CVE-2023-39010

9.8 CRITICAL

📋 TL;DR

BoofCV 0.42 contains a code injection vulnerability in the camera calibration file loading component. Attackers can execute arbitrary code by tricking applications into loading malicious calibration files. This affects any application using BoofCV 0.42 for computer vision tasks.

💻 Affected Systems

Products:
  • BoofCV
Versions: 0.42
Operating Systems: All platforms running Java
Default Config Vulnerable: ⚠️ Yes
Notes: Any application using BoofCV's CalibrationIO.load function with untrusted calibration files is vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution with full system compromise, allowing attackers to install malware, steal data, or pivot to other systems.

🟠 Likely Case

Application compromise leading to data theft, denial of service, or lateral movement within the affected environment.

🟢 If Mitigated

Limited impact through network segmentation and strict file validation, potentially resulting in application crash only.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires tricking the application into loading a malicious calibration file, which could be achieved through various attack vectors.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.43 or later

Vendor Advisory: https://github.com/lessthanoptimal/BoofCV/issues/406

Restart Required: Yes

Instructions:

1. Update the BoofCV dependency to version 0.43 or later.
2. Rebuild and redeploy affected applications.
3. Restart all services using BoofCV.

🔧 Temporary Workarounds

Input Validation (all platforms)

Implement strict validation of calibration files before processing:

  • Implement file signature validation
  • Use allowlists for trusted calibration sources
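One way to put the allowlist and signature checks above in front of BoofCV's parser, as an added example that is not part of this advisory or of BoofCV itself. It assumes a Java 17 runtime and that CalibrationIO.load(Reader) is available; the trusted directory and the pinned digests are the deployer's own values.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.security.*;
import java.util.*;
import boofcv.io.calibration.CalibrationIO;

/** Gatekeeper in front of CalibrationIO.load: directory allowlist plus a pinned SHA-256 per file. */
public final class TrustedCalibrationLoader {
    private final Path trustedDir;                  // only files under this directory may be loaded
    private final Map<String, String> pinnedSha256; // file name -> expected hex SHA-256 (deployer-supplied)

    public TrustedCalibrationLoader(Path trustedDir, Map<String, String> pinnedSha256) throws IOException {
        this.trustedDir = trustedDir.toRealPath();  // canonical form, so the containment check below is meaningful
        this.pinnedSha256 = Map.copyOf(pinnedSha256);
    }

    /** Reads the file once and returns its bytes only if it is allowlisted and its digest matches the pin. */
    byte[] readVerified(Path requested) throws IOException {
        Path real = requested.toRealPath();         // resolves symlinks and ".." before checking containment
        if (!real.startsWith(trustedDir)) {         // Path.startsWith compares path components, not string prefixes
            throw new SecurityException("calibration file outside trusted directory: " + requested);
        }
        String expected = pinnedSha256.get(real.getFileName().toString());
        if (expected == null) {
            throw new SecurityException("calibration file not on allowlist: " + real.getFileName());
        }
        byte[] bytes = Files.readAllBytes(real);    // single read: the bytes hashed are the bytes parsed (no TOCTOU)
        String actual = HexFormat.of().formatHex(sha256().digest(bytes));
        if (!expected.equalsIgnoreCase(actual)) {
            throw new SecurityException("calibration file digest mismatch: " + real.getFileName());
        }
        return bytes;
    }

    /** Only after both checks pass are the bytes handed to BoofCV (assumed API: CalibrationIO.load(Reader)). */
    public <T> T load(Path requested) throws IOException {
        byte[] verified = readVerified(requested);
        Reader reader = new InputStreamReader(new ByteArrayInputStream(verified), StandardCharsets.UTF_8);
        return CalibrationIO.load(reader);
    }

    private static MessageDigest sha256() {
        try { return MessageDigest.getInstance("SHA-256"); }
        catch (NoSuchAlgorithmException e) { throw new IllegalStateException("SHA-256 missing from JRE", e); }
    }
}
```

Keep the pinned digest map in configuration that is versioned alongside the calibration files, so an updated file is a deliberate change rather than something the application silently accepts.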

Network Controls (all platforms)

Restrict network access to calibration file sources:

  • Configure firewall rules to limit calibration file downloads
  • Use internal repositories only

🧯 If You Can't Patch

  • Isolate affected systems in segmented network zones
  • Implement strict file integrity monitoring for calibration files

🔍 How to Verify

Check if Vulnerable:

Check if BoofCV version 0.42 is in your dependency files (pom.xml, build.gradle, etc.)

Check Version:

grep -r "boofcv" pom.xml build.gradle || java -cp "*" boofcv.Version

Verify Fix Applied:

Verify BoofCV version is 0.43 or later in dependency files and rebuilt applications

📡 Detection & Monitoring

Log Indicators:

  • Unexpected process execution from BoofCV context
  • Failed calibration file loading attempts
  • Stack traces containing CalibrationIO.load

Network Indicators:

  • Unusual outbound connections from BoofCV processes
  • Downloads of calibration files from untrusted sources

SIEM Query:

process_name:"java" AND cmdline:"boofcv" AND (event_type:"process_execution" OR event_type:"file_access")
