Vulnerability CVE-2020-27828

Vulnerability Name:

CVE-2020-27828 (CCN-193630)

Assigned:

2020-11-30

Published:

2020-11-30

Updated:

2022-08-06

Summary:

There's a flaw in jasper's jpc encoder in versions prior to 2.0.23. Crafted input provided to jasper by an attacker could cause an arbitrary out-of-bounds write. This could potentially affect data confidentiality, integrity, or application availability.

CVSS v3 Severity:

7.8 High (CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
6.8 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Local Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): Required
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): High Integrity (I): High Availibility (A): High

7.8 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
6.8 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Local Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): Required
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): High Integrity (I): High Availibility (A): High

7.8 High (REDHAT CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
6.8 Medium (REDHAT Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Local Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): Required
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): High Integrity (I): High Availibility (A): High

CVSS v2 Severity:

6.8 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Authentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Partial Availibility (A): Partial

6.8 Medium (CCN CVSS v2 Vector: AV:L/AC:L/Au:S/C:C/I:C/A:C)

Exploitability Metrics:	Access Vector (AV): Local Access Complexity (AC): Low Athentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): Complete Integrity (I): Complete Availibility (A): Complete

Vulnerability Type:

CWE-20
CWE-787
CWE-122
CWE-787

Vulnerability Consequences:

Gain Access

References:

Source: MITRE
Type: CNA
CVE-2020-27828

Source: CCN
Type: Red Hat Bugzilla Bug 1905201
(CVE-2020-27828) - CVE-2020-27828 jasper: heap-based buffer overflow in cp_create() in jpc_enc.c

Source: MISC
Type: Issue Tracking, Patch, Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=1905201

Source: XF
Type: UNKNOWN
jasper-cve202027828-bo(193630)

Source: CCN
Type: jasper GIT Repository
Avoid maxrlvls more than upper bound to cause heap-buffer-overflow

Source: MISC
Type: Exploit, Third Party Advisory
https://github.com/jasper-software/jasper/issues/252

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2020-c549cf2462

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2020-596e40f29c

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2021-0a6290f865

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2021-2b151590d9

Source: CCN
Type: IBM Security Bulletin 6551876 (Cloud Pak for Security)
Cloud Pak for Security uses packages that are vulnerable to multiple CVEs

Vulnerable Configuration:

Configuration 1:

cpe:/a:jasper_project:jasper:*:*:*:*:*:*:*:* (Version < 2.0.23)

Configuration 2:

cpe:/o:fedoraproject:fedora:32:*:*:*:*:*:*:*

OR cpe:/o:fedoraproject:fedora:33:*:*:*:*:*:*:*

Configuration RedHat 1:

cpe:/a:redhat:enterprise_linux:8:*:*:*:*:*:*:*

Configuration RedHat 2:

cpe:/a:redhat:enterprise_linux:8::appstream:*:*:*:*:*

Configuration RedHat 3:

cpe:/a:redhat:enterprise_linux:8::crb:*:*:*:*:*

Configuration CCN 1:

