CVE-2022-24599 : In autofile Audio File Library 0.3.6, there exists one memory leak vulnerability in printfileinfo, in printinfo.c, which

In autofile Audio File Library 0.3.6, there exists one memory leak vulnerability in printfileinfo, in printinfo.c, which allows an attacker to leak sensitive information via a crafted file. The printfileinfo function calls the copyrightstring function to get data, however, it dosn't use zero bytes to truncate the data.

Published 2022-02-24 15:15:30

Updated 2023-12-28 15:58:19

Source MITRE

View at NVD, CVE.org

Exploit prediction scoring system (EPSS) score for CVE-2022-24599

Probability of exploitation activity in the next 30 days: 0.26%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 64 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2022-24599

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
4.3	MEDIUM	AV:N/AC:M/Au:N/C:P/I:N/A:N	8.6	2.9	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: Partial Integrity Impact: None Availability Impact: None
6.5	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N	2.8	3.6	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: High Integrity: None Availability: None

CWE ids for CVE-2022-24599

CWE-401 Missing Release of Memory after Effective Lifetime

The product does not sufficiently track and release allocated memory after it has been used, which slowly consumes remaining memory.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2022-24599

https://lists.debian.org/debian-lts-announce/2023/11/msg00006.html

[SECURITY] [DLA 3650-1] audiofile security update
Mailing List

CVEs referencing this url
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YZPG27YKICLIWUFOPVUOAFAZGOX4BNHY/

[SECURITY] Fedora 39 Update: audiofile-0.3.6-36.fc39 - package-announce - Fedora Mailing-Lists
Mailing List
https://github.com/mpruett/audiofile/issues/60

Memory-leak bug in printfileinfo, in printinfo.c · Issue #60 · mpruett/audiofile · GitHub
Exploit;Issue Tracking;Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WTETOUJNRR75REYJZTBGF6TAJZYTMXUY/

[SECURITY] Fedora 37 Update: audiofile-0.3.6-36.fc37 - package-announce - Fedora Mailing-Lists
Mailing List
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N4JXZ6QAMA3TSRY6GUZRY3WTHR7P5TPH/

[SECURITY] Fedora 38 Update: audiofile-0.3.6-36.fc38 - package-announce - Fedora Mailing-Lists
Mailing List

Products affected by CVE-2022-24599

Debian » Debian Linux » Version: 10.0
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
Matching versions
Fedoraproject » Fedora » Version: 37
cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*
Matching versions
Fedoraproject » Fedora » Version: 38
cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*
Matching versions
Fedoraproject » Fedora » Version: 39
cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*
Matching versions
Audio File Library Project » Audio File Library » Version: 0.3.6
cpe:2.3:a:audio_file_library_project:audio_file_library:0.3.6:*:*:*:*:*:*:*
Matching versions

Vulnerability Details : CVE-2022-24599

Exploit prediction scoring system (EPSS) score for CVE-2022-24599

CVSS scores for CVE-2022-24599

CWE ids for CVE-2022-24599

References for CVE-2022-24599

Products affected by CVE-2022-24599