CVE-2022-3008
Published: 05 September 2022
Summary
CVE-2022-3008 is a high-severity OS Command Injection (CWE-78) vulnerability in tinygltf (vendor: Tinygltf Project). Its CVSS base score is 8.1 (High).
Operationally, it ranks in the top 7.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
The tinygltf library is affected by a command injection vulnerability (CVE-2022-3008) that stems from its use of the C library function wordexp() to expand file paths taken directly from untrusted input files. This permits injection via backticks and related metacharacters, corresponding to CWE-78 and CWE-77. The flaw received a CVSS 3.1 score of 8.1 with network attack vector and low complexity.
An attacker able to supply a crafted glTF or related model file can trigger arbitrary command execution during path expansion. Successful exploitation yields high impact on confidentiality and availability while requiring only low privileges and no user interaction.
The project recommends upgrading to version 2.6.0 or applying the fix at commit 52ff00a38447f06a17eab1caa2cf0730a119c751. A Debian security advisory (DSA-5232) addresses the issue for affected distributions, and the root cause was originally reported via OSS-Fuzz issue 49053. The associated EPSS score reached a peak of 0.1188 but has since receded to 0.0846 without evidence of material post-disclosure growth.
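As an added illustration (not tinygltf's code and not its actual fix), the C example below contrasts the vulnerable wordexp() call pattern with a call that passes WRDE_NOCMD, so backtick and $( ) command substitution in a model-supplied path is refused instead of executed; the function name and the sample paths are constructed for this example.

```c
#include <stdio.h>
#include <string.h>
#include <wordexp.h>

/* Added example, not tinygltf code. Expands a file path read from an
 * untrusted model file. The vulnerable pattern behind CVE-2022-3008 is
 *     wordexp(untrusted, &we, 0);
 * which lets `cmd` or $(cmd) inside the path run a shell command.
 * Here WRDE_NOCMD makes wordexp() refuse command substitution
 * (WRDE_CMDSUB) and WRDE_UNDEF rejects references to unset variables.
 * Returns the expanded path in a static buffer, or NULL if rejected. */
const char *expand_model_path(const char *untrusted)
{
    static char out[4096];
    wordexp_t we;

    if (wordexp(untrusted, &we, WRDE_NOCMD | WRDE_UNDEF) != 0)
        return NULL;   /* WRDE_CMDSUB, WRDE_BADVAL, WRDE_SYNTAX, ... */

    /* A single file path must expand to exactly one word; word splitting
     * on spaces or a glob matching several files is treated as an error. */
    if (we.we_wordc != 1 || strlen(we.we_wordv[0]) >= sizeof out) {
        wordfree(&we);
        return NULL;
    }
    strcpy(out, we.we_wordv[0]);
    wordfree(&we);
    return out;
}

int main(void)
{
    /* Constructed sample paths as they might appear in a crafted glTF file. */
    const char *samples[] = {
        "models/scene.bin",      /* benign, expands to itself */
        "`id`",                  /* backtick command substitution */
        "$(id)",                 /* $( ) command substitution */
        "my models/scene.bin",   /* splits into two words */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const char *p = expand_model_path(samples[i]);
        printf("%-24s -> %s\n", samples[i], p ? p : "REJECTED");
    }
    return 0;
}
```

WRDE_NOCMD only blocks command substitution; variable and glob expansion still happen, so the stronger fix is to keep untrusted paths away from a shell-style expander entirely.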
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-42444
Vulnerability details
The tinygltf library uses the C library function wordexp() to perform file path expansion on untrusted paths that are provided from the input file. This function allows for command injection by using backticks. An attacker could craft an untrusted path input that would result in a path expansion. We recommend upgrading to 2.6.0 or past commit 52ff00a38447f06a17eab1caa2cf0730a119c751.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.