CVE-2017-14151

2017-09-0500:00:00

ubuntu.com

6.8 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

0.01 Low

EPSS

Percentile

83.4%

JSON

An off-by-one error was discovered in opj_tcd_code_block_enc_allocate_data
in lib/openjp2/tcd.c in OpenJPEG 2.2.0. The vulnerability causes an
out-of-bounds write, which may lead to remote denial of service (heap-based
buffer overflow affecting opj_mqc_flush in lib/openjp2/mqc.c and
opj_t1_encode_cblk in lib/openjp2/t1.c) or possibly remote code execution.

Notes

Author	Note
ccdm94	It seems like the vulnerable code was introduced by commit e05d2901e, which was applied in versions larger than 2.0.0. Therefore, openjpeg packages are not affected by this issue.

OSVersionArchitecturePackageVersionFilename
ubuntu18.04noarchopenjpeg2< 2.3.0-1UNKNOWN
ubuntu16.04noarchopenjpeg2< 2.1.2-1.1+deb9u2build0.1UNKNOWN
ubuntu17.04noarchopenjpeg2< 2.1.2-1.1+deb9u2build0.17.04.1UNKNOWN

OS	Version	Architecture	Package	Version	Filename
ubuntu	18.04	noarch	openjpeg2	< 2.3.0-1	UNKNOWN
ubuntu	16.04	noarch	openjpeg2	< 2.1.2-1.1+deb9u2build0.1	UNKNOWN
ubuntu	17.04	noarch	openjpeg2	< 2.1.2-1.1+deb9u2build0.17.04.1	UNKNOWN