Vulnerability CVE-2019-20421

Vulnerability Name:

CVE-2019-20421 (CCN-175538)

Assigned:

2019-09-30

Published:

2019-09-30

Updated:

2021-09-14

Summary:

In Jp2Image::readMetadata() in jp2image.cpp in Exiv2 0.27.2, an input file can result in an infinite loop and hang, with high CPU consumption. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted file.

CVSS v3 Severity:

7.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.5 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): High

3.3 Low (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)
2.9 Low (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Local Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): Required
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): Low

7.5 High (REDHAT CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.5 Medium (REDHAT Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): High

CVSS v2 Severity:

7.8 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Authentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): Complete

1.7 Low (CCN CVSS v2 Vector: AV:L/AC:L/Au:S/C:N/I:N/A:P)

Exploitability Metrics:	Access Vector (AV): Local Access Complexity (AC): Low Athentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): Partial

Vulnerability Type:

CWE-835
CWE-400

Vulnerability Consequences:

Denial of Service

References:

Source: MITRE
Type: CNA
CVE-2019-20421

Source: XF
Type: UNKNOWN
exiv2-cve201920421-dos(175538)

Source: MISC
Type: Patch, Third Party Advisory
https://github.com/Exiv2/exiv2/commit/a82098f4f90cd86297131b5663c3dec6a34470e8

Source: CCN
Type: exiv2 GIT Repository
An infinite loop and hang in Exiv2::Jp2Image::readMetadata() #1011

Source: MISC
Type: Exploit, Patch, Third Party Advisory
https://github.com/Exiv2/exiv2/issues/1011

Source: MLIST
Type: Mailing List, Third Party Advisory
[debian-lts-announce] 20210830 [SECURITY] [DLA 2750-1] exiv2 security update

Source: UBUNTU
Type: Third Party Advisory
USN-4270-1

Source: DEBIAN
Type: Third Party Advisory
DSA-4958

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2019-20421

Vulnerable Configuration:

Configuration 1:

cpe:/a:exiv2:exiv2:0.27.2:*:*:*:*:*:*:*

Configuration 2:

cpe:/o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*

OR cpe:/o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*

OR cpe:/o:canonical:ubuntu_linux:19.10:*:*:*:*:*:*:*

Configuration 3:

cpe:/o:debian:debian_linux:9.0:*:*:*:*:*:*:*

OR cpe:/o:debian:debian_linux:10.0:*:*:*:*:*:*:*

Configuration RedHat 1:

cpe:/a:redhat:enterprise_linux:8:*:*:*:*:*:*:*

Configuration RedHat 2:

cpe:/a:redhat:enterprise_linux:8::appstream:*:*:*:*:*

Configuration RedHat 3:

cpe:/a:redhat:enterprise_linux:8::crb:*:*:*:*:*

Configuration CCN 1:

