CVE-2020-27844 — Improper Input Validation in Openjpeg

CWE-20 — Improper Input Validation CWE-122 — Heap-based Buffer Overflow CWE-787 — Out-of-bounds Write10 documents10 sources

Severity

7.8HIGHNVD

EPSS

0.8%

top 26.31%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Uclouvain Openjpeg Debian Linux Oracle Outside IN Technology +1 more

Timeline

PublishedJan 5

Latest updateFeb 12

Description

A flaw was found in openjpeg's src/lib/openjp2/t2.c in versions prior to 2.4.0. This flaw allows an attacker to provide crafted input to openjpeg during conversion and encoding, causing an out-of-bounds write. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages5 packages

▶NVDuclouvain/openjpeg< 2.4.0

▶Alpineuclouvain/openjpeg< 2.4.0-r0+13

▶CVEListV5uclouvain/openjpegopenjpeg 2.4.0

▶Palo Altopaloalto/pan-os

▶NVDoracle/outside_in_technology8.5.5

Also affects: Debian Linux 9.0

Patches

Patch: bugzilla.redhat.com ↗Patch: www.oracle.com ↗Patch: www.oracle.com ↗

🔴Vulnerability Details

GHSA

GHSA-p652-vj2w-8mcw: A flaw was found in openjpeg's src/lib/openjp2/t2↗2022-05-24

▶

OSV

CVE-2020-27844: A flaw was found in openjpeg's src/lib/openjp2/t2↗2021-01-05

▶

CVEList

CVE-2020-27844: A flaw was found in openjpeg's src/lib/openjp2/t2↗2021-01-05

▶

📋Vendor Advisories

Palo Alto

PAN-SA-2025-0006 Informational Bulletin: Impact of OSS CVEs in PAN-OS↗2025-02-12

▶

Oracle

Oracle Oracle Supply Chain Risk Matrix: Security (OpenJPEG) — CVE-2020-27844↗2023-01-15

▶

Microsoft

Chromium CVE-2020-27844: Heap buffer overflow in OpenJPEG↗2021-03-09

▶

Chrome

Stable Channel Update for Desktop: CVE-2021-21180↗2021-03-02

▶

Red Hat

openjpeg: heap-based buffer overflow in opj_t2_encode_packet function in openjp2/t2.c↗2020-12-02

▶