CVE-2022-3008 Vulnerability Details

  /     /     /  

CVE-2022-3008 Metadata Quick Info

CVE Published: 05/09/2022 | CVE Updated: 03/08/2024 | CVE Year: 2022
Source: Google | Vendor: syoyo | Product: tinygltf
Status : PUBLISHED

---

CVE-2022-3008 Description

The tinygltf library uses the C library function wordexp() to perform file path expansion on untrusted paths that are provided from the input file. This function allows for command injection by using backticks. An attacker could craft an untrusted path input that would result in a path expansion. We recommend upgrading to 2.6.0 or past commit 52ff00a38447f06a17eab1caa2cf0730a119c751

Metrics

CVSS Version: 3.1 | Base Score: 8.1 HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

l➤ Exploitability Metrics:
    Attack Vector (AV)* NETWORK
    Attack Complexity (AC)* LOW
    Privileges Required (PR)* LOW
    User Interaction (UI)* NONE
    Scope (S)* UNCHANGED

l➤ Impact Metrics:
    Confidentiality Impact (C)* HIGH
    Integrity Impact (I)* NONE
    Availability Impact (A)* HIGH

Weakness Enumeration (CWE)

CWE-ID: CWE-78
CWE Name: CWE-78 OS Command Injection
Source: syoyo

Common Attack Pattern Enumeration and Classification (CAPEC)

CAPEC-ID:
CAPEC Description:


Source: NVD (National Vulnerability Database).