CVE-2024-48854

Medium

Published: 14 January 2025

Published

14 January 2025

Modified

21 January 2025

KEV Added

—

Patch

—

CVSS Score 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

EPSS Score 0.0046 64.3th percentile

Risk Priority 11 60% EPSS · 20% KEV · 20% CVSS

Description

Off-by-one error in the TIFF image codec in QNX SDP versions 8.0, 7.1 and 7.0 could allow an unauthenticated attacker to cause an information disclosure in the context of the process using the image codec.

Security Summary

CVE-2024-48854 is an off-by-one error (CWE-193) in the TIFF image codec within QNX SDP versions 8.0, 7.1, and 7.0. Published on 2025-01-14, this vulnerability enables an unauthenticated attacker to cause information disclosure in the context of the process using the image codec. It carries a CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N), indicating medium severity with low confidentiality impact and no impact on integrity or availability.

An unauthenticated attacker can exploit this vulnerability remotely over the network with low attack complexity and no privileges or user interaction required. Exploitation triggers the off-by-one error during TIFF image processing, potentially leaking sensitive data from the memory space of the affected process.

Mitigation details are provided in the BlackBerry advisory at https://support.blackberry.com/pkb/s/article/140334. Security practitioners should consult this reference for patch availability and recommended remediation steps for affected QNX SDP deployments.

Details

CWE(s): CWE-193

Affected Products

blackberry

qnx software development platform

7.0, 7.1, 8.0

References

https://support.blackberry.com/pkb/s/article/140334
Vendor Advisory · secure@blackberry.com