#VU67574 Command Injection in tinygltf - CVE-2022-3008

Cybersecurity Help s.r.o.

Published: 2022-09-22

Vulnerability identifier: #VU67574

Vulnerability risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2022-3008

CWE-ID: CWE-77

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
tinygltf
Universal components / Libraries / Libraries used by multiple products

Vendor: Syoyo Fujita

Description

The vulnerability allows a remote attacker to execute arbitrary commands on the system.

The vulnerability exists due to insufficient parsing of user-supplied input within the wordexp() when handling file paths. A remote attacker can supply specially crafted string to the affected application and execute arbitrary OS commands on the system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

tinygltf: 2.1.0 - 2.5.0

External links
https://github.com/syoyo/tinygltf/issues/368
https://github.com/syoyo/tinygltf/blob/master/README.md
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=49053
https://github.com/syoyo/tinygltf/commit/52ff00a38447f06a17eab1caa2cf0730a119c751
https://www.debian.org/security/2022/dsa-5232

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Ubuntu update for tinygltf

Debian update for tinygltf

OS command injection in tinygltf library