CVE-2020-26208

Heap-buffer-overflow in jhead

Severity Score

6.1

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

JHEAD is a simple command line tool for displaying and some manipulation of EXIF header data embedded in Jpeg images from digital cameras. In affected versions there is a heap-buffer-overflow on jhead-3.04/jpgfile.c:285 ReadJpegSections. Crafted jpeg images can be provided to the user resulting in a program crash or potentially incorrect exif information retrieval. Users are advised to upgrade. There is no known workaround for this issue.

JHEAD es una sencilla herramienta de línea de comandos para la visualización y determinada manipulación de los datos de encabezados EXIF insertados en las imágenes Jpeg de las cámaras digitales. En las versiones afectadas se presenta un desbordamiento del búfer de la pila en jhead-3.04/jpgfile.c:285 ReadJpegSections. Las imágenes jpeg diseñadas pueden ser proporcionadas al usuario resultando en un bloqueo del programa o en la recuperación de información exif potencialmente incorrecta. Se recomienda a usuarios actualizar. No es conocida alguna medida de mitigación adicional para este problema

*Credits: N/A

CVSS Scores

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

High

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

Low

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

Partial

Integrity

None

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2020-10-01 CVE Reserved
2022-02-02 CVE Published
2024-08-04 CVE Updated
2024-08-04 First Exploit
2024-10-18 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-787: Out-of-bounds Write

CAPEC

References (4)

URL	Tag	Source

URL	Date	SRC
https://bugs.launchpad.net/ubuntu/+source/jhead/+bug/1900821	2024-08-04
https://github.com/F-ZhaoYang/jhead/security/advisories/GHSA-7pr6-xq4f-qhgc	2024-08-04

URL	Date	SRC
https://github.com/F-ZhaoYang/jhead/commit/5186ddcf9e35a7aa0ff0539489a930434a1325f4	2022-02-07
https://github.com/Matthias-Wandel/jhead/issues/7	2022-02-07

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Jhead Project Search vendor "Jhead Project"		Jhead Search vendor "Jhead Project" for product "Jhead"				< 3.04 Search vendor "Jhead Project" for product "Jhead" and version " < 3.04"		-		Affected