cpe:/a:jasper_project:jasper:2.0.22:-:*:*:*:*:*:*

AND

cpe:/a:ibm:cloud_pak_for_security:1.7.2.0:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.opensuse.security:def:7602	P	libjasper4-2.0.14-150000.3.28.1 on GA media (Moderate)	2023-06-12
oval:org.opensuse.security:def:7940	P	libjasper-devel-2.0.14-150000.3.28.1 on GA media (Moderate)	2023-06-12
oval:org.opensuse.security:def:93151	P	(Important)	2022-07-08
oval:org.opensuse.security:def:93304	P	(Important)	2022-07-06
oval:org.opensuse.security:def:3557	P	libXfixes3-32bit-5.0.1-7.1 on GA media (Moderate)	2022-06-28
oval:org.opensuse.security:def:3017	P	audiofile-0.3.6-11.3.1 on GA media (Moderate)	2022-06-28
oval:org.opensuse.security:def:3319	P	pam_u2f-1.0.8-3.3.1 on GA media (Moderate)	2022-06-28
oval:org.opensuse.security:def:1702	P	Security update for salt (Important)	2022-06-24
oval:org.opensuse.security:def:94647	P	libjasper4-2.0.14-150000.3.25.1 on GA media (Moderate)	2022-06-22
oval:org.opensuse.security:def:94669	P	libnewt0_52-0.52.20-5.35 on GA media (Moderate)	2022-06-22
oval:org.opensuse.security:def:94949	P	libjasper-devel-2.0.14-150000.3.25.1 on GA media (Moderate)	2022-06-22
oval:org.opensuse.security:def:94823	P	ruby2.5-rubygem-nokogiri-1.8.5-150400.12.4 on GA media (Moderate)	2022-06-22
oval:org.opensuse.security:def:143	P	libjasper4-2.0.14-3.19.1 on GA media (Moderate)	2022-06-13
oval:org.opensuse.security:def:1072	P	Security update for fribidi (Moderate)	2022-05-25
oval:org.opensuse.security:def:99196	P	(Important)	2022-03-30
oval:org.opensuse.security:def:100101	P	(Important)	2022-03-23
oval:org.opensuse.security:def:112453	P	jasper-2.0.33-1.2 on GA media (Moderate)	2022-01-17
oval:org.opensuse.security:def:5939	P	Security update for chrony (Moderate)	2021-12-22
oval:com.redhat.rhsa:def:20214235	P	RHSA-2021:4235: jasper security update (Moderate)	2021-11-09
oval:org.opensuse.security:def:101536	P	Security update for libvirt (Moderate)	2021-11-05
oval:org.opensuse.security:def:105957	P	jasper-2.0.33-1.2 on GA media (Moderate)	2021-10-01
oval:org.opensuse.security:def:102200	P	Security update for libvirt (Moderate)	2021-08-23
oval:org.opensuse.security:def:101382	P	libxmltooling-devel-3.1.0-1.26 on GA media (Moderate)	2021-08-10
oval:org.opensuse.security:def:62161	P	libjasper4-2.0.14-3.19.1 on GA media (Moderate)	2021-08-09
oval:org.opensuse.security:def:71902	P	libjasper4-2.0.14-3.19.1 on GA media (Moderate)	2021-08-09
oval:org.opensuse.security:def:62791	P	libjasper-devel-2.0.14-3.19.1 on GA media (Moderate)	2021-08-09
oval:org.opensuse.security:def:72510	P	libjasper-devel-2.0.14-3.19.1 on GA media (Moderate)	2021-08-09
oval:org.opensuse.security:def:100919	P	libjasper4-2.0.14-3.19.1 on GA media (Moderate)	2021-08-09
oval:org.opensuse.security:def:101197	P	libjasper-devel-2.0.14-3.19.1 on GA media (Moderate)	2021-08-09
oval:org.opensuse.security:def:99391	P	(Important)	2021-06-24
oval:org.opensuse.security:def:111225	P	Security update for jasper (Important)	2021-02-18
oval:org.opensuse.security:def:31728	P	Security update for jasper (Important)	2021-02-16
oval:org.opensuse.security:def:55847	P	Security update for jasper (Important)	2021-02-16
oval:org.opensuse.security:def:83231	P	Security update for jasper (Important)	2021-02-16
oval:org.opensuse.security:def:127216	P	Security update for jasper (Important)	2021-02-16
oval:org.opensuse.security:def:23743	P	Security update for jasper (Important)	2021-02-16
oval:org.opensuse.security:def:44705	P	Security update for jasper (Important)	2021-02-16
oval:org.opensuse.security:def:108866	P	Security update for jasper (Important)	2021-02-16
