CVE-2024-7006
CVE Details
Visit the official vulnerability details page for CVE-2024-7006 to learn more.
Initial Publication
10/25/2024
Last Update
10/25/2024
Third Party Dependency
tiff
NIST CVE Summary
A null pointer dereference flaw was found in Libtiff via `tif_dirinfo.c`. This issue may allow an attacker to trigger memory allocation failures through certain means, such as restricting the heap space size or injecting faults, causing a segmentation fault. This can cause an application crash, eventually leading to a denial of service.
CVE Severity
Our Official Summary
A null pointer dereference flaw was found in Libtiff via tif_dirinfo.c. This issue may allow an attacker to trigger memory allocation failures through certain means, such as restricting the heap space size or injecting faults, causing a segmentation fault. This can cause an application crash, eventually leading to a denial of service.
The risk of exploitation of this vulnerability for our products is low as these containers canot be modified without privileged access and running arbitrary code. Containers have security controls in place to prevent these actions. We will wait for an upstream fix and then upgrade these components.
Status
Ongoing
Affected Products & Versions
| Version | Palette Enterprise | Palette Enterprise Airgap | VerteX | VerteX Airgap |
|---|---|---|---|---|
| 4.5.11 | Impacted | Impacted | No Impact | Impacted |
| 4.5.10 | Impacted | Impacted | No Impact | Impacted |
| 4.5.8 | Impacted | Impacted | No Impact | Impacted |
| 4.5.5 | Impacted | Impacted | No Impact | Impacted |
| 4.5.4 | Impacted | Impacted | No Impact | Impacted |
| 4.4.20 | Impacted | Impacted | No Impact | Impacted |
Revision History
| Date | Revision |
|---|---|
| 11/28/2024 | Official summary revised: A null pointer dereference flaw was found in Libtiff via tif_dirinfo.c. This issue may allow an attacker to trigger memory allocation failures through certain means, such as restricting the heap space size or injecting faults, causing a segmentation fault. This can cause an application crash, eventually leading to a denial of service.The risk of exploitation of this vulnerability for our products is low as these containers canot be modified without privileged access and running arbitrary code. Containers have security controls in place to prevent these actions. We will wait for an upstream fix and then upgrade these components. |
| 11/28/2024 | Official summary revised: A null pointer dereference flaw was found in Libtiff via tif_dirinfo.c. This issue may allow an attacker to trigger memory allocation failures through certain means, such as restricting the heap space size or injecting faults, causing a segmentation fault. This can cause an application crash, eventually leading to a denial of service.The risk of exploitation of this vulnerability for our products is low as these containers canot be modified without privileged access and running arbitrary code. Containers have security controls in place to prevent these actions. Impact of exploitation is also low as containers restrict the attack surface. We will wait for an upstream fix and then upgrade these components. |
| 11/28/2024 | Official summary revised: A null pointer dereference flaw was found in Libtiff via tif_dirinfo.c. This issue may allow an attacker to trigger memory allocation failures through certain means, such as restricting the heap space size or injecting faults, causing a segmentation fault. This can cause an application crash, eventually leading to a denial of service.The risk of exploitation of this vulnerability for our products is low as these containers canot be modified without privileged access and running arbitrary code. Containers have security controls in place to prevent these actions. We will wait for an upstream fix and then upgrade these components. |
| 11/15/2024 | Impacted versions changed from 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10 to 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10, 4.5.11 |
| 11/15/2024 | Impacted versions changed from 4.5.4, 4.5.5, 4.5.8, 4.4.20 to 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10 |
| 11/13/2024 | Impacted versions changed from 4.5.4, 4.5.5, 4.5.8 to 4.5.4, 4.5.5, 4.5.8, 4.4.20 |
| 11/10/2024 | Impacted versions changed from 4.5.4, 4.5.5 to 4.5.4, 4.5.5, 4.5.8 |
| 10/27/2024 | Impacted versions changed from 4.5.4 to 4.5.4, 4.5.5 |