CVSS3 score: 6.5 Medium

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | NONE |
User Interaction | REQUIRED |
Scope | UNCHANGED |
Confidentiality Impact | NONE |
Integrity Impact | NONE |
Availability Impact | HIGH |

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

CVSS2 score: 4.3 Medium

Metric | Value |
---|---|
Access Vector | NETWORK |
Access Complexity | MEDIUM |
Authentication | NONE |
Confidentiality Impact | NONE |
Integrity Impact | NONE |
Availability Impact | PARTIAL |

Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P

EPSS: 0.001 Low (percentile 50.0%)

Out-of-bounds accesses in the functions pi_next_lrcp, pi_next_rlcp,
pi_next_rpcl, pi_next_pcrl, pi_next_rpcl, and pi_next_cprl in openmj2/pi.c
in OpenJPEG through 2.3.0 allow remote attackers to cause a denial of
service (application crash).
Author | Note |
---|---|
ebarretto | Marking emscripten ignored as openjpeg2 code is only for test/example. |
emitorino | Debian binary packages built with BUILD_MJ2:BOOL=OFF. According to https://github.com/uclouvain/openjpeg/pull/1168#commitcomment-32961642 the patch https://github.com/uclouvain/openjpeg/commit/e1740e7ce79d0a1676db4da0f4189b64e85f52cb was reverted because it did not compile. Code is not present in upstream master anymore. |
mdeslaur | Ubuntu packages are built with BUILD_MJ2:BOOL=OFF, so the affected code isn’t compiled |
ccdm94 | According to the comments available in issue 1328 of openjpeg (https://github.com/uclouvain/openjpeg/issues/1328), this issue will not be fixed by upstream, as the vulnerable components were simply removed from the code in pull request #1350. For this reason, xenial and trusty cannot be patched for this issue in package openjpeg. There was a patch available, which was commit c277159986c; however, it did not compile, and therefore was reverted by upstream. No new fixes for this issue were made available, the solution apparently being the removal of the code that contains the vulnerability. |
OS | OS Version | Architecture | Package | Package Version | Filename |
---|---|---|---|---|---|
ubuntu | 18.04 | noarch | blender | < any | UNKNOWN |
ubuntu | 20.04 | noarch | blender | < any | UNKNOWN |
ubuntu | 22.04 | noarch | blender | < any | UNKNOWN |
ubuntu | 23.10 | noarch | blender | < any | UNKNOWN |
ubuntu | 16.04 | noarch | blender | < any | UNKNOWN |
ubuntu | 18.04 | noarch | insighttoolkit4 | < any | UNKNOWN |
ubuntu | 20.04 | noarch | insighttoolkit4 | < any | UNKNOWN |
ubuntu | 22.04 | noarch | insighttoolkit4 | < any | UNKNOWN |
ubuntu | 16.04 | noarch | insighttoolkit4 | < any | UNKNOWN |
ubuntu | 18.04 | noarch | qtwebengine-opensource-src | < any | UNKNOWN |