of Pinauten GmbH (pinauten.de) Entry added October 27, 2022 Exchange Available for: iPhone 8 and later Impact: A user in a privileged network position may be able to intercept mail credentials Description: A logic issue was addressed with improved restrictions. CVE-2022-32928: an anonymous researcher Entry added October 27, 2022 GPU Drivers Available for: iPhone 8 and later Impact: An application may be able to execute arbitrary code with kernel privileges Description: A memory corruption issue was addressed with improved state management. CVE-2022-26744: an anonymous researcher Entry added October 27, 2022 GPU Drivers Available for: iPhone 8 and later Impact: An app may be able to execute arbitrary code with kernel privileges Description: A use after free issue was addressed with improved memory management. CVE-2022-32903: an anonymous researcher Entry added October 27, 2022 ImageIO Available for: iPhone 8 and later Impact: Processing an image may lead to a denial-of-service Description: A denial-of-service issue was addressed with improved validation. CVE-2022-1622 Entry added October 27, 2022 Image Processing Available for: iPhone 8 and later Impact: A sandboxed app may be able to determine which app is currently using the camera Description: The issue was addressed with additional restrictions on the observability of app states. CVE-2022-32913: Yiğit Can YILMAZ (@yilmazcanyigit) Entry added October 27, 2022 IOGPUFamily Available for: iPhone 8 and later Impact: An app may be able to execute arbitrary code with kernel privileges Description: The issue was addressed with improved memory handling. CVE-2022-32887: an anonymous researcher Entry added October 27, 2022 Kernel Available for: iPhone 8 and later Impact: An app may be able to execute arbitrary code with kernel privileges Description: A use after free issue was addressed with improved memory management. CVE-2022-32914: Zweig of Kunlun Lab Entry added October 27, 2022 Kernel Available for: iPhone 8 and later Impact: An app may be able to execute arbitrary code with kernel privileges Description: The issue was addressed with improved memory handling. CVE-2022-32866: Linus Henze of Pinauten GmbH (pinauten.de) CVE-2022-32911: Zweig of Kunlun Lab Entry updated October 27, 2022 Kernel Available for: iPhone 8 and later Impact: An app may be able to disclose kernel memory Description: The issue was addressed with improved memory handling. CVE-2022-32864: Linus Henze of Pinauten GmbH (pinauten.de) Kernel Available for: iPhone 8 and later Impact: An application may be able to execute arbitrary code with kernel privileges. Description: The issue was addressed with improved bounds checks. CVE-2022-32917: an anonymous researcher Maps Available for: iPhone 8 and later Impact: An app may be able to read sensitive location information Description: A logic issue was addressed with improved restrictions. CVE-2022-32883: Ron Masas, breakpointhq.com MediaLibrary Available for: iPhone 8 and later Impact: A user may be able to elevate privileges Description: A memory corruption issue was addressed with improved input validation. CVE-2022-32908: an anonymous researcher Notifications Available for: iPhone 8 and later Impact: A user with physical access to a device may be able to access contacts from the lock screen Description: A logic issue was addressed with improved state management. CVE-2022-32879: Ubeydullah Sümer Entry added October 27, 2022 Photos Available for: iPhone 8 and later Impact: An app may be able to bypass Privacy preferences Description: This issue was addressed with improved data protection. CVE-2022-32918: an anonymous