// For flags

CVE-2020-27823

openjpeg: heap-buffer-overflow write in opj_tcd_dc_level_shift_encode()

Severity Score

7.8
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

A flaw was found in OpenJPEG’s encoder. This flaw allows an attacker to pass specially crafted x,y offset input to OpenJPEG to use during encoding. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.

Se encontró un fallo en el codificador de OpenJPEG. Este fallo permite a un atacante pasar una entrada de desplazamiento x,y especialmente diseñada a OpenJPEG para usarla durante la codificación. La mayor amenaza de esta vulnerabilidad es la confidencialidad, la integridad así como la disponibilidad del sistema

An update that fixes 13 vulnerabilities is now available. This update for openjpeg2 fixes the following issues. Fixed integer overflow vulnerability in theopj_t1_encode_cblks function. Fixed integer overflow caused by an out-of-bounds leftshift in the opj_j2k_setup_encoder function. Fixed excessive iteration in the opj_t1_encode_cblks function of openjp2/t1.c. Fixed division-by-zero vulnerabilities in the functions pi_next_pcrl, pi_next_cprl,and pi_next_rpcl in lib/openjp3d/pi.c. Fixed missing checks for header_info.height and header_info.width in the function pnmtoimage in bin/jpwl/convert.c. Fixed heap-based buffer overflow function t2_encode_packet in lib/openmj2/t2.c. Fixed division-by-zero in the functions pi_next_pcrl, pi_next_cprl, and pi_next_rpcl in openmj2/pi.ci. Fixed heap-based buffer overflow in opj_t1_clbl_decode_processor. Fixed heap-based buffer overflow in opj_t1_clbl_decode_processor in openjp2/t1.c. Fixed use-after-free if t a mix of valid and invalid files in a directory operated on by the decompressor. Fixed heap buffer over-write in opj_tcd_dc_level_shift_encode. Fixed integer overflow that allows remote attackers to crash the application. Fixed segmentation fault in opj2_decompress due to uninitialized pointer.

*Credits: N/A
CVSS Scores
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Network
Attack Complexity
Medium
Authentication
None
Confidentiality
Partial
Integrity
Partial
Availability
Partial
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2020-10-27 CVE Reserved
  • 2021-04-28 CVE Published
  • 2024-08-04 CVE Updated
  • 2025-06-19 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-20: Improper Input Validation
  • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
  • CWE-787: Out-of-bounds Write
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Uclouvain
Search vendor "Uclouvain"
Openjpeg
Search vendor "Uclouvain" for product "Openjpeg"
< 2.4.0
Search vendor "Uclouvain" for product "Openjpeg" and version " < 2.4.0"
-
Affected
Fedoraproject
Search vendor "Fedoraproject"
Fedora
Search vendor "Fedoraproject" for product "Fedora"
32
Search vendor "Fedoraproject" for product "Fedora" and version "32"
-
Affected
Fedoraproject
Search vendor "Fedoraproject"
Fedora
Search vendor "Fedoraproject" for product "Fedora"
33
Search vendor "Fedoraproject" for product "Fedora" and version "33"
-
Affected
Debian
Search vendor "Debian"
Debian Linux
Search vendor "Debian" for product "Debian Linux"
9.0
Search vendor "Debian" for product "Debian Linux" and version "9.0"
-
Affected
Debian
Search vendor "Debian"
Debian Linux
Search vendor "Debian" for product "Debian Linux"
10.0
Search vendor "Debian" for product "Debian Linux" and version "10.0"
-
Affected