CVE-2022-20771: 
Clam AntiVirus vulnerability analysis and mitigation

A vulnerability (CVE-2022-20771) was discovered in the TIFF file parser of Clam AntiVirus (ClamAV) versions 0.104.0 through 0.104.2 and LTS version 0.103.5 and prior versions. The vulnerability was disclosed on April 20, 2022, affecting multiple versions of the ClamAV scanning library (CISCO Advisory).

The vulnerability has been assigned a CVSS base score of 7.5 (High severity) with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:X/RL:X/RC:X. The issue specifically affects the TIFF file parsing functionality in ClamAV, which could lead to an infinite loop condition (CISCO Advisory).

This vulnerability could allow an unauthenticated, remote attacker to cause a denial of service condition on an affected device. The impact is limited to availability, with no direct effect on confidentiality or integrity (CISCO Advisory).

No workarounds are available for this vulnerability. The issue has been fixed in ClamAV version 0.103.6 for the LTS branch and version 0.104.3 for the main branch. Users are advised to upgrade to these or later versions (Debian LTS, CISCO Advisory).