Vulnerability DatabaseCVE-2022-3970

CVE-2022-3970:
NixOS vulnerability analysis and mitigation

Overview

CVE-2022-3970 is a critical vulnerability discovered in LibTIFF, specifically affecting the TIFFReadRGBATileExt function in the libtiff/tif_getimage.c file. The vulnerability was disclosed in late 2022 and affects LibTIFF versions prior to the November 2022 patch (GitLab Commit, Red Hat CVE).

Technical details

The vulnerability is characterized by an integer overflow condition in the TIFFReadRGBATileExt function of the libtiff/tif_getimage.c file. The issue occurs when processing TIFF files with specific tile configurations that can trigger an integer overflow, potentially leading to memory corruption (Red Hat CVE). The vulnerability has been assigned a CVSS score of 9.8 (CRITICAL), indicating its severe nature (NetApp Security).

Impact

When successfully exploited, this vulnerability can lead to multiple severe consequences including disclosure of sensitive information, addition or modification of data, and potential Denial of Service (DoS). The high severity rating indicates that successful exploitation could result in significant system compromise (NetApp Security).

Mitigation and workarounds

The vulnerability has been patched in LibTIFF's codebase. Organizations and users are strongly advised to update to the fixed version released after November 2022. For systems that cannot be immediately updated, it is recommended to exercise caution when processing TIFF files from untrusted sources (Debian Security).

Additional resources

Source: This report was generated using AI

View vulnerable instances

Not a Wiz customer?

Request vulnerability assessment

8.8

Score

Published November 13, 2022

Severity HIGH

CNA Score 6.3

Affected Technologies

NixOS
Apple Safari

Has Public Exploit No

Has CISA KEV Exploit No

CISA KEV Release Date N/A

CISA KEV Due Date N/A

Exploitation Probability Percentile (EPSS) 22.8

Exploitation Probability (EPSS) 0.1

Affected packages and libraries

compat-libtiff3
libtiff

Sources

AlmaLinux Security Advisory
- AlmaLinux 8 Severity MEDIUMHas FixAdded at: May 21, 2023
- AlmaLinux 9 Severity MEDIUMHas FixAdded at: May 14, 2023
Alpine Security Tracker
- Alpine 3.14, 3.15, 3.16 Severity HIGHHas FixAdded at: Mar 24, 2023
- Alpine 3.17 Severity HIGHHas FixAdded at: Mar 23, 2023
- Alpine 3.18 Severity HIGHHas FixAdded at: May 10, 2023
- Alpine 3.19 Severity HIGHHas FixAdded at: Dec 10, 2023
- Alpine 3.20 Severity HIGHHas FixAdded at: May 26, 2024
- Alpine 3.21 Severity HIGHHas FixAdded at: Dec 08, 2024
- Alpine 3.22 Severity HIGHHas FixAdded at: Jun 01, 2025
- Alpine edge Severity HIGHHas FixAdded at: Jun 19, 2023
CBL-Mariner
- CBL-Mariner 1.0, 2.0 Severity HIGHHas FixAdded at: Jun 10, 2023
Debian Security Tracker
- Debian 10, 11, 12 Severity HIGHHas FixAdded at: Nov 14, 2022
- Debian 13 Severity HIGHHas FixAdded at: Jun 11, 2023
Homebrew
- Homebrew Severity HIGHHas FixAdded at: Feb 12, 2024
Nix
- Nix Severity HIGHHas FixAdded at: Nov 01, 2023
Photon Security Advisory
- Photon 2.0, 4.0 Severity HIGHHas FixAdded at: Nov 23, 2022
- Photon 3.0 Severity HIGHHas FixAdded at: Nov 22, 2022
Red Hat Errata
- Red Hat 6, 7 Severity MEDIUMNo FixAdded at: Nov 28, 2022
- Red Hat 8 Severity MEDIUMHas FixAdded at: Nov 28, 2022
- Red Hat 9 Severity MEDIUMHas FixAdded at: Nov 28, 2022
Ubuntu Security Tracker
- Ubuntu 14.04 Severity MEDIUMHas FixAdded at: Feb 05, 2023
- Ubuntu 16.04 Severity MEDIUMHas FixAdded at: Nov 27, 2022
- Ubuntu 18.04, 20.04, 22.04, 22.10 Severity MEDIUMHas FixAdded at: Dec 01, 2022
NVD
- Windows Severity HIGHHas FixAdded at: Jan 15, 2023