ID CVE-2020-15389
Summary jp2/opj_decompress.c in OpenJPEG through 2.3.1 has a use-after-free that can be triggered if there is a mix of valid and invalid files in a directory operated on by the decompressor. Triggering a double-free may also be possible. This is related to calling opj_image_destroy twice.
References
Vulnerable Configurations
  • cpe:2.3:a:uclouvain:openjpeg:-:*:*:*:*:*:*:*
    cpe:2.3:a:uclouvain:openjpeg:-:*:*:*:*:*:*:*
  • cpe:2.3:a:uclouvain:openjpeg:1.0:*:*:*:*:*:*:*
    cpe:2.3:a:uclouvain:openjpeg:1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:uclouvain:openjpeg:1.1:*:*:*:*:*:*:*
    cpe:2.3:a:uclouvain:openjpeg:1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:uclouvain:openjpeg:1.2:*:*:*:*:*:*:*
    cpe:2.3:a:uclouvain:openjpeg:1.2:*:*:*:*:*:*:*
  • cpe:2.3:a:uclouvain:openjpeg:1.3:*:*:*:*:*:*:*
    cpe:2.3:a:uclouvain:openjpeg:1.3:*:*:*:*:*:*:*
  • cpe:2.3:a:uclouvain:openjpeg:1.4:*:*:*:*:*:*:*
    cpe:2.3:a:uclouvain:openjpeg:1.4:*:*:*:*:*:*:*
  • cpe:2.3:a:uclouvain:openjpeg:1.5:*:*:*:*:*:*:*
    cpe:2.3:a:uclouvain:openjpeg:1.5:*:*:*:*:*:*:*
  • cpe:2.3:a:uclouvain:openjpeg:1.5.1:*:*:*:*:*:*:*
    cpe:2.3:a:uclouvain:openjpeg:1.5.1:*:*:*:*:*:*:*
  • cpe:2.3:a:uclouvain:openjpeg:1.5.2:*:*:*:*:*:*:*
    cpe:2.3:a:uclouvain:openjpeg:1.5.2:*:*:*:*:*:*:*
  • cpe:2.3:a:uclouvain:openjpeg:2.0:*:*:*:*:*:*:*
    cpe:2.3:a:uclouvain:openjpeg:2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:uclouvain:openjpeg:2.0.0:*:*:*:*:*:*:*
    cpe:2.3:a:uclouvain:openjpeg:2.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:uclouvain:openjpeg:2.0.1:*:*:*:*:*:*:*
    cpe:2.3:a:uclouvain:openjpeg:2.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:uclouvain:openjpeg:2.1:*:*:*:*:*:*:*
    cpe:2.3:a:uclouvain:openjpeg:2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:uclouvain:openjpeg:2.1.0:*:*:*:*:*:*:*
    cpe:2.3:a:uclouvain:openjpeg:2.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:uclouvain:openjpeg:2.1.1:*:*:*:*:*:*:*
    cpe:2.3:a:uclouvain:openjpeg:2.1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:uclouvain:openjpeg:2.1.2:*:*:*:*:*:*:*
    cpe:2.3:a:uclouvain:openjpeg:2.1.2:*:*:*:*:*:*:*
  • cpe:2.3:a:uclouvain:openjpeg:2.2.0:*:*:*:*:*:*:*
    cpe:2.3:a:uclouvain:openjpeg:2.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:uclouvain:openjpeg:2.3.0:*:*:*:*:*:*:*
    cpe:2.3:a:uclouvain:openjpeg:2.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:uclouvain:openjpeg:2.3.1:*:*:*:*:*:*:*
    cpe:2.3:a:uclouvain:openjpeg:2.3.1:*:*:*:*:*:*:*
  • cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
    cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
  • cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
    cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:outside_in_technology:8.5.4:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:outside_in_technology:8.5.4:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:outside_in_technology:8.5.5:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:outside_in_technology:8.5.5:*:*:*:*:*:*:*
CVSS
Base: 5.8 (as of 06-10-2022 - 17:59)
Impact:
Exploitability:
CWE CWE-416
CAPEC
Access
VectorComplexityAuthentication
NETWORK MEDIUM NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL NONE PARTIAL
cvss-vector via4 AV:N/AC:M/Au:N/C:P/I:N/A:P
refmap via4
misc
mlist [debian-lts-announce] 20200710 [SECURITY] [DLA 2277-1] openjpeg2 security update
Last major update 06-10-2022 - 17:59
Published 29-06-2020 - 21:15
Last modified 06-10-2022 - 17:59
Back to Top