researcher, Jugal Goradia of Aastha Technologies, Srijan Shivam Mishra of The Hack Report, Evan Ricafort (evanricafort.com) of Invalid Web Security, Amod Raghunath Patwardhan of Pune, India, Ashwani Rajput of Nagarro Software Pvt. Ltd Entry added October 27, 2022 Safari Available for: iPhone 8 and later Impact: Visiting a malicious website may lead to address bar spoofing Description: This issue was addressed with improved checks. CVE-2022-32795: Narendra Bhati of Suma Soft Pvt. Ltd. Pune (India) @imnarendrabhati Safari Extensions Available for: iPhone 8 and later Impact: A website may be able to track users through Safari web extensions Description: A logic issue was addressed with improved state management. WebKit Bugzilla: 242278 CVE-2022-32868: Michael Sandbox Available for: iPhone 8 and later Impact: An app may be able to modify protected parts of the file system Description: A logic issue was addressed with improved restrictions. CVE-2022-32881: Csaba Fitzl (@theevilbit) of Offensive Security Entry added October 27, 2022 Security Available for: iPhone 8 and later Impact: An app may be able to bypass code signing checks Description: An issue in code signature validation was addressed with improved checks. CVE-2022-42793: Linus Henze of Pinauten GmbH (pinauten.de) Entry added October 27, 2022 Shortcuts Available for: iPhone 8 and later Impact: A person with physical access to an iOS device may be able to access photos from the lock screen Description: A logic issue was addressed with improved restrictions. CVE-2022-32872: Elite Tech Guru Sidecar Available for: iPhone 8 and later Impact: A user may be able to view restricted content from the lock screen Description: A logic issue was addressed with improved state management. CVE-2022-42790: Om kothawade of Zaprico Digital Entry added October 27, 2022 Siri Available for: iPhone 8 and later Impact: A user with physical access to a device may be able to use Siri to obtain some call history information Description: A logic issue was addressed with improved state management. CVE-2022-32870: Andrew Goldberg of The McCombs School of Business, The University of Texas at Austin (linkedin.com/andrew-goldberg-/) Entry added October 27, 2022 SQLite Available for: iPhone 8 and later Impact: A remote user may be able to cause a denial-of-service Description: This issue was addressed with improved checks. CVE-2021-36690 Entry added October 27, 2022 Time Zone Available for: iPhone 8 and later Impact: Deleted contacts may still appear in spotlight search results Description: A logic issue was addressed with improved state management. CVE-2022-32859 Entry added October 27, 2022 Watch app Available for: iPhone 8 and later Impact: An app may be able to read a persistent device identifier Description: This issue was addressed with improved entitlements. CVE-2022-32835: Guilherme Rambo of Best Buddy Apps (rambo.codes) Entry added October 27, 2022 Weather Available for: iPhone 8 and later Impact: An app may be able to read sensitive location information Description: A logic issue was addressed with improved state management. CVE-2022-32875: an anonymous researcher Entry added October 27, 2022 WebKit Available for: iPhone 8 and later Impact: Processing maliciously crafted web content may lead to arbitrary code execution Description: An out-of-bounds write issue was addressed with improved bounds checking. WebKit Bugzilla: 242047 CVE-2022-32888: P1umer (@p1umer) Entry added October 27, 2022 WebKit Available for: iPhone 8 and later Impact: Visiting a website that frames malicious content may lead to UI spoofing Description: The issue was addressed