oval:org.opensuse.security:def:10391	P	Security update for jasper (Important)	2021-02-16
oval:org.opensuse.security:def:92051	P	Security update for jasper (Important)	2021-02-16
oval:org.opensuse.security:def:97219	P	Security update for jasper (Important)	2021-02-16
oval:org.opensuse.security:def:8700	P	Security update for jasper (Important)	2021-02-16
oval:org.opensuse.security:def:65267	P	Security update for jasper (Important)	2021-02-16
oval:org.opensuse.security:def:99001	P	Security update for jasper (Important)	2021-02-16
oval:org.opensuse.security:def:34023	P	Security update for jasper (Important)	2021-02-16
oval:org.opensuse.security:def:58897	P	Security update for jasper (Important)	2021-02-16
oval:org.opensuse.security:def:86192	P	Security update for jasper (Important)	2021-02-16
oval:org.opensuse.security:def:29469	P	Security update for jasper (Important)	2021-02-16
oval:org.opensuse.security:def:52006	P	Security update for jasper (Important)	2021-02-16
oval:org.opensuse.security:def:81102	P	Security update for jasper (Important)	2021-02-16
oval:org.opensuse.security:def:117716	P	Security update for jasper (Important)	2021-02-16
oval:org.opensuse.security:def:41372	P	Security update for jasper (Important)	2021-02-16
oval:org.opensuse.security:def:74335	P	Security update for jasper (Important)	2021-02-16
oval:org.opensuse.security:def:92839	P	Security update for jasper (Important)	2021-02-16
oval:org.opensuse.security:def:9641	P	Security update for jasper (Important)	2021-02-16
oval:org.opensuse.security:def:69980	P	Security update for jasper (Important)	2021-02-16
oval:org.opensuse.security:def:99789	P	Security update for jasper (Important)	2021-02-16
oval:org.opensuse.security:def:88561	P	Security update for jasper (Important)	2021-02-16
oval:org.opensuse.security:def:32257	P	Security update for jasper (Important)	2021-02-16
oval:org.opensuse.security:def:57164	P	Security update for jasper (Important)	2021-02-16
oval:org.opensuse.security:def:84263	P	Security update for jasper (Important)	2021-02-16
oval:org.opensuse.security:def:24018	P	Security update for jasper (Important)	2021-02-16
oval:org.opensuse.security:def:45802	P	Security update for jasper (Important)	2021-02-16
oval:org.opensuse.security:def:38151	P	Security update for jasper (Important)	2021-02-16
oval:org.opensuse.security:def:92246	P	Security update for jasper (Important)	2021-02-16
oval:org.opensuse.security:def:8890	P	Security update for jasper (Important)	2021-02-16
oval:org.opensuse.security:def:67028	P	Security update for jasper (Important)	2021-02-16
oval:org.opensuse.security:def:34627	P	Security update for jasper (Important)	2021-02-16
oval:org.opensuse.security:def:59588	P	Security update for jasper (Important)	2021-02-16
oval:org.opensuse.security:def:86721	P	Security update for jasper (Important)	2021-02-16
oval:org.opensuse.security:def:30024	P	Security update for jasper (Important)	2021-02-16
oval:org.opensuse.security:def:54759	P	Security update for jasper (Important)	2021-02-16
oval:org.opensuse.security:def:82143	P	Security update for jasper (Important)	2021-02-16
oval:org.opensuse.security:def:125651	P	Security update for jasper (Important)	2021-02-16
oval:org.opensuse.security:def:21409	P	Security update for jasper (Important)	2021-02-16
oval:org.opensuse.security:def:76096	P	Security update for jasper (Important)	2021-02-16
oval:org.opensuse.security:def:92998	P	Security update for jasper (Important)	2021-02-16
oval:org.opensuse.security:def:108048	P	Security update for jasper (Important)	2021-02-16
oval:org.opensuse.security:def:9840	P	Security update for jasper (Important)	2021-02-16
