Integer Overflow Vulnerability in Blender Open-Source 3D Creation Suite
CVE-2017-2903

8.8HIGH

Key Information:

Vendor

Blender

Status
Vendor
CVE Published:
24 April 2018

Badges

๐Ÿ‘พ Exploit Exists๐ŸŸก Public PoC

What is CVE-2017-2903?

In the Blender open-source 3D creation suite version 2.78c, an exploitable integer overflow exists within the DPX loading functionality. This vulnerability can be triggered using specially crafted '.cin' files which may lead to a buffer overflow. An attacker can manipulate users into processing these files as assets via the sequencer, potentially resulting in code execution with the application's privileges.

Affected Version(s)

Blender v2.78c

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

References

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • ๐ŸŸก

    Public PoC available

  • ๐Ÿ‘พ

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

.