with improved UI handling. WebKit Bugzilla: 243236 CVE-2022-32891: @real_as3617, and an anonymous researcher Entry added October 27, 2022 WebKit Available for: iPhone 8 and later Impact: Processing maliciously crafted web content may lead to arbitrary code execution Description: A buffer overflow issue was addressed with improved memory handling. WebKit Bugzilla: 241969 CVE-2022-32886: P1umer, afang5472, xmzyshypnc WebKit Available for: iPhone 8 and later Impact: Processing maliciously crafted web content may lead to arbitrary code execution Description: An out-of-bounds read was addressed with improved bounds checking. WebKit Bugzilla: 242762 CVE-2022-32912: Jeonghoon Shin (@singi21a) at Theori working with Trend Micro Zero Day Initiative WebKit Sandboxing Available for: iPhone 8 and later Impact: A sandboxed process may be able to circumvent sandbox restrictions Description: An access issue was addressed with improvements to the sandbox. WebKit Bugzilla: 243181 CVE-2022-32892: @18楼梦想改造家 and @jq0904 of DBAppSecurity's WeBin lab Entry added October 27, 2022 Wi-Fi Available for: iPhone 8 and later Impact: An app may be able to cause unexpected system termination or write kernel memory Description: An out-of-bounds write issue was addressed with improved bounds checking. CVE-2022-32925: Wang Yu of Cyberserval Entry added October 27, 2022 Additional recognition AirDrop We would like to acknowledge Alexander Heinrich, Milan Stute, and Christian Weinert of Technical University of Darmstadt for their assistance. Entry added October 27, 2022 AppleCredentialManager We would like to acknowledge @jonathandata1 for their assistance. Entry added October 27, 2022 Calendar UI We would like to acknowledge Abhay Kailasia (@abhay_kailasia) of Lakshmi Narain College Of Technology Bhopal for their assistance. Entry added October 27, 2022 FaceTime We would like to acknowledge an anonymous researcher for their assistance. Entry added October 27, 2022 Find My We would like to acknowledge an anonymous researcher for their assistance. Entry added October 27, 2022 Game Center We would like to acknowledge Joshua Jones for their assistance. iCloud We would like to acknowledge Bülent Aytulun, and an anonymous researcher for their assistance. Entry added October 27, 2022 Identity Services We would like to acknowledge Joshua Jones for their assistance. Kernel We would like to acknowledge Pan ZhenPeng(@Peterpan0927), Tingting Yin of Tsinghua University, and Min Zheng of Ant Group, and an anonymous researcher for their assistance. Entry added October 27, 2022 Mail We would like to acknowledge an anonymous researcher for their assistance. Entry added October 27, 2022 Notes We would like to acknowledge Edward Riley of Iron Cloud Limited (ironclouduk.com) for their assistance. Entry added October 27, 2022 Photo Booth We would like to acknowledge Prashanth Kannan of Dremio for their assistance. Entry added October 27, 2022 Sandbox We would like to acknowledge Csaba Fitzl (@theevilbit) of Offensive Security for their assistance. Entry added October 27, 2022 Shortcuts We would like to acknowledge Shay Dror for their assistance. Entry added October 27, 2022 SOS We would like to acknowledge Xianfeng Lu and Lei Ai of OPPO Amber Security Lab for their assistance. Entry added October 27, 2022 UIKit We would like to acknowledge Aleczander Ewing, Simon de Vegt, and an anonymous researcher for their assistance. Entry added October 27, 2022 WebKit We would like to acknowledge an anonymous researcher for their assistance. Entry added October 27, 2022 WebRTC We would like to acknowledge an anonymous researcher for their