{
  "threat_severity" : "Low",
  "public_date" : "2022-04-12T00:00:00Z",
  "bugzilla" : {
    "description" : "libtiff: heap-buffer-overflow in TIFFReadRawDataStriped() in tiffinfo.c",
    "id" : "2074404",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2074404"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-125",
  "details" : [ "A heap buffer overflow flaw was found in LibTIFF's tiffinfo.c in the TIFFReadRawDataStriped() function. This flaw allows an attacker to pass a crafted TIFF file to the tiffinfo tool, triggering a heap buffer overflow and causing a crash that leads to a denial of service.", "A heap buffer overflow flaw was found in LibTIFF's tiffinfo.c in the TIFFReadRawDataStriped() function. This flaw allows an attacker to pass a crafted TIFF file to the tiffinfo tool, triggering a heap buffer overflow and causing a crash that leads to a denial of service." ],
  "statement" : "To successfully exploit this vulnerability, the attacker needs to create a specially crafted TIFF file designed to trigger the buffer overflow in the TIFFReadRawDataStriped() function. The attacker must then convince or trick a user into processing the malicious TIFF file using the tiffinfo tool.\nConsidering the high bar of prerequisites for successful exploitation, RH ProdSec has set the Impact of this vulnerability to \"Low\".",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2022-11-15T00:00:00Z",
    "advisory" : "RHSA-2022:8194",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "libtiff-0:4.4.0-2.el9"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "libtiff",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "compat-libtiff3",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "libtiff",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "compat-libtiff3",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "libtiff",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-1354\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-1354" ],
  "name" : "CVE-2022-1354",
  "csaw" : false
}