Miggo Logo

CVE-2017-14136: Out-of-bounds Write in OpenCV

6.5

CVSS Score
3.0

Basic Information

EPSS Score
0.75589%
Published
10/12/2021
Updated
1/9/2023
KEV Status
No
Technology
TechnologyPython

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
opencv-pythonpip<= 3.3.0.93.3.1.11
opencv-contrib-pythonpip<= 3.3.0.93.3.1.11

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

  1. The CVE description explicitly names FillColorRow1 in utils.cpp as the vulnerable function.
  2. The GitHub issue #9443 shows a Valgrind trace pointing to FillColorRow1 with an invalid write operation during BMP decoding.
  3. The fix in pull request #9448 targets the BMP decoder's color handling logic, which aligns with the function's role in palette-based image processing.
  4. Multiple advisories (Debian, Gentoo) reference this CVE in the context of OpenCV's image decoding path, corroborating the function's involvement.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

Op*n*V (Op*n Sour** *omput*r Vision Li*r*ry) *.* (*orr*spon*in* to Op*n*V-Pyt*on *.*.*.*) **s *n out-o*-*oun*s writ* *rror in t** *un*tion *ill*olorRow* in utils.*pp w**n r***in* *n im*** *il* *y usin* *v::imr***. NOT*: t*is vuln*r**ility *xists ****

Reasoning

*. T** *V* **s*ription *xpli*itly n*m*s *ill*olorRow* in utils.*pp *s t** vuln*r**l* *un*tion. *. T** *it*u* issu* #**** s*ows * V*l*rin* tr*** pointin* to *ill*olorRow* wit* *n inv*li* writ* op*r*tion *urin* *MP ***o*in*. *. T** *ix in pull r*qu*st