CVE-2022-20304: 
NixOS vulnerability analysis and mitigation

A vulnerability identified as CVE-2021-20304 was discovered in OpenEXR's hufDecode functionality. The vulnerability was published on August 23, 2022, affecting OpenEXR versions up to and including 2.5.7. This security flaw enables attackers to trigger an undefined right shift error by processing a specially crafted file through OpenEXR (NVD, Ubuntu Security).

The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (High), with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The vulnerability is classified as CWE-190 (Integer Overflow or Wraparound). The attack vector is network-based, requires low attack complexity, needs no privileges or user interaction, and has a significant impact on system availability (NVD).

The primary impact of this vulnerability is on system availability, with no direct effect on confidentiality or integrity. When successfully exploited, the vulnerability can trigger an undefined right shift error, potentially leading to system disruption (Ubuntu Security).

A patch has been released to address this vulnerability, identified by the commit 51a92d67f53c08230734e74564c807043cbfe41e in the OpenEXR repository. Users are advised to update to the latest version of OpenEXR that includes this security fix (Ubuntu Security).