CVE-2017-12601: Improper Restriction of Operations within the Bounds of a Memory Buffer in OpenCV

CVSS Score: 8.8 (CVSS version 3.0)

Basic Information

EPSS Score: 0.61437%
Published: 10/12/2021
Updated: 2/1/2023
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Package Name            Ecosystem   Vulnerable Versions   First Patched Version
opencv-python           pip         <= 3.3.0.9            3.3.1.11
opencv-contrib-python   pip         <= 3.3.0.9            3.3.1.11

Vulnerability Intelligence
Miggo AI Root Cause Analysis

  1. The CVE description explicitly states the buffer overflow occurs in cv::BmpDecoder::readData.
  2. Valgrind logs in GitHub issue #9309 show invalid writes originating from this function's memcpy operation.
  3. The vulnerability manifests when using cv::imread, which calls this decoder.
  4. CWE-120 (Classic Buffer Overflow) directly maps to the unsafe memcpy pattern described.
  5. The patch in PR #9376 likely addressed this by adding proper bounds checks in the BMP decoder implementation.
