CVE-2022-20698

Name: CVE-2022-20698
Description: A vulnerability in the OOXML parsing module in Clam AntiVirus (ClamAV) Software version 0.104.1 and LTS version 0.103.4 and prior versions could allow an unauthenticated, remote attacker to cause a denial of service condition on an affected device. The vulnerability is due to improper checks that may result in an invalid pointer read. An attacker could exploit this vulnerability by sending a crafted OOXML file to an affected device. An exploit could allow the attacker to cause the ClamAV scanning process to crash, resulting in a denial of service condition.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severity: medium

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release           | Version                | Status     |
|----------------|-------------------|------------------------|------------|
| clamav (PTS)   | stretch           | 0.102.3+dfsg-0~deb9u1  | vulnerable |
| clamav (PTS)   | stretch (security)| 0.103.4+dfsg-0+deb9u1  | vulnerable |
| clamav (PTS)   | buster            | 0.103.3+dfsg-0+deb10u1 | vulnerable |
| clamav (PTS)   | bullseye          | 0.103.3+dfsg-0+deb11u1 | vulnerable |
| clamav (PTS)   | bookworm, sid     | 0.103.5+dfsg-1         | fixed      |

The information below is based on the following data on fixed versions.

| Package | Type   | Release    | Fixed Version  | Urgency | Origin | Debian Bugs |
|---------|--------|------------|----------------|---------|--------|-------------|
| clamav  | source | (unstable) | 0.103.5+dfsg-1 |         |        |             |

Notes

[bullseye] - clamav <no-dsa> (clamav is updated via -updates)
[buster] - clamav <no-dsa> (clamav is updated via -updates)
[stretch] - clamav <postponed> (Minor issue; clean crash; follow stable updates)
https://blog.clamav.net/2022/01/clamav-01035-and-01042-security-patch.html
https://github.com/Cisco-Talos/clamav/commit/9a6bb57f89721db637f4ddb5b233c1c4e23d223a (0.103.5)
