Ubuntu update for tinygltf



Risk High
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2022-3008
CWE-ID CWE-77
Exploitation vector Network
Public exploit N/A
Vulnerable software
Ubuntu
Operating systems & Components / Operating system

libtinygltf1d (Ubuntu package)
Operating systems & Components / Operating system package or component

libtinygltf-dev (Ubuntu package)
Operating systems & Components / Operating system package or component

Vendor Canonical Ltd.

Security Bulletin

This security bulletin contains one high risk vulnerability.

1) Command Injection

EUVDB-ID: #VU67574

Risk: High

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-3008

CWE-ID: CWE-77 - Command injection

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary commands on the system.

The vulnerability exists due to insufficient parsing of user-supplied input within the wordexp() when handling file paths. A remote attacker can supply specially crafted string to the affected application and execute arbitrary OS commands on the system.

Mitigation

Update the affected package tinygltf to the latest version.

Vulnerable software versions

Ubuntu: 22.04

libtinygltf1d (Ubuntu package): before 2.5.0+dfsg-4ubuntu0.1

libtinygltf-dev (Ubuntu package): before 2.5.0+dfsg-4ubuntu0.1

CPE2.3 External links

http://ubuntu.com/security/notices/USN-7129-1


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###