
CVE-2024-7006: A null pointer dereference flaw was found in Libtiff via `tif_dirinfo.c`. This issue may allow an...

CVSS Score: 6.2 (CVSS v3.1)

Basic Information

EPSS Score: 0.72452%
Published: 8/12/2024
Updated: 11/6/2024
KEV Status: No
Technology: -

Technical Details

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability description explicitly mentions `tif_dirinfo.c`. The Red Hat Bugzilla entry for CVE-2024-7006 links to a GitLab merge request titled 'Fix 624: Check input parameters in _TIFFMergeFields()'. This strongly indicates that the `_TIFFMergeFields()` function in `tif_dirinfo.c` is the site of the null pointer dereference. The fix added checks on the function's input parameters, so the absence of those checks was the cause of the vulnerability. Although the commit diffs themselves could not be retrieved, the bug tracker entry and the merge request title provide sufficient evidence to identify the vulnerable function.


