CVE-2018-7456
tiff3 - security update
CVSS 3.1: 6.5 (MEDIUM)
EPSS: 0.69%
Description
A NULL Pointer Dereference occurs in the function TIFFPrintDirectory in tif_print.c in LibTIFF 3.9.3, 3.9.4, 3.9.5, 3.9.6, 3.9.7, 4.0.0alpha4, 4.0.0alpha5, 4.0.0alpha6, 4.0.0beta7, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.4beta, 4.0.5, 4.0.6, 4.0.7, 4.0.8 and 4.0.9 when using the tiffinfo tool to print crafted TIFF information, a different vulnerability than CVE-2017-18013. (This affects an earlier part of the TIFFPrintDirectory function that was not addressed by the CVE-2017-18013 patch.)
How to fix CVE-2018-7456
To remediate CVE-2018-7456, upgrade the affected package to a fixed version below.
- upgrade to 4.0.9-r4 or later
- upgrade to 4.0.9-5 or later
- upgrade to 4.0.2-6+deb7u19 or later
- upgrade to 3.9.6-11+deb7u10 or later
Is CVE-2018-7456 being exploited?
Low — EPSS is 0.7%, meaning exploitation activity has not been observed at scale.
Affected packages (4)
- from 0, < 4.0.9-r4
- from 0, < 4.0.9-5
- from 0, < 4.0.2-6+deb7u19
- from 0, < 3.9.6-11+deb7u10
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 6.5 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H |