Home > Vulnerability Database > CVE-2022-3008

Mend.io Vulnerability Database

CVE-2022-3008

Date: September 5, 2022

The tinygltf library uses the C library function wordexp() to perform file path expansion on untrusted paths that are provided from the input file. This function allows for command injection by using backticks. An attacker could craft an untrusted path input that would result in a path expansion. We recommend upgrading to 2.6.0 or past commit 52ff00a38447f06a17eab1caa2cf0730a119c751

Language: C++

Severity Score

8.1

Related Resources (8)

Url: https://github.com/syoyo/tinygltf/blob/master/README.md

Url: https://github.com/syoyo/tinygltf/issues/368

Url: https://security-tracker.debian.org/tracker/CVE-2022-3008

Url: https://nvd.nist.gov/vuln/detail/CVE-2022-3008

Url: https://github.com/syoyo/tinygltf/commit/52ff00a38447f06a17eab1caa2cf0730a119c751

Url: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=49053

Url: https://www.debian.org/security/2022/dsa-5232

Url: https://www.mend.io/vulnerability-database/CVE-2022-3008

Severity Score

8.1

Weakness Type (CWE)

Command Injection

CWE-77

OS Command Injections

CWE-78

CVSS v3.1

Base Score:	8.1
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	NONE
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2022-3008

Date: September 5, 2022

Language: C++

Severity Score

Related Resources (8)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?