cpe:/a:exiv2:exiv2:0.27.2:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.opensuse.security:def:201920421	V	CVE-2019-20421	2022-09-02
oval:org.opensuse.security:def:45595	P	Security update for MozillaFirefox (Important) (in QA)	2022-01-17
oval:org.opensuse.security:def:24050	P	Security update for libsndfile (Important)	2022-01-05
oval:org.opensuse.security:def:24001	P	Security update for xen (Moderate)	2021-12-01
oval:org.opensuse.security:def:45596	P	Security update for MozillaFirefox, rust-cbindgen (Important)	2021-10-18
oval:org.opensuse.security:def:61649	P	rsyslog-8.33.1-3.9.1 on GA media (Moderate)	2021-09-21
oval:org.opensuse.security:def:45905	P	Security update for libcroco (Moderate)	2021-09-16
oval:org.opensuse.security:def:23966	P	Security update for openssl-1_0_0 (Low)	2021-09-09
oval:org.opensuse.security:def:23666	P	Security update for xen (Important)	2021-09-06
oval:org.opensuse.security:def:45190	P	Security update for php53 (Important)	2021-09-03
oval:org.opensuse.security:def:47017	P	libexif12-0.6.21-6.3 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:46983	P	libHX28-3.18-1.18 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47140	P	python-requests-2.8.1-6.11.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:46966	P	hardlink-1.0-6.38 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:46899	P	bash-4.3-78.39 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47435	P	libxml2-2-2.9.4-45.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47109	P	opensc-0.13.0-1.107 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47384	P	libnm-glib-vpn1-1.0.12-12.4 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47045	P	liblua5_2-32bit-5.2.2-4.2 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47903	P	tcpdump-4.9.2-14.5.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47849	P	perl-Config-IniFiles-2.82-3.12 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47211	P	autofs-5.0.9-27.2 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:63513	P	python2-keystoneclient-3.17.0-4.3.1 on GA media (Moderate)	2021-08-10
oval:org.opensuse.security:def:62169	P	libldap-2_4-2-2.4.46-9.51.1 on GA media (Moderate)	2021-08-09
oval:org.opensuse.security:def:62838	P	yaml-cpp-devel-0.6.1-4.2.1 on GA media (Moderate)	2021-08-09
oval:org.opensuse.security:def:62828	P	rtkit-0.11+git.20130926-1.34 on GA media (Moderate)	2021-08-09
oval:org.opensuse.security:def:62168	P	liblcms2-2-2.9-3.3.1 on GA media (Moderate)	2021-08-09
oval:org.opensuse.security:def:62183	P	libnewt0_52-0.52.20-5.35 on GA media (Moderate)	2021-08-09
oval:org.opensuse.security:def:62365	P	zsh-5.6-5.17 on GA media (Moderate)	2021-08-09
oval:org.opensuse.security:def:62734	P	bluez-devel-5.55-1.57 on GA media (Moderate)	2021-08-09
oval:org.opensuse.security:def:63000	P	cross-nvptx-gcc7-7.5.0+r278197-4.25.1 on GA media (Moderate)	2021-08-09
oval:org.opensuse.security:def:62192	P	libpainter0-0.9.13.1-4.9.1 on GA media (Moderate)	2021-08-09
oval:org.opensuse.security:def:46454	P	libXRes1-1.0.7-3.53 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:46652	P	evince-3.10.3-1.213 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:46593	P	wireshark-1.10.9-1.11 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:62866	P	openldap2-devel-32bit-2.4.46-7.10 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:61183	P	gzip-1.9-2.21 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:46685	P	java-1_7_1-ibm-1.7.1_sr3.10-14.1 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:61376	P	update-alternatives-1.19.0.4-2.48 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:46538	P	ntp-4.2.6p5-24.2 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:46746	P	libmms0-0.6.2-15.8 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:61207	P	libXfixes-devel-5.0.3-1.24 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:46534	P	mailman-2.1.17-1.18 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:46447	P	kernel-default-3.12.28-4.3 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:46681	P	ipsec-tools-0.8.0-11.2 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:61184	P	hardlink-1.0+git.e66999f-1.25 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:23910	P	Security update for libwebp (Critical)	2021-06-02
oval:org.opensuse.security:def:23901	P	Security update for graphviz (Critical)	2021-05-19
oval:org.opensuse.security:def:46315	P	Security update for xen (Important)	2021-04-19
oval:org.opensuse.security:def:23548	P	Security update for xorg-x11-server (Important)	2021-04-14
oval:org.opensuse.security:def:23739	P	Security update for python (Important)	2021-02-11
oval:org.opensuse.security:def:23492	P	Security update for openssl (Important)	2020-12-11
oval:org.opensuse.security:def:23483	P	Security update for mutt (Important)	2020-12-07