assistance. Entry added October 27, 2022 This update is available through iTunes and Software Update on your iOS device, and will not appear in your computer's Software Update application, or in the Apple Downloads site. Make sure you have an Internet connection and have installed the latest version of iTunes from https://www.apple.com/itunes/ iTunes and Software Update on the device will automatically check Apple's update server on its weekly schedule. When an update is detected, it is downloaded and the option to be installed is presented to the user when the iOS device is docked. We recommend applying the update immediately if possible. Selecting Don't Install will present the option the next time you connect your iOS device. The automatic update process may take up to a week depending on the day that iTunes or the device checks for updates. You may manually obtain the update via the Check for Updates button within iTunes, or the Software Update on your device. To check that the iPhone, iPod touch, or iPad has been updated: * Navigate to Settings * Select General * Select About. The version after applying this update will be "iOS 16". All information is also posted on the Apple Security Updates web site: https://support.apple.com/en-us/HT201222. This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmNbKpoACgkQ4RjMIDke NxkQ8w/9FMTP02t/AKe0nXZ44UhfMLy7Sx88gpWRHaWKZtdjPADC2kxx1RbVSvrC C5nB6bw2zGppE1V284QitcNG9WrGGTINK6Knshv0PCkWLZnh1sYqX2bYbKmY6Ol7 K+lRk6zicF3k7KcCZRly6UuJ8RvfPpa2wKuVVv5FBPM8bPRuovVRiRxGUWuO7emM ZXyp4n5u+GldW8n8hRK/jxwGGwrKqFmXL9Ecd79I2/4uYmEx6tmoAYuEZs26BfjK Etd1F54PlewmyUKvVlWiwLhpVgygRqkmvW+jKwX46gBzwHFK88B9IV6wf8ZD5JaU Ur+nqEjiqmbYdcfV8pu64eRNnlTiCmD/ehJg8sNG38m9SeqOw3ZNVaQ8+sgoXwsp rpsPDPsXmPqqadxERe7LwLXSm4KtTARdGbEffHAA5eqc+U0ja2u3piqk8ZKTrC6K tORrDjSkKx9AILbds99Wzbnb1rfF/09N1+LPQT7Ac8PCA/kE+XQ+nmSDoInh8PTU rFt3ZW9Ud0q6Y2Ix11WYrb6wOqs/vafaW5zXTnNfgKNvw2zO/9yKYhaqIjlGtLSJ Og/O1sdcPMPisBGQynF7Dj42riQD5RQGbB/GmfgRqUHFXwcWJxFRblkwUxbjuEaR nYRj90cDbUE2wmsE4y4uFfCVpKTQCQCKXuSuBkOQje0KjTDHWac= =I+iq -----END PGP SIGNATURE----- . CVE-2022-42789: Koh M. Nakagawa of FFRI Security, Inc. Apple is aware of a report that this issue may have been actively exploited. Apple is aware of a report that this issue may have been actively exploited. Instructions on how to update your Apple Watch software are available at https://support.apple.com/kb/HT204641 To check the version on your Apple Watch, open the Apple Watch app on your iPhone and select "My Watch > General > About". Alternatively, on your watch, select "My Watch > General > About". -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 - ------------------------------------------------------------------------- Debian Security Advisory DSA-5333-1 security@debian.org https://www.debian.org/security/ Aron Xu January 29, 2023 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : tiff CVE ID : CVE-2022-1354 CVE-2022-1355 CVE-2022-1622 CVE-2022-1623 CVE-2022-2056 CVE-2022-2057 CVE-2022-2058 CVE-2022-2519 CVE-2022-2520 CVE-2022-2521 CVE-2022-2867 CVE-2022-2868 CVE-2022-2869 CVE-2022-2953 CVE-2022-3570 CVE-2022-3597 CVE-2022-3599 CVE-2022-3627 CVE-2022-3636 CVE-2022-34526 CVE-2022-48281 Debian Bug : 1011160 1014494 1022555 1024737 1029653 Several buffer overflow, divide by zero or out of bounds read/write vulnerabilities were discovered in tiff, the Tag Image File Format (TIFF) library and tools, which may cause denial of service when processing a crafted TIFF image. For the stable distribution (bullseye), these problems have been fixed in version 4.2.0-1+deb11u3. We recommend that you upgrade your tiff packages