oval:org.opensuse.security:def:70341	P	Security update for jasper (Important)	2021-02-16
oval:org.opensuse.security:def:4178	P	Security update for jasper (Important)	2021-02-16
oval:org.opensuse.security:def:89243	P	Security update for jasper (Important)	2021-02-16
oval:org.opensuse.security:def:33074	P	Security update for jasper (Important)	2021-02-16
oval:org.opensuse.security:def:57551	P	Security update for jasper (Important)	2021-02-16
oval:org.opensuse.security:def:84721	P	Security update for jasper (Important)	2021-02-16
oval:org.opensuse.security:def:26191	P	Security update for jasper (Important)	2021-02-16
oval:org.opensuse.security:def:51162	P	Security update for jasper (Important)	2021-02-16
oval:org.opensuse.security:def:5178	P	Security update for jasper (Important)	2021-02-16
oval:org.opensuse.security:def:38970	P	Security update for jasper (Important)	2021-02-16
oval:org.opensuse.security:def:92441	P	Security update for jasper (Important)	2021-02-16
oval:org.opensuse.security:def:9085	P	Security update for jasper (Important)	2021-02-16
oval:org.opensuse.security:def:69587	P	Security update for jasper (Important)	2021-02-16
oval:org.opensuse.security:def:59846	P	Security update for jasper (Important)	2021-02-16
oval:org.opensuse.security:def:87538	P	Security update for jasper (Important)	2021-02-16
oval:org.opensuse.security:def:31341	P	Security update for jasper (Important)	2021-02-16
oval:org.opensuse.security:def:55292	P	Security update for jasper (Important)	2021-02-16
oval:org.opensuse.security:def:82676	P	Security update for jasper (Important)	2021-02-16
oval:org.opensuse.security:def:126819	P	Security update for jasper (Important)	2021-02-16
oval:org.opensuse.security:def:23174	P	Security update for jasper (Important)	2021-02-16
oval:org.opensuse.security:def:43400	P	Security update for jasper (Important)	2021-02-16
oval:org.opensuse.security:def:108202	P	Security update for jasper (Important)	2021-02-16
oval:org.opensuse.security:def:10201	P	Security update for jasper (Important)	2021-02-16
oval:org.opensuse.security:def:70531	P	Security update for jasper (Important)	2021-02-16
oval:org.opensuse.security:def:64646	P	Security update for jasper (Important)	2021-02-16
oval:org.opensuse.security:def:89501	P	Security update for jasper (Important)	2021-02-16
oval:org.opensuse.security:def:33765	P	Security update for jasper (Important)	2021-02-16
oval:org.opensuse.security:def:58080	P	Security update for jasper (Important)	2021-02-16
oval:org.opensuse.security:def:85805	P	Security update for jasper (Important)	2021-02-16
oval:org.opensuse.security:def:28936	P	Security update for jasper (Important)	2021-02-16
oval:org.opensuse.security:def:51731	P	Security update for jasper (Important)	2021-02-16
oval:org.opensuse.security:def:95487	P	Security update for jasper (Important)	2021-02-16
oval:org.opensuse.security:def:117562	P	Security update for jasper (Important)	2021-02-16
oval:org.opensuse.security:def:40275	P	Security update for jasper (Important)	2021-02-16
oval:org.opensuse.security:def:73768	P	Security update for jasper (Important)	2021-02-16
oval:org.opensuse.security:def:92640	P	Security update for jasper (Important)	2021-02-16
oval:org.opensuse.security:def:9447	P	Security update for jasper (Important)	2021-02-16
oval:org.opensuse.security:def:69781	P	Security update for jasper (Important)	2021-02-16
oval:org.opensuse.security:def:99590	P	Security update for jasper (Important)	2021-02-16
oval:org.opensuse.security:def:60450	P	Security update for jasper (Important)	2021-02-16
oval:org.opensuse.security:def:88244	P	Security update for jasper (Important)	2021-02-16

BACK