oval:org.opensuse.security:def:63190	P	xen-4.10.1_04-1.4 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:62917	P	perl-DNS-LDNS-1.7.0-2.22 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:61843	P	libmp3lame0-3.100-1.33 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:62972	P	perl-Archive-Extract-0.80-1.24 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:62967	P	ncurses-devel-32bit-6.1-5.6.2 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:62632	P	gdk-pixbuf-query-loaders-32bit-2.40.0-1.25 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:62502	P	NetworkManager-1.10.6-5.3.1 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:62640	P	gstreamer-plugins-base-devel-1.16.2-2.12 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:63645	P	xorg-x11-server-wayland-1.20.3-20.11 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:61973	P	rsync-3.1.3-4.3.1 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:24575	P	Security update for libxml2 (Low)	2020-12-01
oval:org.opensuse.security:def:24559	P	Security update for libssh2_org (Moderate)	2020-12-01
oval:org.opensuse.security:def:45178	P	Security update for dnsmasq (Important)	2020-12-01
oval:org.opensuse.security:def:18186	P	Security update for libxml2 (Moderate)	2020-12-01
oval:org.opensuse.security:def:23858	P	Security update for python-PyYAML (Important)	2020-12-01
oval:org.opensuse.security:def:63749	P	Security update for bzip2 (Important)	2020-12-01
oval:org.opensuse.security:def:19416	P	Security update for sudo (Important)	2020-12-01
oval:org.opensuse.security:def:45695	P	Security update for the Linux Kernel (Live Patch 25 for SLE 12 SP3) (Important)	2020-12-01
oval:org.opensuse.security:def:25062	P	Security update for the Linux Kernel (Important)	2020-12-01
oval:org.opensuse.security:def:45608	P	Security update for the Linux Kernel (Live Patch 20 for SLE 12 SP3) (Important)	2020-12-01
oval:org.opensuse.security:def:18452	P	Security update for MozillaFirefox, mozilla-nss (Important)	2020-12-01
oval:org.opensuse.security:def:64027	P	Security update for exiv2 (Moderate)	2020-12-01
oval:org.opensuse.security:def:18467	P	Security update for poppler (Moderate)	2020-12-01
oval:org.opensuse.security:def:24419	P	Security update for freeradius-server (Important)	2020-12-01
oval:org.opensuse.security:def:18521	P	Security update for rubygem-yard (Important)	2020-12-01
oval:org.opensuse.security:def:24849	P	Security update for exiv2 (Moderate)	2020-12-01
oval:org.opensuse.security:def:45989	P	Security update for MozillaFirefox (Important)	2020-12-01
oval:org.opensuse.security:def:24494	P	Security update for mariadb (Important)	2020-12-01
oval:org.opensuse.security:def:46247	P	Security update for freeradius-server (Moderate)	2020-12-01
oval:org.opensuse.security:def:24547	P	Security update for sysstat (Moderate)	2020-12-01
oval:org.opensuse.security:def:18059	P	Security update for xen (Important)	2020-12-01
oval:org.opensuse.security:def:46123	P	Security update for postgresql, postgresql96, postgresql10 and postgresql12 (Moderate)	2020-12-01
oval:org.opensuse.security:def:18101	P	Security update for the Linux Kernel (Important)	2020-12-01
oval:org.opensuse.security:def:23788	P	Security update for postgresql10 (Important)	2020-12-01
oval:org.opensuse.security:def:24917	P	Security update for jakarta-commons-fileupload (Important)	2020-12-01
oval:org.opensuse.security:def:18778	P	Security update for xen (Important)	2020-12-01
oval:org.opensuse.security:def:45611	P	Security update for the Linux Kernel (Live Patch 23 for SLE 12 SP3) (Important)	2020-12-01
oval:org.opensuse.security:def:25018	P	Security update for java-1_8_0-ibm (Important)	2020-12-01
oval:org.opensuse.security:def:18420	P	Security update for java-1_8_0-ibm (Important)	2020-12-01
oval:org.opensuse.security:def:63942	P	Security update for krb5-appl (Important)	2020-12-01
oval:org.opensuse.security:def:24295	P	Security update for util-linux (Moderate)	2020-12-01
oval:org.opensuse.security:def:18409	P	Security update for libsoup (Important)	2020-12-01
oval:org.opensuse.security:def:24276	P	Security update for libxslt (Moderate)	2020-12-01
oval:org.opensuse.security:def:18509	P	Security update for bluez (Moderate)	2020-12-01
oval:org.opensuse.security:def:24817	P	Security update for openssl (Moderate)	2020-12-01
oval:org.opensuse.security:def:24368	P	Security update for audiofile (Moderate)	2020-12-01
oval:org.opensuse.security:def:46113	P	Security update for sane-backends (Important)	2020-12-01
oval:org.opensuse.security:def:46328	P	Security update for LibVNCServer (Important)	2020-12-01
oval:org.opensuse.security:def:46003	P	Security update for java-1_7_0-openjdk (Important)	2020-12-01
oval:org.opensuse.security:def:18684	P	Security update for zziplib (Moderate)	2020-12-01
oval:org.opensuse.security:def:18067	P	Security update for libgme (Important)	2020-12-01
oval:org.opensuse.security:def:24864	P	Security update for wireshark (Important)	2020-12-01