Trust: 2.43

sources: NVD: CVE-2022-1622 // JVNDB: JVNDB-2022-011453 // VULHUB: VHN-419735 // VULMON: CVE-2022-1622 // PACKETSTORM: 169563 // PACKETSTORM: 169559 // PACKETSTORM: 169585 // PACKETSTORM: 169576 // PACKETSTORM: 169598 // PACKETSTORM: 169589 // PACKETSTORM: 170783

AFFECTED PRODUCTS

vendor:applemodel:macosscope:gteversion:12.0

Trust: 1.0

vendor:applemodel:macosscope:ltversion:12.6

Trust: 1.0

vendor:fedoraprojectmodel:fedorascope:eqversion:36

Trust: 1.0

vendor:applemodel:tvosscope:ltversion:16.0

Trust: 1.0

vendor:applemodel:iphone osscope:ltversion:16.0

Trust: 1.0

vendor:fedoraprojectmodel:fedorascope:eqversion:35

Trust: 1.0

vendor:applemodel:watchosscope:ltversion:9.0

Trust: 1.0

vendor:applemodel:macosscope:gteversion:11.0

Trust: 1.0

vendor:libtiffmodel:libtiffscope:eqversion:4.3.0

Trust: 1.0

vendor:applemodel:macosscope:ltversion:11.7

Trust: 1.0

vendor:netappmodel:ontap select deploy administration utilityscope:eqversion: -

Trust: 1.0

vendor:アップルmodel:iosscope: - version: -

Trust: 0.8

vendor:アップルmodel:watchosscope: - version: -

Trust: 0.8

vendor:netappmodel:ontap select deploy administration utilityscope: - version: -

Trust: 0.8

vendor:アップルmodel:tvosscope: - version: -

Trust: 0.8

vendor:libtiffmodel:libtiffscope: - version: -

Trust: 0.8

vendor:アップルmodel:macosscope: - version: -

Trust: 0.8

vendor:fedoramodel:fedorascope: - version: -

Trust: 0.8

sources: JVNDB: JVNDB-2022-011453 // NVD: CVE-2022-1622

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2022-1622
value: MEDIUM

Trust: 1.0

cve@gitlab.com: CVE-2022-1622
value: MEDIUM

Trust: 1.0

NVD: CVE-2022-1622
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-202205-2732
value: MEDIUM

Trust: 0.6

VULHUB: VHN-419735
value: MEDIUM

Trust: 0.1

VULMON: CVE-2022-1622
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2022-1622
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:N/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

VULHUB: VHN-419735
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:N/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2022-1622
baseSeverity: MEDIUM
baseScore: 5.5
vectorString: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 3.6
version: 3.1

Trust: 2.0

OTHER: JVNDB-2022-011453
baseSeverity: MEDIUM
baseScore: 5.5
vectorString: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-419735 // VULMON: CVE-2022-1622 // JVNDB: JVNDB-2022-011453 // CNNVD: CNNVD-202205-2732 // NVD: CVE-2022-1622 // NVD: CVE-2022-1622

PROBLEMTYPE DATA

problemtype:CWE-125

Trust: 1.1

problemtype:Out-of-bounds read (CWE-125) [NVD evaluation ]

Trust: 0.8

sources: VULHUB: VHN-419735 // JVNDB: JVNDB-2022-011453 // NVD: CVE-2022-1622

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-202205-2732

TYPE

buffer error

Trust: 0.6

sources: CNNVD: CNNVD-202205-2732

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-419735

PATCH

title:HT213488url:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/C7IWZTB4J2N4F5OR5QY4VHDSKWKZSWN3/

Trust: 0.8

title:Amazon Linux 2022: ALAS2022-2022-094url:https://vulmon.com/vendoradvisory?qidtp=amazon_linux2022&qid=ALAS2022-2022-094

Trust: 0.1

title:Debian Security Advisories: DSA-5333-1 tiff -- security updateurl:https://vulmon.com/vendoradvisory?qidtp=debian_security_advisories&qid=c77904c23e5b132ffe7c410eba93e432

Trust: 0.1

title:Amazon Linux 2022: ALAS2022-2022-183url:https://vulmon.com/vendoradvisory?qidtp=amazon_linux2022&qid=ALAS2022-2022-183

Trust: 0.1

sources: VULMON: CVE-2022-1622 // JVNDB: JVNDB-2022-011453

EXTERNAL IDS

db:NVDid:CVE-2022-1622

Trust: 4.1

db:PACKETSTORMid:169598

Trust: 0.8

db:JVNDBid:JVNDB-2022-011453

Trust: 0.8

db:PACKETSTORMid:170783

Trust: 0.7

db:CS-HELPid:SB2022060633

Trust: 0.6

db:AUSCERTid:ESB-2022.5473

Trust: 0.6

db:AUSCERTid:ESB-2022.5300

Trust: 0.6

db:AUSCERTid:ESB-2022.5462

Trust: 0.6

db:CNNVDid:CNNVD-202205-2732

Trust: 0.6

db:PACKETSTORMid:169589

Trust: 0.2

db:PACKETSTORMid:169563

Trust: 0.2

db:PACKETSTORMid:169576

Trust: 0.2

db:PACKETSTORMid:169559

Trust: 0.2

db:PACKETSTORMid:169585

Trust: 0.2

db:VULHUBid:VHN-419735

Trust: 0.1

db:VULMONid:CVE-2022-1622

Trust: 0.1

sources: VULHUB: VHN-419735 // VULMON: CVE-2022-1622 // JVNDB: JVNDB-2022-011453 // PACKETSTORM: 169563 // PACKETSTORM: 169559 // PACKETSTORM: 169585 // PACKETSTORM: 169576 // PACKETSTORM: 169598 // PACKETSTORM: 169589 // PACKETSTORM: 170783 // CNNVD: CNNVD-202205-2732 // NVD: CVE-2022-1622

