Use-After-Free Vulnerability in OpenJPEG Affects Multiple Versions
CVE-2020-15389

6.5 MEDIUM

Key Information:

Vendor:
Uclouvain
Status:
Vendor
CVE Published:
29 June 2020

What is CVE-2020-15389?

OpenJPEG versions prior to 2.3.1 contain a use-after-free in the jp2/opj_decompress.c component. The issue is triggered when the opj_decompress tool processes a directory containing a mixture of valid and invalid input files: an image object can be passed to opj_image_destroy more than once across the per-file loop, which turns the use-after-free into a double free. This vulnerability affects the integrity and stability of applications that use OpenJPEG for image processing, since the memory-management error may lead to application crashes or, in the worst case, arbitrary code execution.
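To show the bug class the description names, here is an added example that is not OpenJPEG's code: a constructed, instrumented stand-in for a decompressor's per-file loop. The names `image_t`, `image_create`, `image_destroy`, `decode_header` and `process_directory` are hypothetical. The image pointer lives outside the loop; a valid file allocates and then destroys it, and an invalid file fails before allocating, so the error path destroys the stale pointer from the previous iteration a second time. A small live-object registry stands in for what AddressSanitizer (`-fsanitize=address`) or glibc's double-free check would report on the real program, and the `reset_after_destroy` flag applies the usual fix of nulling the pointer after it is freed.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for a decoded image (not OpenJPEG's opj_image_t). */
typedef struct {
    int width;
    int height;
} image_t;

/* Registry of currently live image objects. It lets image_destroy() detect a
   second destroy of the same pointer without actually double-freeing memory. */
#define MAX_LIVE 16
static image_t *g_live[MAX_LIVE];

static image_t *image_create(int w, int h) {
    image_t *img = malloc(sizeof *img);
    if (!img) return NULL;
    img->width = w;
    img->height = h;
    for (int i = 0; i < MAX_LIVE; i++) {
        if (!g_live[i]) { g_live[i] = img; return img; }
    }
    free(img);          /* registry full: treat as allocation failure */
    return NULL;
}

/* Returns 1 if the pointer was NOT live, i.e. this call would have been a
   double free (the memory is deliberately left alone in that case). */
static int image_destroy(image_t *img) {
    if (!img) return 0;                     /* destroying NULL is a no-op */
    for (int i = 0; i < MAX_LIVE; i++) {
        if (g_live[i] == img) {
            g_live[i] = NULL;
            free(img);
            return 0;
        }
    }
    return 1;                               /* stale pointer: double free */
}

/* Hypothetical header parser. A valid file allocates *out and returns 1; an
   invalid file fails before allocating and leaves *out untouched (returns 0).
   That "untouched on failure" behaviour is what makes the stale pointer reachable. */
static int decode_header(int file_is_valid, image_t **out) {
    if (!file_is_valid) return 0;
    image_t *img = image_create(64, 64);
    if (!img) return 0;
    *out = img;
    return 1;
}

/* Processes a constructed "directory": files[i] != 0 means a valid file.
   Returns the number of double-free events the registry detected. */
static int process_directory(const int *files, int nfiles, int reset_after_destroy) {
    image_t *image = NULL;      /* declared outside the loop: survives across files */
    int double_frees = 0;

    for (int i = 0; i < nfiles; i++) {
        if (!decode_header(files[i], &image)) {
            /* Error path: "clean up whatever we have". With a stale pointer from
               the previous iteration this is the second destroy of that object. */
            double_frees += image_destroy(image);
            continue;
        }
        /* ... decode, write output ... */
        double_frees += image_destroy(image);
        if (reset_after_destroy) image = NULL;   /* the fix: never keep a dangling pointer */
    }
    return double_frees;
}

int main(void) {
    const int files[] = {1, 0, 0, 1, 0};        /* constructed: valid, invalid, invalid, valid, invalid */
    int n = (int)(sizeof files / sizeof files[0]);
    printf("vulnerable loop: %d double free(s)\n", process_directory(files, n, 0));
    printf("fixed loop:      %d double free(s)\n", process_directory(files, n, 1));
    return 0;
}
```

The registry is only a teaching device; on the real binary the practical check is to build with AddressSanitizer and run opj_decompress over a directory that mixes valid and corrupt inputs, which is exactly the condition the advisory describes.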

References

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
