CVSS3 score: 6.5 Medium

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | NONE |
User Interaction | REQUIRED |
Scope | UNCHANGED |
Confidentiality Impact | NONE |
Integrity Impact | NONE |
Availability Impact | HIGH |
Vector | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H |

CVSS2 score: 4.3 Medium

Metric | Value |
---|---|
Access Vector | NETWORK |
Access Complexity | MEDIUM |
Authentication | NONE |
Confidentiality Impact | NONE |
Integrity Impact | NONE |
Availability Impact | PARTIAL |
Vector | AV:N/AC:M/Au:N/C:N/I:N/A:P |

EPSS score: 0.001 Low (percentile 40.8%)

NULL Pointer Access in function imagetopnm of convert.c:2226(jp2) in OpenJPEG 2.1.2. Impact is Denial of Service. Someone must open a crafted j2k file.

Author | Note |
---|---|
ccdm94 | Pull request 895 seems to be an initial attempt to fix this issue. However, pull request 895 was never merged, and instead, five issues which did not include issue 856 were fixed by various commits created by upstream (these can be seen in PR 895) which utilized part of what was being proposed in 895 by an openjpeg contributor. The changes proposed in 895 that were not added by the upstream commits previously mentioned were added to a new pull request, 975, which attempts to fix various issues. Looking at comments in issue 863, it was possible to verify that the fix for CVE-2016-9114 is possibly commit 2fa0fc61f2d (see CVE-2016-9114 for more details). This CVE mentions a vulnerability similar to the one we have here in CVE-2016-9116. Therefore, looking at the patch for CVE-2016-9114 and looking at the changes proposed by PR 975, it seems like the changes in this PR aim to address CVE-2016-9116 in a way similar to the one used to address CVE-2016-9114. PR 975 was merged; however, it introduced regressions. See PR in order to verify changes made after it was merged in order to fix introduced regressions if adding patch. |
eslerm | Upstream made 4 commits to src/bin/jp2/convert.c in late July before asking the discoverer to retest, who said openjpeg was then patched: 2fa0fc6, 784d4d4, c22cbd8, and 00f4568. Note that 00f4568 is part of 0394f8d. |