REFERENCES

url:https://gitlab.com/gitlab-org/cves/-/blob/master/2022/cve-2022-1622.json

Trust: 2.6

url:http://seclists.org/fulldisclosure/2022/oct/41

Trust: 1.8

url:https://gitlab.com/libtiff/libtiff/-/commit/b4e79bfa0c7d2d08f6f1e7ec38143fc8cb11394a

Trust: 1.8

url:https://gitlab.com/libtiff/libtiff/-/issues/410

Trust: 1.8

url:https://security.netapp.com/advisory/ntap-20220616-0005/

Trust: 1.8

url:https://support.apple.com/kb/ht213443

Trust: 1.8

url:https://support.apple.com/kb/ht213444

Trust: 1.8

url:https://support.apple.com/kb/ht213446

Trust: 1.8

url:https://support.apple.com/kb/ht213486

Trust: 1.8

url:https://support.apple.com/kb/ht213487

Trust: 1.8

url:https://support.apple.com/kb/ht213488

Trust: 1.8

url:https://nvd.nist.gov/vuln/detail/cve-2022-1622

Trust: 1.5

url:http://seclists.org/fulldisclosure/2022/oct/28

Trust: 1.1

url:http://seclists.org/fulldisclosure/2022/oct/39

Trust: 1.1

url:https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/c7iwztb4j2n4f5or5qy4vhdskwkzswn3/

Trust: 1.1

url:https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/uxafop6qqrnzd3hpz6bmcezzom4yizmk/

Trust: 1.1

url:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/uxafop6qqrnzd3hpz6bmcezzom4yizmk/

Trust: 0.7

url:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/c7iwztb4j2n4f5or5qy4vhdskwkzswn3/

Trust: 0.7

url:https://packetstormsecurity.com/files/170783/debian-security-advisory-5333-1.html

Trust: 0.6

url:https://vigilance.fr/vulnerability/libtiff-out-of-bounds-memory-reading-via-lzwdecode-38292

Trust: 0.6

url:https://packetstormsecurity.com/files/169598/apple-security-advisory-2022-10-27-13.html

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2022.5462

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2022.5473

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2022.5300

Trust: 0.6

url:https://cxsecurity.com/cveshow/cve-2022-1622/

Trust: 0.6

url:https://support.apple.com/en-us/ht213488

Trust: 0.6

url:https://www.cybersecurity-help.cz/vdb/sb2022060633

Trust: 0.6

url:https://access.redhat.com/security/cve/cve-2022-1622

Trust: 0.6

url:https://www.apple.com/support/security/pgp/

Trust: 0.5

url:https://support.apple.com/en-us/ht201222.

Trust: 0.5

url:https://nvd.nist.gov/vuln/detail/cve-2022-32866

Trust: 0.4

url:https://nvd.nist.gov/vuln/detail/cve-2022-32864

Trust: 0.4

url:https://nvd.nist.gov/vuln/detail/cve-2021-36690

Trust: 0.3

url:https://nvd.nist.gov/vuln/detail/cve-2022-32854

Trust: 0.3

url:https://nvd.nist.gov/vuln/detail/cve-2022-32881

Trust: 0.3

url:https://nvd.nist.gov/vuln/detail/cve-2022-1355

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2022-1623

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2022-1354

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2022-32858

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2022-32835

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2022-32875

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2022-1720

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2022-2042

Trust: 0.2

url:https://support.apple.com/downloads/

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2022-2124

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2021-39537

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2022-2000

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2022-32888

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2022-32879

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2022-32886

Trust: 0.2

url:https://cwe.mitre.org/data/definitions/125.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:https://alas.aws.amazon.com/al2022/alas-2022-094.html

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-1056

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-1210

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-0908

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-0907

Trust: 0.1

url:https://security.gentoo.org/

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-22844

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-0562

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-0909

Trust: 0.1

url:https://creativecommons.org/licenses/by-sa/2.5

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-0561

Trust: 0.1

url:https://security.gentoo.org/glsa/202210-10

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-0924

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-0865

Trust: 0.1

url:https://bugs.gentoo.org.

