Skip to main content
Version: latest

CVE-2024-7006

CVE Details

Visit the official vulnerability details page for CVE-2024-7006 to learn more.

Initial Publication

10/25/2024

Last Update

12/16/2024

Third Party Dependency

tiff

NIST CVE Summary

A null pointer dereference flaw was found in Libtiff via `tif_dirinfo.c`. This issue may allow an attacker to trigger memory allocation failures through certain means, such as restricting the heap space size or injecting faults, causing a segmentation fault. This can cause an application crash, eventually leading to a denial of service.

CVE Severity

7.5

Our Official Summary

A null pointer dereference flaw was found in Libtiff via tif_dirinfo.c. This issue may allow an attacker to trigger memory allocation failures through certain means, such as restricting the heap space size or injecting faults, causing a segmentation fault. This can cause an application crash, eventually leading to a denial of service.

The risk of exploitation of this vulnerability for our products is low as these containers canot be modified without privileged access and running arbitrary code. Containers have security controls in place to prevent these actions. We will wait for an upstream fix and then upgrade these components.

Status

Ongoing

Affected Products & Versions

VersionPalette EnterprisePalette Enterprise AirgapVerteXVerteX Airgap
4.5.15⚠️ Impacted⚠️ Impacted✅ No Impact✅ No Impact
4.5.11⚠️ Impacted⚠️ Impacted✅ No Impact✅ No Impact
4.5.10⚠️ Impacted⚠️ Impacted✅ No Impact✅ No Impact
4.5.8⚠️ Impacted⚠️ Impacted✅ No Impact✅ No Impact
4.5.5⚠️ Impacted⚠️ Impacted✅ No Impact✅ No Impact
4.5.4⚠️ Impacted⚠️ Impacted✅ No Impact✅ No Impact
4.4.20⚠️ Impacted⚠️ Impacted✅ No Impact✅ No Impact

Revision History

DateRevision
12/16/2024Impacted versions changed from 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10, 4.5.11 to 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10, 4.5.11, 4.5.15
12/11/2024Official summary revised: A null pointer dereference flaw was found in Libtiff via tif_dirinfo.c. This issue may allow an attacker to trigger memory allocation failures through certain means, such as restricting the heap space size or injecting faults, causing a segmentation fault. This can cause an application crash, eventually leading to a denial of service.The risk of exploitation of this vulnerability for our products is low as these containers canot be modified without privileged access and running arbitrary code. Containers have security controls in place to prevent these actions. We will wait for an upstream fix and then upgrade these components.
11/15/2024Impacted versions changed from 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10 to 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10, 4.5.11
11/15/2024Impacted versions changed from 4.5.4, 4.5.5, 4.5.8, 4.4.20 to 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10
11/13/2024Impacted versions changed from 4.5.4, 4.5.5, 4.5.8 to 4.5.4, 4.5.5, 4.5.8, 4.4.20
11/10/2024Impacted versions changed from 4.5.4, 4.5.5 to 4.5.4, 4.5.5, 4.5.8
10/27/2024Impacted versions changed from 4.5.4 to 4.5.4, 4.5.5