CVE-2020-15389
Severity: 6.5 MEDIUM
EPSS: 0.3% (top 42.99%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline: Published Jun 29; Latest update Mar 15
Description
jp2/opj_decompress.c in OpenJPEG through 2.3.1 has a use-after-free that can be triggered if there is a mix of valid and invalid files in a directory operated on by the decompressor. Triggering a double-free may also be possible. This is related to calling opj_image_destroy twice.
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:H (Exploitability: 2.2 | Impact: 4.2)
Affected Packages (4 packages)
Also affects: Debian Linux 10.0, 9.0
Patches
Vulnerability Details
Vendor Advisories
Oracle
Red Hat: openjpeg: use-after-free and double-free via a mix of valid and invalid files in a directory operated on by the decompressor (2020-06-28)
Community
Bugzilla: CVE-2020-15389 openjpeg: use-after-free and double-free via a mix of valid and invalid files in a directory operated on by the decompressor [fedora-all] (2020-07-01)
Bugzilla: CVE-2020-15389 openjpeg: use-after-free and double-free via a mix of valid and invalid files in a directory operated on by the decompressor (2020-07-01)
Bugzilla: CVE-2020-15389 openjpeg2: openjpeg: use-after-free and double-free via a mix of valid and invalid files in a directory operated on by the decompressor [epel-all] (2020-07-01)