Severity: 5.3 MEDIUM (NVD); 7.5 (OSV)
EPSS: 0.2% (top 57.90%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Nov 20; Latest update Oct 18

Description

im_vips2dz in /libvips/libvips/deprecated/im_vips2dz.c in libvips before 8.8.2 has an uninitialized variable which may cause the leakage of remote server path or stack address.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N (Exploitability: 3.9 | Impact: 1.4)

Affected Packages (2 packages)

NVD: libvips/libvips < 8.8.2
Debian: debian/vips < vips 8.9.0-1 (bookworm)

Also affects: Debian Linux 9.0, Fedora 32

Patches

🔴 Vulnerability Details (3)

OSV: vips vulnerabilities (2023-10-18)
GHSA: GHSA-62hp-w5vm-g7xm: im_vips2dz in /libvips/libvips/deprecated/im_vips2dz (2022-05-24)
OSV: CVE-2020-20739: im_vips2dz in /libvips/libvips/deprecated/im_vips2dz (2020-11-20)

📋 Vendor Advisories (2)

Ubuntu: VIPS vulnerabilities (2023-10-18)
Debian: CVE-2020-20739: vips - im_vips2dz in /libvips/libvips/deprecated/im_vips2dz.c in libvips before 8.8.2 h... (2020)

📐 Framework References (2)

CWE: Missing Initialization of a Variable
CWE: Missing Initialization of Resource
CVE-2020-20739 — Missing Initialization of Resource | cvebase