CVE-2022-3857 - Vulnerability Details - OpenCVE

Description

Maintainer contacted. This is a false-positive. The flaw does not actually exist and was erroneously tested.

Published: 2023-03-06

Score: 5.5 Medium

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Analysis and contextual insights are available on OpenCVE Cloud.

No data.

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

Additional remediation guidance may be available on OpenCVE Cloud.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2022-43197	Maintainer contacted. This is a false-positive. The flaw does not actually exist and was erroneously tested.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://nvd.nist.gov/vuln/detail/CVE-2022-3857
https://www.cve.org/CVERecord?id=CVE-2022-3857

History

Wed, 09 Oct 2024 04:30:00 +0000

Type	Values Removed	Values Added
CPEs	cpe:2.3:a:libpng:libpng:1.6.38:::::::*
Vendors & Products	Libpng Libpng libpng
References	https://security.netapp.com/advisory/ntap-20230406-0004/ https://sourceforge.net/p/libpng/bugs/300/

Wed, 09 Oct 2024 03:45:00 +0000

Type	Values Removed	Values Added
Description	A flaw was found in libpng 1.6.38. A crafted PNG image can lead to a segmentation fault and denial of service in png_setup_paeth_row() function.	Maintainer contacted. This is a false-positive. The flaw does not actually exist and was erroneously tested.

Subscriptions

No data.

MITRE

Status: REJECTED

Assigner: redhat

Published: 2023-03-06T00:00:00.000Z

Updated: 2024-10-29T18:03:32.799Z

Reserved: 2022-11-04T00:00:00.000Z

Link: CVE-2022-3857

Vulnrichment

No data.

NVD

Status : Rejected

Published: 2023-03-06T23:15:11.087

Modified: 2024-10-09T04:15:06.567

Link: CVE-2022-3857

Redhat

Severity : Low

Publid Date: 2022-11-04T00:00:00Z

Links: CVE-2022-3857 - Bugzilla

OpenCVE Enrichment

No data.

Weaknesses

CWE-476

{"acknowledgement": "Red Hat would like to thank Heqing Huang (The Hong Kong University of Science and Technology) for reporting this issue.", "bugzilla": {"description": "libpng: Null pointer dereference leads to segmentation fault", "id": "2142600", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2142600"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-476", "details": ["[REJECTED CVE] A issue has been identified with libpng in png_setup_paeth_row() function. A crafted PNG image from a n attacker can lead to a segmentation fault and Denial of service."], "name": "CVE-2022-3857", "package_state": [{"cpe": "cpe:/a:redhat:openjdk:11", "fix_state": "Fix deferred", "package_name": "java-11-openjdk-portable", "product_name": "Red Hat build of OpenJDK 11"}, {"cpe": "cpe:/a:redhat:openjdk:17", "fix_state": "Fix deferred", "package_name": "java-11-openjdk-portable", "product_name": "Red Hat build of OpenJDK 17"}, {"cpe": "cpe:/a:redhat:openjdk:1.8", "fix_state": "Fix deferred", "package_name": "java-11-openjdk-portable", "product_name": "Red Hat build of OpenJDK 1.8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "libpng", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "libpng", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "libpng12", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "java-11-openjdk", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "java-17-openjdk", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "java-1.8.0-openjdk", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "libpng", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "libpng12", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "libpng15", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "java-11-openjdk", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "java-17-openjdk", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "java-1.8.0-openjdk", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "libpng", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "libpng15", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2022-11-04T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-3857\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-3857"], "statement": "This CVE has been rejected upstream, because this flaw does not exist and was erroneously tested. This issue has been marked as a false-positive - https://sourceforge.net/p/libpng/bugs/300/\nRed Hat has also evaluated this issue and determined that it does not meet the criteria to be classified as a security vulnerability. This assessment is based on the issue not posing a significant security risk, being a result of misconfiguration or usage error, or falling outside the scope of security considerations. \nAs such, this CVE has been marked as \"Rejected\" in alignment with Red Hat's vulnerability management policies.\nIf you have additional information or concerns regarding this determination, please contact Red Hat Product Security for further clarification.", "threat_severity": "Low"}