CVE-2023-46045

Graphviz 2.36.0 through 9.x before 10.0.1 has an out-of-bounds read via a crafted config6a file. NOTE: exploitability may be uncommon because this file is typically owned by root.

References

Affected packages

Git / gitlab.com/graphviz/graphviz

Affected ranges

Type

GIT

Repo

https://gitlab.com/graphviz/graphviz

Events

Introduced

Fixed

1c6cb9d3de553bd3e3caeea9a61ebe04034d07ee

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "10.0.1"
        }
    ]
}

Affected versions

2.*

2.38.0

2.40.0

2.40.1

2.42.0

2.42.2

2.42.3

2.42.4

2.44.0

2.44.1

2.46.0

2.46.1

2.47.0

2.47.1

2.47.2

2.47.3

2.48.0

2.49.0

2.49.1

2.49.2

2.49.3

2.50.0

3.*

3.0.0

4.*

4.0.0

5.*

5.0.0

5.0.1

6.*

6.0.1

6.0.2

7.*

7.0.0

7.0.1

7.0.2

7.0.3

7.0.4

7.0.5

7.0.6

7.1.0

8.*

8.0.1

8.0.2

8.0.3

8.0.4

8.0.5

8.1.0

9.*

9.0.0

Other

LAST_LIBGRAPH

TRAVIS_CI_BUILD_EXPERIMENTAL

stable_release_2.*

stable_release_2.42.0

stable_release_2.42.2

stable_release_2.42.3

stable_release_2.42.4

stable_release_2.44.0

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-46045.json"

unresolved_ranges

[
    {
        "events": [
            {
                "introduced": "2.36.0"
            },
            {
                "fixed": "10.0.0"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "2.36.0"
            },
            {
                "last_affected": "9.x"
            }
        ]
    }
]