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-0891

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-32867

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-32859

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-26744

Trust: 0.1

url:https://support.apple.com/ht213446.

Trust: 0.1

url:https://www.apple.com/itunes/

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-32865

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-32827

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-32868

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-32795

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-2125

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-32877

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-2126

Trust: 0.1

url:https://support.apple.com/ht213443.

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-0359

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-0318

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-0392

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-0261

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-0361

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-0319

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-0368

Trust: 0.1

url:https://support.apple.com/ht213444.

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-0351

Trust: 0.1

url:https://support.apple.com/kb/ht204641

Trust: 0.1

url:https://support.apple.com/ht213486.

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-32883

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-32870

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-32907

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-32891

Trust: 0.1

url:https://support.apple.com/ht213487.

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-32912

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-32903

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-32908

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-32911

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-2953

Trust: 0.1

url:https://www.debian.org/security/

Trust: 0.1

url:https://www.debian.org/security/faq

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-2058

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-2520

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-2869

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-2867

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-2868

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-2057

Trust: 0.1

url:https://security-tracker.debian.org/tracker/tiff

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-2056

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-2519

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-2521

Trust: 0.1

sources: VULHUB: VHN-419735 // VULMON: CVE-2022-1622 // JVNDB: JVNDB-2022-011453 // PACKETSTORM: 169563 // PACKETSTORM: 169559 // PACKETSTORM: 169585 // PACKETSTORM: 169576 // PACKETSTORM: 169598 // PACKETSTORM: 169589 // PACKETSTORM: 170783 // CNNVD: CNNVD-202205-2732 // NVD: CVE-2022-1622

CREDITS

Apple

Trust: 0.5

sources: PACKETSTORM: 169559 // PACKETSTORM: 169585 // PACKETSTORM: 169576 // PACKETSTORM: 169598 // PACKETSTORM: 169589

SOURCES

db:VULHUBid:VHN-419735
db:VULMONid:CVE-2022-1622
db:JVNDBid:JVNDB-2022-011453
db:PACKETSTORMid:169563
db:PACKETSTORMid:169559
db:PACKETSTORMid:169585
db:PACKETSTORMid:169576
db:PACKETSTORMid:169598
db:PACKETSTORMid:169589
db:PACKETSTORMid:170783
db:CNNVDid:CNNVD-202205-2732
db:NVDid:CVE-2022-1622

LAST UPDATE DATE

2024-11-23T21:15:40.069000+00:00


SOURCES UPDATE DATE

db:VULHUBid:VHN-419735date:2022-11-07T00:00:00
db:VULMONid:CVE-2022-1622date:2022-11-07T00:00:00
db:JVNDBid:JVNDB-2022-011453date:2023-08-22T07:50:00
db:CNNVDid:CNNVD-202205-2732date:2023-02-01T00:00:00
db:NVDid:CVE-2022-1622date:2024-11-21T06:41:06.947

SOURCES RELEASE DATE

db:VULHUBid:VHN-419735date:2022-05-11T00:00:00
db:VULMONid:CVE-2022-1622date:2022-05-11T00:00:00
db:JVNDBid:JVNDB-2022-011453date:2023-08-22T00:00:00
db:PACKETSTORMid:169563date:2022-10-31T14:24:25
db:PACKETSTORMid:169559date:2022-10-31T14:22:02
db:PACKETSTORMid:169585date:2022-10-31T14:50:18
db:PACKETSTORMid:169576date:2022-10-31T14:42:57
db:PACKETSTORMid:169598date:2022-10-31T14:56:26
db:PACKETSTORMid:169589date:2022-10-31T14:51:24
db:PACKETSTORMid:170783date:2023-01-30T16:31:59
db:CNNVDid:CNNVD-202205-2732date:2022-05-10T00:00:00
db:NVDid:CVE-2022-1622date:2022-05-11T15:15:09.237