CVE-2023-24472
A denial of service vulnerability exists in the FitsOutput::close() functionality of OpenImageIO Project OpenImageIO v2.4.7.1. A specially crafted ImageOutput Object can lead to denial of service. An attacker can provide malicious input to trigger this vulnerability.
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
OpenImageIO Project OpenImageIO v2.4.7.1
OpenImageIO - https://github.com/OpenImageIO/oiio
7.5 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE-674 - Uncontrolled Recursion
OpenImageIO is an image processing library with easy-to-use interfaces and a sizable number of supported image formats. Useful for conversion and processing and even image comparison, this library is utilized by 3D-processing software from AliceVision (including Meshroom), as well as Blender for reading Photoshop .psd files.
CVE-2022-43595 was not fixed in newest version.
2023-02-07 - Vendor Disclosure
2023-02-13 - Vendor Patch Release
2023-03-30 - Public Release
Discovered by Lilith >_> of Cisco Talos.