CVE-2020-27828
published 2020-12-11CVE-2020-27828: There's a flaw in jasper's jpc encoder in versions prior to 2.0.23. Crafted input provided to jasper by an attacker could cause an arbitrary out-of-bounds…
PriorityP340high7.8CVSS 3.1
AVLACLPRNUIRSUCHIHAH
EPSS
1.37%
68.5th percentile
There's a flaw in jasper's jpc encoder in versions prior to 2.0.23. Crafted input provided to jasper by an attacker could cause an arbitrary out-of-bounds write. This could potentially affect data confidentiality, integrity, or application availability.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| jasper_project | jasper | < 2.0.23 | 2.0.23 |
| jasper_project | jasper | — | — |
| jasper_project | jasper | >= 0 < 1.900.1-debian1-2.4ubuntu1.3 | 1.900.1-debian1-2.4ubuntu1.3 |
CVSS provenance
nvdv3.17.8HIGHCVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvdv2.06.8MEDIUMAV:N/AC:M/Au:N/C:P/I:P/A:P
osv7.8HIGH
vendor_redhat7.8HIGH
vendor_ubuntu5.5MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-x4rf-6444-7fh8: There's a flaw in jasper's jpc encoder in versions prior to 2
ghsa_unreviewed·2022-05-24
CVE-2020-27828 [HIGH] CWE-20 GHSA-x4rf-6444-7fh8: There's a flaw in jasper's jpc encoder in versions prior to 2
There's a flaw in jasper's jpc encoder in versions prior to 2.0.23. Crafted input provided to jasper by an attacker could cause an arbitrary out-of-bounds write. This could potentially affect data confidentiality, integrity, or application availability.
OSV
jasper vulnerabilities
osv·2021-01-11·CVSS 5.5
CVE-2018-18873 [MEDIUM] jasper vulnerabilities
jasper vulnerabilities
It was discovered that Jasper incorrectly certain files.
An attacker could possibly use this issue to cause a crash.
(CVE-2018-18873)
It was discovered that Jasper incorrectly handled certain files.
An attacker could possibly use this issue to cause a denial of service.
(CVE-2018-19542)
It was discovered that Jasper incorrectly handled certain JPC encoders.
An attacker could possibly use this issue to execute arbitrary code.
(CVE-2020-27828)
It was discovered that Jasper incorrectly handled certain images.
An attacker could possibly use this issue to expose sensitive information
or cause a crash.
(CVE-2017-9782)
OSV
CVE-2020-27828: There's a flaw in jasper's jpc encoder in versions prior to 2
osv·2020-12-11·CVSS 7.8
CVE-2020-27828 [HIGH] CVE-2020-27828: There's a flaw in jasper's jpc encoder in versions prior to 2
There's a flaw in jasper's jpc encoder in versions prior to 2.0.23. Crafted input provided to jasper by an attacker could cause an arbitrary out-of-bounds write. This could potentially affect data confidentiality, integrity, or application availability.
Ubuntu
JasPer vulnerabilities
vendor_ubuntu·2021-01-11·CVSS 5.5
CVE-2017-9782 [MEDIUM] JasPer vulnerabilities
Title: JasPer vulnerabilities
Summary: Several security issues were fixed in JasPer.
It was discovered that Jasper incorrectly certain files.
An attacker could possibly use this issue to cause a crash.
(CVE-2018-18873)
It was discovered that Jasper incorrectly handled certain files.
An attacker could possibly use this issue to cause a denial of service.
(CVE-2018-19542)
It was discovered that Jasper incorrectly handled certain JPC encoders.
An attacker could possibly use this issue to execute arbitrary code.
(CVE-2020-27828)
It was discovered that Jasper incorrectly handled certain images.
An attacker could possibly use this issue to expose sensitive information
or cause a crash.
(CVE-2017-9782)
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
jasper: Heap-based buffer overflow in cp_create() in jpc_enc.c
vendor_redhat·2020-11-30·CVSS 7.8
CVE-2020-27828 [HIGH] CWE-20 jasper: Heap-based buffer overflow in cp_create() in jpc_enc.c
jasper: Heap-based buffer overflow in cp_create() in jpc_enc.c
There's a flaw in jasper's jpc encoder in versions prior to 2.0.23. Crafted input provided to jasper by an attacker could cause an arbitrary out-of-bounds write. This could potentially affect data confidentiality, integrity, or application availability.
A flaw was found in the Jasper tool’s jpc encoder. This flaw allows an attacker to craft input provided to Jasper, causing an arbitrary out-of-bounds write. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
Mitigation: This flaw can be mitigated for the Jasper tool by not accepting untrusted inputs to be processed by Jasper or constraining rlevels on those inputs from outside of Jasper.
Package: netpbm (Red Hat Enter
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://bugzilla.redhat.com/show_bug.cgi?id=1905201https://github.com/jasper-software/jasper/issues/252https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/COBEVDBUO3QTNR6YQBBTIQKNIB6W3MJ2/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EBZZ2SNTQ4BSA6PNJCTOAKXIAXYNNF6V/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N4ALB4SXHURLVWKAOKYRNJXPABW3M22M/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UPOVZTSIQPW2H4AFLMI3LHJEZGBVEQET/https://bugzilla.redhat.com/show_bug.cgi?id=1905201https://github.com/jasper-software/jasper/issues/252https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/COBEVDBUO3QTNR6YQBBTIQKNIB6W3MJ2/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EBZZ2SNTQ4BSA6PNJCTOAKXIAXYNNF6V/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N4ALB4SXHURLVWKAOKYRNJXPABW3M22M/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UPOVZTSIQPW2H4AFLMI3LHJEZGBVEQET/
2020-12-11
Published