CVE-2020-36328: Buffer Overflow
First published: Tue May 04 2021(Updated: )
A flaw was found in libwebp in versions before 1.0.1. A heap-based buffer overflow in function WebPDecodeRGBInto is possible due to an invalid check for buffer size. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/libwebp | 0.6.1-2+deb10u1 0.6.1-2+deb10u3 0.6.1-2.1+deb11u2 1.2.4-0.2+deb12u1 1.3.2-0.3 | |
| Webmproject Libwebp | <1.0.1 | |
| Redhat Enterprise Linux | =7.0 | |
| Redhat Enterprise Linux | =8.0 | |
| NetApp ONTAP Select Deploy administration utility | ||
| Debian Debian Linux | =9.0 | |
| Debian Debian Linux | =10.0 | |
| Apple iPadOS | =14.7 | |
| Apple iPhone OS | =14.7 | |
| IBM Cloud Pak for Security (CP4S) | <=1.7.2.0 | |
| IBM Cloud Pak for Security (CP4S) | <=1.7.1.0 | |
| IBM Cloud Pak for Security (CP4S) | <=1.7.0.0 | |
| redhat/libwebp | <1.0.1 | 1.0.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugs.chromium.org/p/webp/issues/detail?id=383
- https://chromium.googlesource.com/webm/libwebp/+/71ed73cf86132394ea25ae9c7ed431e0d71043f5
- https://security-tracker.debian.org/tracker/CVE-2020-36328
- http://seclists.org/fulldisclosure/2021/Jul/54
- https://bugzilla.redhat.com/show_bug.cgi?id=1956829
- https://lists.debian.org/debian-lts-announce/2021/06/msg00005.html
- https://lists.debian.org/debian-lts-announce/2021/06/msg00006.html
- https://security.netapp.com/advisory/ntap-20211112-0001/
- https://support.apple.com/kb/HT212601
- https://www.debian.org/security/2021/dsa-4930
- https://exchange.xforce.ibmcloud.com/vulnerabilities/202254
- https://www.ibm.com/support/pages/node/6493729 (Advisory)
- https://chromium.googlesource.com/webm/libwebp/+/dad31750e374eff8e02fb467eb562d4bf236ed6e
- https://chromium.googlesource.com/webm/libwebp/+/v1.0.1
- https://access.redhat.com/errata/RHSA-2021:2260
- https://access.redhat.com/security/cve/cve-2020-36328
- https://access.redhat.com/errata/RHSA-2021:2328
- https://access.redhat.com/errata/RHSA-2021:2354
- https://access.redhat.com/errata/RHSA-2021:2365
- https://access.redhat.com/errata/RHSA-2021:2364
Frequently Asked Questions
What is the vulnerability ID?
The vulnerability ID is CVE-2020-36328.
What is the severity of CVE-2020-36328?
The severity of CVE-2020-36328 is critical with a CVSS score of 9.8.
How does CVE-2020-36328 impact system security?
CVE-2020-36328 poses a threat to data confidentiality, integrity, and system availability.
Which software versions are affected by CVE-2020-36328?
Versions before 1.0.1 of libwebp are affected by CVE-2020-36328.
Where can I find more information about CVE-2020-36328?
You can find more information about CVE-2020-36328 in the provided references.
- collector/security-tracker-debian
- agent/type
- agent/references
- agent/weakness
- agent/remedy
- agent/severity
- agent/author
- agent/description
- collector/nvd-index
- agent/software-canonical-lookup-request
- agent/softwarecombine
- collector/ibm-support
- source/IBM
- agent/software-canonical-lookup
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/tags
- agent/first-publish-date
- agent/event
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2020-36328
- package-manager/debian
- vendor/webmproject
- canonical/webmproject libwebp
- vendor/redhat
- canonical/redhat enterprise linux
- version/redhat enterprise linux/7.0
- version/redhat enterprise linux/8.0
- vendor/netapp
- canonical/netapp ontap select deploy administration utility
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/9.0
- version/debian debian linux/10.0
- vendor/apple
- canonical/apple ipados
- version/apple ipados/14.7
- canonical/apple iphone os
- version/apple iphone os/14.7
- vendor/ibm
- canonical/ibm cloud pak for security (cp4s)
- version/ibm cloud pak for security (cp4s)/1.7.2.0
- version/ibm cloud pak for security (cp4s)/1.7.1.0
- version/ibm cloud pak for security (cp4s)/1.7.0.0
- package-manager/redhat