CVE-2020-20412 — Improper Validation of Array Index in Libvorbis

CWE-129 — Improper Validation of Array Index3 documents3 sources

Severity

6.5MEDIUMNVD

CNA8.8

EPSS

0.4%

top 37.20%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Xiph.org Libvorbis Stepmania

Timeline

PublishedDec 26

Latest updateMay 24

Description

lib/codebook.c in libvorbis before 1.3.6, as used in StepMania 5.0.12 and other products, has insufficient array bounds checking via a crafted OGG file. NOTE: this may overlap CVE-2018-5146.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:HExploitability: 2.8 | Impact: 3.6

Affected Packages2 packages

▶NVDxiph.org/libvorbis1.3.2 — 1.3.6

▶NVDstepmania/stepmania5.0.12

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-99w4-659f-342w: lib/codebook↗2022-05-24

▶

CVEList

CVE-2020-20412: lib/codebook↗2020-12-26

▶