Cyber Resilience

CVE-2022-3008

High · Public PoC · RCE

Published: 05 September 2022

Modified: 21 November 2024
KEV Added: not listed
Patch: upgrade to 2.6.0 (see analysis below)
CVSS v3.1 score: 8.1 (vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H)
EPSS score: 0.0846 (92.5th percentile)
Risk priority: 21 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-3008 is a high-severity OS Command Injection (CWE-78) vulnerability in tinygltf (tinygltf project). Its CVSS base score is 8.1 (High).

Operationally, this CVE ranks in the top 7.5% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

The tinygltf library is affected by a command injection vulnerability (CVE-2022-3008) that stems from its use of the C library function wordexp() to expand file paths taken directly from untrusted input files. This permits injection via backticks and related metacharacters, corresponding to CWE-78 and CWE-77. The flaw received a CVSS 3.1 score of 8.1 with network attack vector and low complexity.

An attacker able to supply a crafted glTF or related model file can trigger arbitrary command execution during path expansion. Successful exploitation yields high impact on confidentiality and availability while requiring only low privileges and no user interaction.

The project recommends upgrading to version 2.6.0 or applying the fix at commit 52ff00a38447f06a17eab1caa2cf0730a119c751. A Debian security advisory (DSA-5232) addresses the issue for affected distributions, and the root cause was originally reported via OSS-Fuzz issue 49053. The associated EPSS score reached a peak of 0.1188 but has since receded to 0.0846 without evidence of material post-disclosure growth.
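A hardened path-expansion routine, added here as an illustration (it is not tinygltf's own code and does not claim to reproduce the project's fix): it keeps wordexp() for variable and tilde expansion but passes WRDE_NOCMD so that backtick and $(...) command substitution is refused, and it treats any result other than exactly one word as an error. The sample inputs are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <wordexp.h>

/*
 * Hardened replacement for "wordexp(path, &we, 0)" on an untrusted model
 * path (constructed example, not tinygltf's own code). Variables and ~
 * still expand, but any construct that would spawn a shell is refused.
 * Returns 0 and writes the single expanded word to out, or -1 on rejection.
 */
int expand_model_path(const char *path, char *out, size_t outlen) {
    wordexp_t we;
    /* WRDE_NOCMD: `cmd` and $(cmd) fail with WRDE_CMDSUB instead of running.
     * WRDE_UNDEF: a reference to an unset variable fails with WRDE_BADVAL. */
    int rc = wordexp(path, &we, WRDE_NOCMD | WRDE_UNDEF);
    if (rc != 0) {
        if (rc == WRDE_NOSPACE)   /* only this error may leave memory allocated */
            wordfree(&we);
        return -1;
    }
    /* A single path must expand to exactly one word; anything else (unquoted
     * whitespace, a glob matching several files) is ambiguous, so reject it. */
    if (we.we_wordc != 1 || strlen(we.we_wordv[0]) >= outlen) {
        wordfree(&we);
        return -1;
    }
    strcpy(out, we.we_wordv[0]);
    wordfree(&we);
    return 0;
}

/* 1 if the path passes the hardened expansion, 0 if it is rejected. */
int path_accepted(const char *path) {
    char buf[4096];
    return expand_model_path(path, buf, sizeof buf) == 0;
}

int main(void) {
    /* Constructed sample inputs: the last four are rejected, and $HOME
     * is accepted only when the variable is set in the environment. */
    const char *samples[] = {
        "model.bin", "$HOME/model.bin", "a b.bin",
        "`true`.bin", "$(true).bin", "$UNSET_VAR_XYZ/model.bin"
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-26s -> %s\n", samples[i],
               path_accepted(samples[i]) ? "accepted" : "rejected");
    return 0;
}
```

Removing wordexp() entirely and resolving paths relative to a fixed base directory is the stronger option when shell-style expansion is not actually needed.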

Vulnerability details

The tinygltf library uses the C library function wordexp() to perform file path expansion on untrusted paths that are provided from the input file. This function allows for command injection by using backticks. An attacker could craft an untrusted path input that would result in a path expansion. We recommend upgrading to 2.6.0 or past commit 52ff00a38447f06a17eab1caa2cf0730a119c751.

CWE(s)

CWE-78 (OS Command Injection), CWE-77 (Command Injection)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: tinygltf project; product: tinygltf; version: ≤ 2.6.0
Vendor: debian; product: debian linux; version: 11.0

Mitigating Controls

Likely mitigating controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-78: platform-independent apps typically execute inside a managed runtime or sandbox that restricts direct OS command execution, reducing the ability to exploit OS command injection.

Addresses CWE-78: validates inputs to block special elements that would alter OS command execution.
