CVE-2020-6851
Severity HIGH · CVSS 3.1 base score 7.5 · EPSS 91.1%
Published Jan 13, 2020 · Last Modified Jun 17, 2026
Description
OpenJPEG through 2.3.1 has a heap-based buffer overflow in opj_t1_clbl_decode_processor (openjp2/t1.c) because opj_j2k_update_image_dimensions does not validate the image dimensions it derives from the codestream. The CVSS vector records an availability-only impact (C:N/I:N/A:H): a crafted JPEG 2000 image that reaches the decoder can crash the process. The exposure is the libopenjp2 library itself, so any product that embeds it to decode untrusted images is in scope, as the Oracle entries in the product list below illustrate.
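The description names the missing step (dimension validation in opj_j2k_update_image_dimensions) but not what such a check looks like. The C program below is an added illustrative model, not OpenJPEG's code: the struct names, the `unchecked_width` failure model and the `store_block` stand-in for the code-block write are assumptions made for this example, and the SIZ values it feeds in are constructed. It contrasts a width derived from unchecked grid coordinates with a version that rejects coordinates beyond INT_MAX, empty or inverted grids and unallocatable sizes before any buffer exists, and then bounds-checks the per-block write against the dimensions the buffer was sized from.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Image-on-reference-grid parameters as carried by a JPEG 2000 SIZ marker:
 * grid corners (x0,y0)-(x1,y1) and one component's sub-sampling (dx,dy).
 * Stand-in struct for this example, not OpenJPEG's opj_image_t. */
typedef struct { uint32_t x0, y0, x1, y1, dx, dy; } siz_t;

/* One image component: origin on its own sample grid, size, sample buffer. */
typedef struct { uint32_t x0, y0, w, h; int32_t *data; } comp_t;

/* ceil(a / b) computed in 64 bits so that a + b - 1 cannot wrap. */
static uint32_t ceildiv_u32(uint32_t a, uint32_t b) {
    return (uint32_t)(((uint64_t)a + b - 1) / b);
}

/* Failure model (assumed, not the original's exact arithmetic): a width
 * derived from unchecked grid coordinates and kept in a signed 32-bit
 * variable. Once x1 exceeds INT_MAX the result goes negative, and every
 * allocation size or loop bound derived from it is wrong. */
int32_t unchecked_width(const siz_t *s) {
    return (int32_t)(ceildiv_u32(s->x1, s->dx) - ceildiv_u32(s->x0, s->dx));
}

/* Hardened: validate the SIZ values before deriving dimensions and refuse
 * anything that cannot be represented or allocated. Returns false on
 * rejection; on success fills c->x0, c->y0, c->w, c->h (data stays NULL). */
bool compute_component_dims(const siz_t *s, comp_t *c) {
    memset(c, 0, sizeof *c);
    if (s->dx == 0 || s->dy == 0 || s->dx > 255 || s->dy > 255) return false; /* SIZ sub-sampling is 1..255 */
    if (s->x0 >= s->x1 || s->y0 >= s->y1) return false;                       /* empty or inverted grid */
    if (s->x1 > (uint32_t)INT_MAX || s->y1 > (uint32_t)INT_MAX) return false; /* keep derived values in int32 range */
    c->x0 = ceildiv_u32(s->x0, s->dx);
    c->y0 = ceildiv_u32(s->y0, s->dy);
    c->w  = ceildiv_u32(s->x1, s->dx) - c->x0;
    c->h  = ceildiv_u32(s->y1, s->dy) - c->y0;
    if (c->w == 0 || c->h == 0) return false;                                 /* sub-sampling collapsed the component */
    if ((uint64_t)c->w * c->h > SIZE_MAX / sizeof(int32_t)) return false;    /* allocation size would overflow */
    return true;
}

bool alloc_component(comp_t *c) {
    c->data = calloc((size_t)c->w * c->h, sizeof(int32_t));
    return c->data != NULL;
}

void free_component(comp_t *c) { free(c->data); c->data = NULL; }

/* Stand-in for writing one decoded code-block into the component buffer.
 * (bx0,by0) is the block origin in component samples, (bw,bh) its size.
 * The bounds check against c->w/c->h is what keeps a malformed block from
 * writing past the buffer that was sized from those same dimensions. */
bool store_block(comp_t *c, uint32_t bx0, uint32_t by0, uint32_t bw, uint32_t bh, const int32_t *src) {
    if (c->data == NULL || bw == 0 || bh == 0) return false;
    if ((uint64_t)bx0 + bw > c->w || (uint64_t)by0 + bh > c->h) return false;
    for (uint32_t j = 0; j < bh; j++)
        memcpy(&c->data[(size_t)(by0 + j) * c->w + bx0], &src[(size_t)j * bw], (size_t)bw * sizeof(int32_t));
    return true;
}

int32_t sample_at(const comp_t *c, uint32_t x, uint32_t y) {
    return c->data[(size_t)y * c->w + x];
}

int main(void) {
    siz_t ok  = { 0, 0, 256, 256, 1, 1 };          /* constructed: ordinary 256x256 image */
    siz_t bad = { 0, 0, UINT32_MAX, 16, 1, 1 };    /* constructed: x1 beyond INT_MAX */
    comp_t c;
    printf("unchecked width for bad SIZ: %d\n", unchecked_width(&bad));
    printf("hardened accepts bad SIZ: %s\n", compute_component_dims(&bad, &c) ? "yes" : "no");
    if (compute_component_dims(&ok, &c) && alloc_component(&c)) {
        int32_t block[4 * 4] = { 0 };
        printf("in-bounds block stored: %s\n", store_block(&c, 252, 252, 4, 4, block) ? "yes" : "no");
        printf("overhanging block stored: %s\n", store_block(&c, 254, 254, 4, 4, block) ? "yes" : "no");
        free_component(&c);
    }
    return 0;
}
```

The property worth carrying into any decoder wrapper is that the hardened path fails closed before calloc is ever called, and that the code-block write is checked against the same dimensions the buffer was allocated from rather than against values re-derived from the codestream.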
CVSS Details
| Metric | Value |
|---|---|
| Base Score | 7.5 (Exploitability 3.9, Impact 3.6) |
| Vector string | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity | None |
| Availability | High |
Threat Intelligence
EPSS: 91.1% (the page reports this figure as a percentile)
Exploit & Patch Status
- Public exploit known
- Patch available
Weaknesses 1
- CWE-787 Out-of-bounds Write (Memory Safety)
Affected Products 23
| Vendor | Product | Version | Range |
|---|---|---|---|
| uclouvain | openjpeg | * | ≤2.3.1 |
| fedoraproject | fedora | 30 | any |
| fedoraproject | fedora | 31 | any |
| debian | debian_linux | 8.0 | any |
| debian | debian_linux | 9.0 | any |
| debian | debian_linux | 10.0 | any |
| redhat | enterprise_linux | 8.0 | any |
| redhat | enterprise_linux_desktop | 7.0 | any |
| redhat | enterprise_linux_eus | 7.7 | any |
| redhat | enterprise_linux_eus | 8.1 | any |
| redhat | enterprise_linux_eus | 8.2 | any |
| redhat | enterprise_linux_eus | 8.4 | any |
| redhat | enterprise_linux_server | 7.0 | any |
| redhat | enterprise_linux_server_aus | 7.7 | any |
| redhat | enterprise_linux_server_aus | 8.2 | any |
| redhat | enterprise_linux_server_aus | 8.4 | any |
| redhat | enterprise_linux_server_tus | 7.7 | any |
| redhat | enterprise_linux_server_tus | 8.2 | any |
| redhat | enterprise_linux_server_tus | 8.4 | any |
| redhat | enterprise_linux_workstation | 7.0 | any |
| oracle | georaster | 18c | any |
| oracle | outside_in_technology | 8.5.4 | any |
| oracle | outside_in_technology | 8.5.5 | any |
References 10
- https://access.redhat.com/errata/RHSA-2020:0262
- https://access.redhat.com/errata/RHSA-2020:0274
- https://access.redhat.com/errata/RHSA-2020:0296
- https://github.com/uclouvain/openjpeg/issues/1228
- https://lists.debian.org/debian-lts-announce/2020/01/msg00025.html
- https://lists.debian.org/debian-lts-announce/2020/07/msg00008.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LACIIDDCKZJEPKTTFILSOSBQL7L3FC6V/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XBRMI2D3XPVWKE3V52KRBW7BJVLS5LD3/
- https://www.debian.org/security/2021/dsa-4882
- https://www.oracle.com/security-alerts/cpujul2020.html
Remediation
- https://www.oracle.com/security-alerts/cpujul2020.html