Published:2024/09/18  Last Updated:2024/09/18

JVN#42386607
Assimp vulnerable to heap-based buffer overflow

Overview

Assimp provided by Open Asset Import Library contains a heap-based buffer overflow vulnerability.

Products Affected

  • Assimp versions prior to 5.4.3

Description

PlyLoader.cpp of Assimp provided by Open Asset Import Library contains a heap-based buffer overflow vulnerability (CWE-122).

Impact

An attacker may execute arbitrary code by importing a specially crafted file into the product.

Solution

Update the Software
Update the software to the latest version according to the information provided by the developer.

The developer has released version 5.4.3 that contains a fix for this vulnerability.

Vendor Status

Vendor Link
Open Asset Import Library The Assimp 5.4.3 Bugfix Release

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

CVSS v3 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Base Score: 8.4
Attack Vector(AV) Physical (P) Local (L) Adjacent (A) Network (N)
Attack Complexity(AC) High (H) Low (L)
Privileges Required(PR) High (H) Low (L) None (N)
User Interaction(UI) Required (R) None (N)
Scope(S) Unchanged (U) Changed (C)
Confidentiality Impact(C) None (N) Low (L) High (H)
Integrity Impact(I) None (N) Low (L) High (H)
Availability Impact(A) None (N) Low (L) High (H)

Credit

Yuhei Kawakoya of NTT Security Holdings reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE CVE-2024-45679
JVN iPedia JVNDB-2024-000099