CVE-2018-20622
published 2018-12-31CVE-2018-20622: JasPer 2.0.14 has a memory leak in base/jas_malloc.c in libjasper.a when "--output-format jp2" is used.
PriorityP425medium6.5CVSS 3.1
AVNACLPRNUIRSUCNINAH
EPSS
2.90%
85.2th percentile
JasPer 2.0.14 has a memory leak in base/jas_malloc.c in libjasper.a when "--output-format jp2" is used.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| jasper_project | jasper | — | — |
CVSS provenance
nvdv3.16.5MEDIUMCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
nvdv3.06.5MEDIUMCVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
nvdv2.04.3MEDIUMAV:N/AC:M/Au:N/C:N/I:N/A:P
osv6.5MEDIUM
vendor_oracle6.5MEDIUM
vendor_redhat6.5MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-v9q8-5383-5fmx: JasPer 2
ghsa_unreviewed·2022-05-13
CVE-2018-20622 [MEDIUM] CWE-772 GHSA-v9q8-5383-5fmx: JasPer 2
JasPer 2.0.14 has a memory leak in base/jas_malloc.c in libjasper.a when "--output-format jp2" is used.
OSV
CVE-2018-20622: JasPer 2
osv·2018-12-31·CVSS 6.5
CVE-2018-20622 [MEDIUM] CVE-2018-20622: JasPer 2
JasPer 2.0.14 has a memory leak in base/jas_malloc.c in libjasper.a when "--output-format jp2" is used.
Oracle
Oracle Oracle Fusion Middleware Risk Matrix: Installation (JasPer) — CVE-2018-20622
vendor_oracle·2020-04-15·CVSS 6.5
CVE-2018-20622 [MEDIUM] Oracle Oracle Fusion Middleware Risk Matrix: Installation (JasPer) — CVE-2018-20622
Oracle Oracle Fusion Middleware Risk Matrix: Installation (JasPer) vulnerability
CVE: CVE-2018-20622
CVSS: 6.5
Protocol: HTTP
Remote exploit: Yes
Affected versions: Network
Advisory: cpuapr2020 (APR 2020)
Red Hat
jasper: memory leak in jpc_dec_decodepkt()
vendor_redhat·2018-12-31·CVSS 6.5
CVE-2018-20622 [MEDIUM] CWE-400 jasper: memory leak in jpc_dec_decodepkt()
jasper: memory leak in jpc_dec_decodepkt()
JasPer 2.0.14 has a memory leak in base/jas_malloc.c in libjasper.a when "--output-format jp2" is used.
A vulnerability was found in Jasper due to a memory leak in base/jas_malloc.c in libjasper.a when the --output-format jp2 option is used, an attacker could exploit this flaw by persuading a victim to open a specially crafted file, leading to a memory leak that could result in the exposure of sensitive information.
Statement: This vulnerability was rated as LOW severity because it requires the victim to open a specially crafted file. While it does not allow full system compromise, it may lead to the leakage of sensitive information through memory consumption.
Package: netpbm (Red Hat Enterprise Linux 5) - Out of support scope
Package: jasper
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2018-20622 jasper: memory leak in base/jas_malloc.c in libjasper.a [fedora-all]
bugzilla·2019-01-09·CVSS 6.5
CVE-2018-20622 [MEDIUM] CVE-2018-20622 jasper: memory leak in base/jas_malloc.c in libjasper.a [fedora-all]
CVE-2018-20622 jasper: memory leak in base/jas_malloc.c in libjasper.a [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported ve
Bugzilla
CVE-2018-20622 mingw-jasper: jasper: memory leak in base/jas_malloc.c in libjasper.a [epel-7]
bugzilla·2019-01-09·CVSS 6.5
CVE-2018-20622 [MEDIUM] CVE-2018-20622 mingw-jasper: jasper: memory leak in base/jas_malloc.c in libjasper.a [epel-7]
CVE-2018-20622 mingw-jasper: jasper: memory leak in base/jas_malloc.c in libjasper.a [epel-7]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of epel-7.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
Discussion:
Use the following template
Bugzilla
CVE-2018-20622 jasper: memory leak in jpc_dec_decodepkt()
bugzilla·2019-01-09·CVSS 7.5
CVE-2018-20622 [HIGH] CVE-2018-20622 jasper: memory leak in jpc_dec_decodepkt()
CVE-2018-20622 jasper: memory leak in jpc_dec_decodepkt()
A flaw was found in JasPer 2.0.14. A memory leak in base/jas_malloc.c in libjasper.a when "--output-format jp2" is used.
References:
https://github.com/mdadams/jasper/issues/193
Discussion:
Created jasper tracking bugs for this issue:
Affects: fedora-all [bug 1664873]
Created mingw-jasper tracking bugs for this issue:
Affects: epel-7 [bug 1664875]
Affects: fedora-all [bug 1664874]
---
The main problem demonstrated by the reproducer in the upstream bug report is a duplicate of CVE-2017-13748 (see bug 1488961). Besides the tile data memory leak, the reproducer also triggers a minor memory leak in jpc_dec_decodepkt(), which calls jpc_bitstream_sopen(), which does memory allocation, but does not do matching jpc_bitstream_clos
Bugzilla
CVE-2018-20622 mingw-jasper: jasper: memory leak in base/jas_malloc.c in libjasper.a [fedora-all]
bugzilla·2019-01-09·CVSS 6.5
CVE-2018-20622 [MEDIUM] CVE-2018-20622 mingw-jasper: jasper: memory leak in base/jas_malloc.c in libjasper.a [fedora-all]
CVE-2018-20622 mingw-jasper: jasper: memory leak in base/jas_malloc.c in libjasper.a [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multipl
http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00082.htmlhttp://lists.opensuse.org/opensuse-security-announce/2020-09/msg00085.htmlhttp://www.securityfocus.com/bid/106373https://github.com/mdadams/jasper/issues/193https://lists.debian.org/debian-lts-announce/2019/01/msg00003.htmlhttps://www.oracle.com/security-alerts/cpuapr2020.htmlhttp://lists.opensuse.org/opensuse-security-announce/2020-09/msg00082.htmlhttp://lists.opensuse.org/opensuse-security-announce/2020-09/msg00085.htmlhttp://www.securityfocus.com/bid/106373https://github.com/mdadams/jasper/issues/193https://lists.debian.org/debian-lts-announce/2019/01/msg00003.htmlhttps://www.oracle.com/security-alerts/cpuapr2020.html
2018-12-31
Published