CVE-2023-44443
Published: 03 May 2024
Summary
CVE-2023-44443 is a high-severity Integer Overflow or Wraparound (CWE-190) vulnerability in GIMP. Its CVSS base score is 7.8 (High).
Operationally, it ranks in the top 1.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2023-44443 is an integer overflow vulnerability in GIMP's handling of PSP files, tracked as ZDI-CAN-22096 and assigned CWE-190. The flaw stems from insufficient validation of user-supplied data during PSP parsing, which can produce an integer overflow prior to a memory write and allow arbitrary code execution. Affected installations are those of GIMP prior to the version containing the fix.
Remote attackers can exploit the issue by supplying a malicious PSP file. Successful exploitation requires user interaction, such as opening the file locally or visiting a page that delivers it, after which code runs in the context of the GIMP process. The vulnerability carries a CVSS 3.0 base score of 7.8 reflecting local access, low attack complexity, no privileges required, and required user interaction, with high impact on confidentiality, integrity, and availability.
The referenced GIMP 2.10.36 release announcement and the corresponding Zero Day Initiative advisory ZDI-23-1593 indicate that the issue is resolved in GIMP version 2.10.36. The current EPSS score of 0.6376 with a peak of 0.6544 does not reflect a material rise from a low baseline.
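The bug class described above (a size calculation on file-supplied values that wraps before a memory write), as an added C example that is not GIMP's code and not the PSP layout. The header fields, the 65536 per-axis limit and the 16 bytes-per-pixel cap are assumptions chosen for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical header fields read from an untrusted file (assumption:
   this is not the PSP layout and not GIMP's own structures). */
struct img_header { uint32_t width, height, bytes_per_pixel; };

/* Unchecked form: the 32-bit product can wrap, so the buffer size may be
   far smaller than the amount of data the parser later writes. */
uint32_t unchecked_size(const struct img_header *h)
{
    return h->width * h->height * h->bytes_per_pixel;
}

/* Checked form: returns 0 and stores the size in *out, or -1 when a field
   is zero, exceeds its limit, or the product would overflow size_t. */
int checked_size(const struct img_header *h, uint32_t max_dim, size_t *out)
{
    if (h->width == 0 || h->height == 0 || h->bytes_per_pixel == 0)
        return -1;
    if (h->width > max_dim || h->height > max_dim || h->bytes_per_pixel > 16)
        return -1;
    size_t row = h->width;
    if (row > SIZE_MAX / h->bytes_per_pixel)
        return -1;
    row *= h->bytes_per_pixel;
    if (row > SIZE_MAX / h->height)
        return -1;
    *out = row * h->height;
    return 0;
}

/* Allocate only after validation; 65536 is an assumed per-axis limit. */
void *alloc_pixels(const struct img_header *h, size_t *size)
{
    return checked_size(h, 65536, size) == 0 ? malloc(*size) : NULL;
}

int main(void)
{
    /* Constructed header: true size is 2^32 + 65536 bytes. */
    struct img_header h = { 0x10001u, 0x10000u, 1 };
    size_t size = 0;
    printf("unchecked: %u bytes\n", (unsigned)unchecked_size(&h));
    printf("checked: %s\n", alloc_pixels(&h, &size) ? "allocated" : "rejected");
    return 0;
}
```

For the constructed header the unchecked product wraps to 65536 bytes, while the checked path rejects the file before any allocation.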
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-48783
Vulnerability details
GIMP PSP File Parsing Integer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of PSP files. The issue results from the lack of proper validation of user-supplied data, which can result in an integer overflow before writing to memory. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-22096.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.