{"api_version":"1","generated_at":"2026-04-22T22:40:44+00:00","cve":"CVE-2021-23169","urls":{"html":"https://cve.report/CVE-2021-23169","api":"https://cve.report/api/cve/CVE-2021-23169.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2021-23169","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2021-23169"},"summary":{"title":"CVE-2021-23169","description":"A heap-buffer overflow was found in the copyIntoFrameBuffer function of OpenEXR in versions before 3.0.1. An attacker could use this flaw to execute arbitrary code with the permissions of the user running the application compiled against OpenEXR.","state":"PUBLIC","assigner":"secalert@redhat.com","published_at":"2021-06-08 12:15:00","updated_at":"2023-11-07 03:30:00"},"problem_types":["CWE-787"],"metrics":[],"references":[{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4KYNJSMVA6YJY5NMKDZ5SAISKZG2KCKC/","name":"FEDORA-2021-c194de7719","refsource":"","tags":[],"title":"[SECURITY] Fedora 34 Update: mingw-openexr-2.5.5-2.fc34 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4KYNJSMVA6YJY5NMKDZ5SAISKZG2KCKC/","name":"FEDORA-2021-c194de7719","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 34 Update: mingw-openexr-2.5.5-2.fc34 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BXFLD4ZAXKAIWO6ZPBCQEEDZB5IG676K/","name":"FEDORA-2021-6af32bfcd2","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 33 Update: mingw-OpenEXR-2.4.1-4.fc33 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1947612","name":"https://bugzilla.redhat.com/show_bug.cgi?id=1947612","refsource":"MISC","tags":[],"title":"1947612 – (CVE-2021-23169) CVE-2021-23169 OpenEXR: Heap-buffer-overflow in Imf_2_5::copyIntoFrameBuffer","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://security.gentoo.org/glsa/202210-31","name":"GLSA-202210-31","refsource":"GENTOO","tags":[],"title":"OpenEXR: Multiple Vulnerabilities (GLSA 202210-31) — Gentoo security","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BXFLD4ZAXKAIWO6ZPBCQEEDZB5IG676K/","name":"FEDORA-2021-6af32bfcd2","refsource":"","tags":[],"title":"[SECURITY] Fedora 33 Update: mingw-OpenEXR-2.4.1-4.fc33 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2021-23169","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-23169","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2021","cve_id":"23169","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"33","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"23169","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"34","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"23169","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"openexr","cpe5":"openexr","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2021-23169","qid":"179744","title":"Debian Security Update for openexr (CVE-2021-23169)"},{"cve":"CVE-2021-23169","qid":"281212","title":"Fedora Security Update for mingw (FEDORA-2021-6af32bfcd2)"},{"cve":"CVE-2021-23169","qid":"281213","title":"Fedora Security Update for mingw (FEDORA-2021-c194de7719)"},{"cve":"CVE-2021-23169","qid":"502134","title":"Alpine Linux Security Update for openexr"},{"cve":"CVE-2021-23169","qid":"710663","title":"Gentoo Linux OpenEXR Multiple Vulnerabilities (GLSA 202210-31)"}]},"source_records":{"cve_program":{"data_type":"CVE","data_format":"MITRE","data_version":"4.0","CVE_data_meta":{"ID":"CVE-2021-23169","ASSIGNER":"secalert@redhat.com","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"vendor_name":"n/a","product":{"product_data":[{"product_name":"OpenEXR","version":{"version_data":[{"version_value":"OpenEXR 3.0.1"}]}}]}}]}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-787"}]}]},"references":{"reference_data":[{"refsource":"FEDORA","name":"FEDORA-2021-c194de7719","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4KYNJSMVA6YJY5NMKDZ5SAISKZG2KCKC/"},{"refsource":"FEDORA","name":"FEDORA-2021-6af32bfcd2","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BXFLD4ZAXKAIWO6ZPBCQEEDZB5IG676K/"},{"refsource":"MISC","name":"https://bugzilla.redhat.com/show_bug.cgi?id=1947612","url":"https://bugzilla.redhat.com/show_bug.cgi?id=1947612"},{"refsource":"GENTOO","name":"GLSA-202210-31","url":"https://security.gentoo.org/glsa/202210-31"}]},"description":{"description_data":[{"lang":"eng","value":"A heap-buffer overflow was found in the copyIntoFrameBuffer function of OpenEXR in versions before 3.0.1. An attacker could use this flaw to execute arbitrary code with the permissions of the user running the application compiled against OpenEXR."}]}},"nvd":{"publishedDate":"2021-06-08 12:15:00","lastModifiedDate":"2023-11-07 03:30:00","problem_types":["CWE-787"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":8.8,"baseSeverity":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.9},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:M/Au:N/C:P/I:P/A:P","accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL","baseScore":6.8},"severity":"MEDIUM","exploitabilityScore":8.6,"impactScore":6.4,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":true}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:openexr:openexr:*:*:*:*:*:*:*:*","versionEndExcluding":"3.0.1","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2021","CveId":"23169","Ordinal":"206858","Title":"CVE-2021-23169","CVE":"CVE-2021-23169","Year":"2021"},"notes":[{"CveYear":"2021","CveId":"23169","Ordinal":"1","NoteData":"A heap-buffer overflow was found in the copyIntoFrameBuffer function of OpenEXR in versions before 3.0.1. An attacker could use this flaw to execute arbitrary code with the permissions of the user running the application compiled against OpenEXR.","Type":"Description","Title":null},{"CveYear":"2021","CveId":"23169","Ordinal":"2","NoteData":"2021-06-08","Type":"Other","Title":"Published"},{"CveYear":"2021","CveId":"23169","Ordinal":"3","NoteData":"2021-06-08","Type":"Other","Title":"Modified"}]}}}