oval:org.opensuse.security:def:18754	P	Security update for bash (Moderate)	2020-12-01
oval:org.opensuse.security:def:25267	P	Security update for exiv2 (Moderate)	2020-12-01
oval:org.opensuse.security:def:45487	P	Security update for wireshark (Moderate)	2020-12-01
oval:org.opensuse.security:def:25004	P	Security update for openjpeg2 (Moderate)	2020-12-01
oval:org.opensuse.security:def:18280	P	Security update for libtirpc (Important)	2020-12-01
oval:org.opensuse.security:def:18310	P	Security update for gd (Moderate)	2020-12-01
oval:org.opensuse.security:def:63992	P	Security update for sudo (Important)	2020-12-01
oval:org.opensuse.security:def:18323	P	Recommended update for apache2 (Moderate)	2020-12-01
oval:org.opensuse.security:def:24206	P	Security update for sane-backends (Important)	2020-12-01
oval:org.opensuse.security:def:46116	P	Security update for java-1_8_0-openjdk (Important)	2020-12-01
oval:org.opensuse.security:def:24179	P	Security update for the Linux Kernel (Live Patch 31 for SLE 12 SP3) (Important)	2020-12-01
oval:org.opensuse.security:def:24305	P	Security update for the Linux Kernel (Important)	2020-12-01
oval:org.opensuse.security:def:46029	P	Security update for tomcat (Important)	2020-12-01
oval:org.opensuse.security:def:46263	P	Security update for git (Moderate)	2020-12-01
oval:org.opensuse.security:def:45990	P	Security update for samba (Important)	2020-12-01
oval:org.opensuse.security:def:18651	P	Security update for ghostscript (Moderate)	2020-12-01
oval:org.opensuse.security:def:19207	P	Security update for exiv2 (Moderate)	2020-12-01
oval:org.opensuse.security:def:45177	P	Security update for libvirt (Moderate)	2020-12-01
oval:org.opensuse.security:def:24714	P	Security update for libX11 (Important)	2020-12-01
oval:org.opensuse.security:def:18742	P	Security update for curl (Moderate)	2020-12-01
oval:org.opensuse.security:def:25235	P	Security update for java-1_7_1-ibm (Important)	2020-12-01
oval:org.opensuse.security:def:45303	P	Security update for procps (Moderate)	2020-12-01
oval:org.opensuse.security:def:18274	P	Security update for Botan (Moderate)	2020-12-01
oval:org.opensuse.security:def:63887	P	Security update for the Linux Kernel (Important)	2020-12-01
oval:org.opensuse.security:def:18288	P	Security update for samba (Important)	2020-12-01
oval:org.opensuse.security:def:24157	P	Security update for libX11 (Important)	2020-12-01
oval:org.opensuse.security:def:46036	P	Security update for ruby2.1 (Important)	2020-12-01
oval:org.opensuse.security:def:24141	P	Security update for xen (Important)	2020-12-01
oval:org.opensuse.security:def:25735	P	Security update for exiv2 (Moderate)	2020-12-01
oval:org.opensuse.security:def:46234	P	Security update for mailman (Important)	2020-12-01
oval:org.opensuse.security:def:18539	P	Security update for polkit (Moderate)	2020-12-01
oval:org.opensuse.security:def:19181	P	Security update for ImageMagick (Moderate)	2020-12-01
oval:org.opensuse.security:def:24631	P	Security update for kernel-source (Important)	2020-12-01
oval:org.opensuse.security:def:24597	P	Security update for webkit2gtk3 (Important)	2020-12-01
oval:org.opensuse.security:def:18243	P	Security update for java-1_8_0-ibm (Moderate)	2020-12-01
oval:org.opensuse.security:def:63847	P	Security update for strongswan (Important)	2020-12-01
oval:org.opensuse.security:def:19442	P	Security update for exiv2 (Moderate)	2020-12-01
oval:org.opensuse.security:def:24084	P	Security update for ceph (Important)	2020-12-01
oval:org.opensuse.security:def:45829	P	Security update for libX11 (Important)	2020-12-01
oval:org.opensuse.security:def:24129	P	Security update for the Linux Kernel (Live Patch 27 for SLE 12 SP3) (Important)	2020-12-01
oval:org.opensuse.security:def:25700	P	Security update for java-1_7_1-ibm (Important)	2020-12-01
oval:org.opensuse.security:def:45721	P	Security update for openwsman (Important)	2020-12-01
oval:org.opensuse.security:def:46175	P	Security update for java-1_8_0-openjdk (Important)	2020-12-01
oval:org.opensuse.security:def:18501	P	Security update for git (Important)	2020-12-01
oval:org.opensuse.security:def:24468	P	Security update for glib2 (Important)	2020-12-01
oval:org.opensuse.security:def:18543	P	Security update for curl (Moderate)	2020-12-01
oval:com.redhat.rhsa:def:20201577	P	RHSA-2020:1577: exiv2 security, bug fix, and enhancement update (Moderate)	2020-04-28
oval:org.opensuse.security:def:126581	P	Security update for exiv2 (Moderate)	2020-04-03
oval:org.opensuse.security:def:87344	P	Security update for exiv2 (Moderate)	2020-04-03
oval:org.opensuse.security:def:89005	P	Security update for exiv2 (Moderate)	2020-04-03
oval:org.opensuse.security:def:126164	P	Security update for exiv2 (Moderate)	2020-04-03
oval:com.ubuntu.bionic:def:2019204210000000	V	CVE-2019-20421 on Ubuntu 18.04 LTS (bionic) - medium.	2020-01-27
oval:com.ubuntu.xenial:def:2019204210000000	V	CVE-2019-20421 on Ubuntu 16.04 LTS (xenial) - medium.	2020-01-27

BACK