{"id": "1337DAY-ID-35895", "vendorId": null, "type": "zdt", "bulletinFamily": "exploit", "title": "jpeg-xl 0.3.1 Memory Corruption Vulnerability", "description": "", "published": "2021-03-03T00:00:00", "modified": "2021-03-03T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/35895", "reporter": "van Hauser", "references": [], "cvelist": ["CVE-2021-27804"], "immutableFields": [], "lastseen": "2021-12-23T05:51:59", "viewCount": 36, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2021-27804"]}], "rev": 4}, "score": {"value": 6.9, "vector": "NONE"}, "backreferences": {"references": [{"type": "cve", "idList": ["CVE-2021-27804"]}, {"type": "threatpost", "idList": ["THREATPOST:5D5241707AB76ED799696E37D048872A", "THREATPOST:7876640D5EC3E8FE3FE885606BBB1C6D"]}]}, "exploitation": null, "vulnersScore": 6.9}, "sourceHref": "https://0day.today/exploit/35895", "sourceData": "Multiple Vulnerabilities in jpeg-xl\n===================================\nCVE: 
CVE-2021-27804\nHighest Severity Rating: High\nConfirmed Affected Versions: jpeg-xl v0.3.1 and earlier\nVendor: Joint Photographic Experts Group (JPEG)\nVendor URL: https://gitlab.com/wg1/jpeg-xl\n\n\nSummary and Impact\n------------------\njpeg-xl is the reference implementation by the Joint Photographic\nExperts Group (JPEG) of the new JPEG XL standard.\nMultiple memory corruption vulnerabilities were found and reported in\nthe last 3 months. The security issues were responsibly reported to\nthe vendor and were fixed in a subsequent version, however silently.\n\nThe changelog does not reflect security issues being fixed:\n\njpeg-xl (0.3.2) urgency=medium\n\n * Bump JPEG XL version to 0.3.2.\n * Fix embedded ICC encoding regression #149.\n\n -- Fri, 12 Feb 2021 21:00:12 +0100\n\njpeg-xl (0.3.1) urgency=medium\n\n * Bump JPEG XL version to 0.3.1.\n\n -- Tue, 09 Feb 2021 09:48:43 +0100\n\njpeg-xl (0.3) urgency=medium\n\n * Bump JPEG XL version to 0.3.\n\n -- Wed, 27 Jan 2021 22:36:32 +0100\n\nAll the while it is already available, e.g. in Arch Linux\n(https://aur.archlinux.org/packages/libjpeg-xl-git/) and FreeBSD\n(https://pkgs.org/download/jpeg-xl) and is currently in the process of\nbeing added to Debian and therefore to Ubuntu and Kali Linux.\n\nHence the need to sit down and write a boring advisory to publish on a\nmailing list instead of doing something more interesting :(\n\nFor anyone interested, the memory corruptions were discovered by using\nthe AFL++ fuzzer (https://github.com/AFLplusplus/AFLplusplus) for just a\nfew hours for testing purposes. 
The current v0.3.2 release of jpeg-xl\nalso produces writeable memory corruptions when fuzzing for a very short\ntime (with a good starting corpus that is).\n\n\nRecommendation\n--------------\nThe vendor should establish a proper notification on fixed security\nissues in the changelog and not put the Internet at risk.\n", "category": "dos / poc", "verified": true, "_state": {"dependencies": 1647589307, "score": 0}}