CVE-2022-21360 A vulnerability was discovered in Oracle Java SE and Oracle GraalVM Enterprise Edition. This affects the ImageIO component.

The vulnerability can also be exploited by using the ImageIO API, for example through a web service that passes attacker-supplied image data to it. It is exploitable by an unauthenticated attacker with network access via multiple protocols; no prior access to the target, and no ability to read or write files on it, is required. Successful exploitation results in a partial denial of service (DoS) of the Java process that decodes the image: CVSS 3.1 base score 5.3, vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L, so confidentiality and integrity are not affected. ImageIO is the javax.imageio package of the JDK, a Java API; it is not a JavaScript API, the attack does not involve a browser-side script, and it has nothing to do with PNGOut (a standalone PNG optimizer). The trigger is crafted image data handed to the decoder. Oracle's advisory does not identify the affected image format, so claims about GIF, JPEG or PNG specifically are unsupported.

Vulnerable code

The affected code is the image-decoding path of the javax.imageio component shipped in Oracle Java SE 7u321, 8u311, 11.0.13 and 17.0.1 and in Oracle GraalVM Enterprise Edition 20.3.4 and 21.3.0. Oracle does not publish the vulnerable source or name the specific decoder; the fix ships in the January 2022 Critical Patch Update releases (Java SE 7u331, 8u321, 11.0.14, 17.0.2; GraalVM Enterprise Edition 20.3.5, 21.3.1). Oracle's note on this class of issue is that it applies to Java deployments, typically clients running sandboxed Java Web Start applications or sandboxed applets, that load and run untrusted code and rely on the Java sandbox for security, and that it can also be reached through APIs in the component, e.g. a web service that supplies data to them. The component does not need to "run in a web browser": any JVM that decodes an attacker-controlled image with ImageIO is a target, and the outcome is a denial of service of that JVM.

Vulnerability Introduction

This is a denial-of-service vulnerability in image decoding. An unauthenticated, remote attacker who can get a crafted image decoded by the ImageIO component, for example by uploading it to a web service that calls javax.imageio on user-supplied data, can cause a partial denial of service of that Java process. Filesystem access to the target is not a precondition, the decode does not have to happen in a browser, and no user or administrator interaction is needed. For defenders the practical points are: any service that decodes untrusted images on an unpatched JDK is exposed; the impact is availability only; and the fix is to update to the January 2022 Critical Patch Update releases or later. Defense in depth for image ingestion, which also limits the blast radius of similar future decoder bugs, is to bound the input size, check the declared dimensions before allocating the decoded raster, and run decoding in a resource-bounded worker.
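
The following is an added example of that defense-in-depth pattern for untrusted image ingestion. It is not Oracle's code, not from this page, and not a reproduction of CVE-2022-21360; it shows how a service calling javax.imageio can bound what a single crafted image is allowed to cost. The class name SafeImageDecoder, the limits MAX_BYTES, MAX_PIXELS and DECODE_TIMEOUT_MS, and the in-memory PNG built in main() are all constructed for the example.

```java
import java.awt.image.BufferedImage;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Iterator;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;
import javax.imageio.ImageIO;
import javax.imageio.ImageReader;
import javax.imageio.stream.ImageInputStream;

/**
 * Defensive wrapper around javax.imageio for attacker-controlled input.
 * Added example; the limits below are assumed values to tune per service.
 */
public final class SafeImageDecoder {
    static final int MAX_BYTES = 5 * 1024 * 1024;   // reject oversized uploads before any decoding
    static final long MAX_PIXELS = 25_000_000L;     // ~5000x5000; caps the heap the decoded raster may take
    static final long DECODE_TIMEOUT_MS = 2_000;    // bound wall-clock time a single decode may consume

    // Fixed-size pool: even if a decoder spins, at most this many requests can pin a worker.
    private static final ExecutorService DECODER_POOL = Executors.newFixedThreadPool(2, r -> {
        Thread t = new Thread(r, "imageio-decoder");
        t.setDaemon(true);
        return t;
    });

    public static BufferedImage decode(byte[] untrusted) throws IOException {
        if (untrusted.length > MAX_BYTES) {
            throw new IOException("image exceeds " + MAX_BYTES + " bytes");
        }
        Future<BufferedImage> job = DECODER_POOL.submit(() -> decodeBounded(untrusted));
        try {
            return job.get(DECODE_TIMEOUT_MS, TimeUnit.MILLISECONDS);
        } catch (TimeoutException e) {
            job.cancel(true); // request interruption; the caller is released regardless
            throw new IOException("image decode timed out", e);
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
            throw new IOException("interrupted while decoding", e);
        } catch (ExecutionException e) {
            Throwable cause = e.getCause();
            throw new IOException("image decode failed: " + cause, cause);
        }
    }

    private static BufferedImage decodeBounded(byte[] data) throws IOException {
        try (ImageInputStream iis = ImageIO.createImageInputStream(new ByteArrayInputStream(data))) {
            if (iis == null) throw new IOException("cannot create image input stream");
            Iterator<ImageReader> readers = ImageIO.getImageReaders(iis);
            if (!readers.hasNext()) throw new IOException("unrecognized image format");
            ImageReader reader = readers.next();
            try {
                reader.setInput(iis, true, true); // seekForwardOnly, ignoreMetadata
                // Header-only queries: no raster is allocated yet. Validate the declared
                // size before read(), which allocates roughly width * height * bytes-per-pixel.
                long w = reader.getWidth(0);
                long h = reader.getHeight(0);
                if (w <= 0 || h <= 0 || w * h > MAX_PIXELS) {
                    throw new IOException("declared dimensions " + w + "x" + h + " exceed pixel budget");
                }
                return reader.read(0);
            } finally {
                reader.dispose();
            }
        }
    }

    // Demo with a constructed in-memory PNG and a non-image blob, so it runs offline.
    public static void main(String[] args) throws IOException {
        BufferedImage tiny = new BufferedImage(16, 16, BufferedImage.TYPE_INT_RGB);
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ImageIO.write(tiny, "png", out);
        BufferedImage ok = decode(out.toByteArray());
        System.out.println("decoded " + ok.getWidth() + "x" + ok.getHeight());

        byte[] garbage = "not an image at all".getBytes(StandardCharsets.US_ASCII);
        try {
            decode(garbage);
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        DECODER_POOL.shutdown();
    }
}
```

Two caveats on the design. The dimension check only protects against images whose declared size would exhaust memory; it does nothing against a parsing bug inside the decoder, which is what a vendor patch fixes. And Future.cancel(true) only stops the worker if the reader polls the interrupt flag, which ImageIO readers generally do not, so the fixed-size pool and the caller-side timeout are what actually limit damage to the rest of the service. Patching the JDK remains the fix; this pattern limits what an unpatched window costs.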

The vulnerability was disclosed by Oracle in its January 2022 Critical Patch Update advisory; Oracle did not publish details of how it was found. ImageIO is the javax.imageio Java API, so analysis of an "ImageIO JavaScript API" cannot have been the route to it; there is no such API.

References

Oracle Critical Patch Update Advisory - January 2022: https://www.oracle.com/security-alerts/cpujan2022.html

NVD entry for CVE-2022-21360: https://nvd.nist.gov/vuln/detail/CVE-2022-21360