Vulnerability Details : CVE-2022-3008
The tinygltf library uses the C library function wordexp() to perform file path expansion on untrusted paths that are provided from the input file. This function allows for command injection via backticks in the path. An attacker could craft an untrusted path input that would result in a path expansion. We recommend upgrading to 2.6.0 or to a version past commit 52ff00a38447f06a17eab1caa2cf0730a119c751.
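As an added illustration (not tinygltf's code; `expand_asset_path_safe` and `expands_to` are hypothetical helpers), the snippet below shows the minimum hardening if wordexp() must be kept at all: the WRDE_NOCMD flag makes command substitution fail with WRDE_CMDSUB instead of running it, and the result is checked to be exactly one word. The project's own fix, per the commit referenced on this page, dropped the expansion entirely, which is the stronger choice for a glTF asset path.

```c
#include <stdio.h>
#include <string.h>
#include <wordexp.h>

/* Hypothetical hardened expander (not tinygltf's code): 0 and the single expanded
 * path in out on success, -1 when the input is rejected. */
int expand_asset_path_safe(const char *in, char *out, size_t outlen)
{
    wordexp_t we;
    /* WRDE_NOCMD makes wordexp() fail with WRDE_CMDSUB on `...` or $(...)
     * instead of spawning /bin/sh; WRDE_UNDEF fails on unset $VARIABLES
     * instead of silently expanding them to "". */
    int rc = wordexp(in, &we, WRDE_NOCMD | WRDE_UNDEF);
    if (rc != 0) {
        if (rc == WRDE_NOSPACE)   /* only this error leaves words allocated */
            wordfree(&we);
        return -1;
    }
    /* A glTF asset URI must resolve to exactly one path: reject globs or
     * field splitting (unquoted spaces) that yield zero or several words. */
    if (we.we_wordc != 1 || strlen(we.we_wordv[0]) >= outlen) {
        wordfree(&we);
        return -1;
    }
    strcpy(out, we.we_wordv[0]);
    wordfree(&we);
    return 0;
}

/* Check helper: 1 if in is accepted and expands to expected, or if expected is
 * NULL and in is rejected; 0 otherwise. */
int expands_to(const char *in, const char *expected)
{
    char buf[256];
    int rejected = expand_asset_path_safe(in, buf, sizeof buf) != 0;
    if (expected == NULL) return rejected;
    return !rejected && strcmp(buf, expected) == 0;
}

int main(void)
{
    /* Constructed sample paths; the command-substitution ones are never executed. */
    const char *samples[] = { "textures/wood.png", "`uname`.png", "$(uname).png", "a b.png" };
    char buf[256];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = expand_asset_path_safe(samples[i], buf, sizeof buf);
        printf("%-20s -> %s\n", samples[i], rc == 0 ? buf : "rejected");
    }
    return 0;
}
```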
Products affected by CVE-2022-3008
- cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
- cpe:2.3:a:tinygltf_project:tinygltf:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-3008
1.67% probability of exploitation activity in the next 30 days
EPSS Score History: ~88% percentile (the proportion of vulnerabilities scored at or below this one)
CVSS scores for CVE-2022-3008
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
| 8.1 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H | 2.8 | 5.2 | Google Inc. | |
| 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | 2.8 | 5.9 | NIST | |
CWE ids for CVE-2022-3008
- CWE-77: The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. Assigned by: nvd@nist.gov (Primary)
- CWE-78: The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. Assigned by: cve-coordination@google.com (Secondary)
References for CVE-2022-3008
- https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=49053 : 49053 - tinygltf:fuzz_gltf: Command injection in tinygltf::ExpandFilePath - oss-fuzz (Exploit; Issue Tracking; Mailing List; Third Party Advisory)
- https://github.com/syoyo/tinygltf/issues/368 : Command injection via wordexp call. · Issue #368 · syoyo/tinygltf · GitHub (Exploit; Issue Tracking; Patch; Third Party Advisory)
- https://www.debian.org/security/2022/dsa-5232 : Debian -- Security Information -- DSA-5232-1 tinygltf (Third Party Advisory)
- https://github.com/syoyo/tinygltf/commit/52ff00a38447f06a17eab1caa2cf0730a119c751 : Do not expand file path since its not necessary for glTF asset path(U… · syoyo/tinygltf@52ff00a · GitHub (Patch; Third Party Advisory)
- https://github.com/syoyo/tinygltf/blob/master/README.md : tinygltf/README.md at master · syoyo/tinygltf · GitHub (Product; Third Party Advisory)