CVE-2020-12268
jbig2dec: heap-based buffer overflow in jbig2_image_compose in jbig2_image.c
Severity Score
9.8
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
1
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
jbig2_image_compose in jbig2_image.c in Artifex jbig2dec before 0.18 has a heap-based buffer overflow.
La función jbig2_image_compose en el archivo jbig2_image.c en Artifex jbig2dec versiones anteriores a la versión 0.18, tiene un desbordamiento de búfer en la región heap de la memoria.
An integer overflow was found in jbig2dec, which causes an out-of-bounds read/write in the jbig2_image_compose function. This flaw could potentially result in the execution of code on the system. Applications that use jbig2dec with untrusted input may be vulnerable to this flaw. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2020-04-27 CVE Reserved
- 2020-04-27 CVE Published
- 2023-03-07 EPSS Updated
- 2024-08-04 CVE Updated
- 2024-08-04 First Exploit
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-122: Heap-based Buffer Overflow
- CWE-787: Out-of-bounds Write
CAPEC
References (7)
| URL | Tag | Source |
|---|---|---|
| https://github.com/ArtifexSoftware/jbig2dec/compare/0.17...0.18 | Third Party Advisory | |
| https://lists.debian.org/debian-lts-announce/2021/10/msg00023.html | Mailing List |
|
| URL | Date | SRC |
|---|---|---|
| https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20332 | 2024-08-04 |
| URL | Date | SRC |
|---|---|---|
| https://github.com/ArtifexSoftware/jbig2dec/commit/0726320a4b55078e9d8deb590e477d598b3da66e | 2021-11-02 |
| URL | Date | SRC |
|---|---|---|
| http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00034.html | 2021-11-02 | |
| https://access.redhat.com/security/cve/CVE-2020-12268 | 2020-07-21 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=1848518 | 2020-07-21 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Artifex Search vendor "Artifex" | Jbig2dec Search vendor "Artifex" for product "Jbig2dec" | < 0.18 Search vendor "Artifex" for product "Jbig2dec" and version " < 0.18" | - |
Affected
| ||||||
| Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 9.0 Search vendor "Debian" for product "Debian Linux" and version "9.0" | - |
Affected
| ||||||
| Opensuse Search vendor "Opensuse" | Leap Search vendor "Opensuse" for product "Leap" | 15.1 Search vendor "Opensuse" for product "Leap" and version "15.1" | - |
Affected
| ||||||