// For flags

CVE-2016-8332

 

Severity Score

7.8
*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

1
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

A buffer overflow in OpenJPEG 2.1.1 causes arbitrary code execution when parsing a crafted image. An exploitable code execution vulnerability exists in the jpeg2000 image file format parser as implemented in the OpenJpeg library. A specially crafted jpeg2000 file can cause an out of bound heap write resulting in heap corruption leading to arbitrary code execution. For a successful attack, the target user needs to open a malicious jpeg2000 file. The jpeg2000 image file format is mostly used for embedding images inside PDF documents and the OpenJpeg library is used by a number of popular PDF renderers making PDF documents a likely attack vector.

Un desbordamiento de búfer en OpenJPEG 2.1.1 provoca ejecución de código arbitrario cuando se analiza una imagen manipulada. Una vulnerabilidad explotable de ejecución de código existe en el analizador de archivo formato de imagen jpeg2000 como se aplica en la librería OpenJpeg. Un archivo jpeg2000 especialmente manipulado puede provocar una escritura fuera de límites resultando en corrupción de la pila dando lugar a ejecución de código arbitrario. Para un ataque exitoso, el usuario objetivo necesita abrir un archivo jpeg2000 malicioso. El formato de archivo de jpeg2000 es principalmente utilizado para incrustar imágenes dentro de documentos PDF y la librería OpenJpeg es utilizada por un número de visualizadores de PDF populares convirtiendo a los documentos PDF en un vector de ataque probable.

*Credits: N/A
CVSS Scores
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Network
Attack Complexity
Medium
Authentication
None
Confidentiality
Partial
Integrity
Partial
Availability
Partial
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2016-09-28 CVE Reserved
  • 2016-10-28 CVE Published
  • 2024-06-15 EPSS Updated
  • 2024-08-06 CVE Updated
  • 2024-08-06 First Exploit
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Uclouvain
Search vendor "Uclouvain"
Openjpeg
Search vendor "Uclouvain" for product "Openjpeg"
2.1.1
Search vendor "Uclouvain" for product "Openjpeg" and version "2.1.1"
-
Affected