Risk | High |
Patch available | YES |
Number of vulnerabilities | 1 |
CVE-ID | CVE-2022-3008 |
CWE-ID | CWE-77 |
Exploitation vector | Network |
Public exploit | N/A |
Vulnerable software | Ubuntu (Operating systems & Components / Operating system), libtinygltf1d (Ubuntu package), libtinygltf-dev (Ubuntu package) |
Vendor | Canonical Ltd. |
Security Bulletin
This security bulletin contains one high risk vulnerability.
EUVDB-ID: #VU67574
Risk: High
CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-3008
CWE-ID:
CWE-77 - Command injection
Exploit availability: No
Description
The vulnerability allows a remote attacker to execute arbitrary commands on the system.
The vulnerability exists due to insufficient parsing of user-supplied input within the wordexp() function when handling file paths. A remote attacker can supply a specially crafted string to the affected application and execute arbitrary OS commands on the system.
Update the affected package tinygltf to the latest version.
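The bulletin attributes the flaw to file paths being expanded with wordexp(), which by default delegates expansion to /bin/sh and therefore honours command substitution. The example below is added here for illustration; it is not code from tinygltf, Ubuntu or the bulletin, and the helper names (expand_path_safely, looks_like_command_substitution) and the sample paths are this example's own assumptions. It shows the unsafe call shape in a comment, a hardened wrapper that passes WRDE_NOCMD and treats WRDE_CMDSUB as a rejection rather than an execution, and a small pre-check that can be used to flag file references containing command-substitution syntax before they reach any shell-style expansion.

```c
#include <stdio.h>
#include <string.h>
#include <wordexp.h>

/* Outcome of the hardened expansion helper (names are this example's own). */
enum expand_result {
    EXPAND_OK = 0,              /* expanded to exactly one path, copied to out */
    EXPAND_REJECTED_CMDSUB = 1, /* input contained $(...) or `...`; refused */
    EXPAND_ERROR = 2            /* syntax error, several words, or other failure */
};

/* Defensive pre-check for scanning file references (e.g. asset URI fields)
 * before they reach any shell-style expansion: returns 1 if the string
 * contains either command-substitution form the shell understands. */
int looks_like_command_substitution(const char *s) {
    for (; *s; s++) {
        if (*s == '`') return 1;
        if (*s == '$' && s[1] == '(') return 1;
    }
    return 0;
}

/* The vulnerable pattern is a call of the shape
 *     wordexp(untrusted_path, &we, 0);
 * with no restricting flags: wordexp() hands the string to /bin/sh, so a
 * crafted path can run commands. The hardened form below passes WRDE_NOCMD,
 * which makes wordexp() return WRDE_CMDSUB instead of executing anything when
 * command substitution is present. Exactly one resulting word is accepted. */
enum expand_result expand_path_safely(const char *path, char *out, size_t outlen) {
    wordexp_t we;
    int rc = wordexp(path, &we, WRDE_NOCMD);
    if (rc == WRDE_CMDSUB)
        return EXPAND_REJECTED_CMDSUB;
    if (rc != 0) {
        if (rc == WRDE_NOSPACE)   /* only this error may leave a partial allocation */
            wordfree(&we);
        return EXPAND_ERROR;
    }
    if (we.we_wordc != 1) {       /* a single file path must not expand to several words */
        wordfree(&we);
        return EXPAND_ERROR;
    }
    snprintf(out, outlen, "%s", we.we_wordv[0]);
    wordfree(&we);
    return EXPAND_OK;
}

int main(void) {
    /* Constructed sample inputs: two benign relative paths and two strings
     * carrying command-substitution syntax that the hardened helper refuses. */
    const char *samples[] = { "model.gltf", "textures/albedo.png", "$(id).gltf", "`id`.gltf" };
    char buf[256];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        enum expand_result r = expand_path_safely(samples[i], buf, sizeof buf);
        if (r == EXPAND_OK)
            printf("%-22s -> ok: %s\n", samples[i], buf);
        else if (r == EXPAND_REJECTED_CMDSUB)
            printf("%-22s -> rejected: command substitution (pre-check=%d)\n",
                   samples[i], looks_like_command_substitution(samples[i]));
        else
            printf("%-22s -> error\n", samples[i]);
    }
    return 0;
}
```

WRDE_NOCMD closes the command-substitution path only; parameter expansion, tilde expansion and globbing still run, so a loader that merely needs a literal file name is better off not calling wordexp() on untrusted data at all. The pre-check is a detection aid (for example, for scanning incoming model files for suspicious URI fields), not a substitute for the flag.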
Vulnerable software versions
Ubuntu: 22.04
libtinygltf1d (Ubuntu package): before 2.5.0+dfsg-4ubuntu0.1
libtinygltf-dev (Ubuntu package): before 2.5.0+dfsg-4ubuntu0.1
Reference: http://ubuntu.com/security/notices/USN-7129-1
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.