Vulnerability Details CVE-2018-19541
An issue was discovered in JasPer 1.900.8, 1.900.9, 1.900.10, 1.900.11, 1.900.12, 1.900.13, 1.900.14, 1.900.15, 1.900.16, 1.900.17, 1.900.18, 1.900.19, 1.900.20, 1.900.21, 1.900.22, 1.900.23, 1.900.24, 1.900.25, 1.900.26, 1.900.27, 1.900.28, 1.900.29, 1.900.30, 1.900.31, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7, 2.0.8, 2.0.9, 2.0.10, 2.0.11, 2.0.12, 2.0.13, 2.0.14, 2.0.15, 2.0.16. There is a heap-based buffer over-read of size 8 in the function jas_image_depalettize in libjasper/base/jas_image.c.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.004
EPSS Ranking 60.0%
CVSS Severity
CVSS v3 Score 8.8
CVSS v2 Score 6.8
References
- http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00023.html
- http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00025.html
- https://github.com/mdadams/jasper/issues/182
- https://lists.debian.org/debian-lts-announce/2019/01/msg00003.html
- https://www.oracle.com/security-alerts/cpuapr2020.html
- http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00023.html
- http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00025.html
- https://github.com/mdadams/jasper/issues/182
- https://lists.debian.org/debian-lts-announce/2019/01/msg00003.html
- https://www.oracle.com/security-alerts/cpuapr2020.html
Products affected by CVE-2018-19541
-
cpe:2.3:a:jasper_project:jasper:2.0.14
-
cpe:2.3:o:canonical:ubuntu_linux:14.04
-
cpe:2.3:o:canonical:ubuntu_linux:16.04
-
cpe:2.3:o:debian:debian_linux:8.0
-
cpe:2.3:o:suse:linux_enterprise_desktop:12
-
cpe:2.3:o:suse:linux_enterprise_server:11
-
cpe:2.3:o:suse:linux_enterprise_server:12