CVE-2020-36329: Use After Free
First published: Tue May 04 2021(Updated: )
A flaw was found in libwebp in versions before 1.0.1. A use-after-free was found due to a thread being killed too early. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/libwebp | 0.6.1-2+deb10u1 0.6.1-2+deb10u3 0.6.1-2.1+deb11u2 1.2.4-0.2+deb12u1 1.3.2-0.3 | |
| Webmproject Libwebp | <1.0.1 | |
| Redhat Enterprise Linux | =7.0 | |
| Redhat Enterprise Linux | =8.0 | |
| NetApp ONTAP Select Deploy administration utility | ||
| Debian Debian Linux | =9.0 | |
| Debian Debian Linux | =10.0 | |
| Apple iPadOS | <14.7 | |
| Apple iPhone OS | <14.7 | |
| IBM Cloud Pak for Security (CP4S) | <=1.7.2.0 | |
| IBM Cloud Pak for Security (CP4S) | <=1.7.1.0 | |
| IBM Cloud Pak for Security (CP4S) | <=1.7.0.0 | |
| redhat/libwebp | <1.0.1 | 1.0.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugs.chromium.org/p/webp/issues/detail?id=385
- https://chromium.googlesource.com/webm/libwebp/+/569001f19fc81fcb5ab358f587a54c62e7c4665c
- https://security-tracker.debian.org/tracker/CVE-2020-36329
- http://seclists.org/fulldisclosure/2021/Jul/54
- https://bugzilla.redhat.com/show_bug.cgi?id=1956843
- https://lists.debian.org/debian-lts-announce/2021/06/msg00005.html
- https://lists.debian.org/debian-lts-announce/2021/06/msg00006.html
- https://security.netapp.com/advisory/ntap-20211112-0001/
- https://support.apple.com/kb/HT212601
- https://www.debian.org/security/2021/dsa-4930
- https://exchange.xforce.ibmcloud.com/vulnerabilities/202253
- https://www.ibm.com/support/pages/node/6493729 (Advisory)
- https://chromium.googlesource.com/webm/libwebp/+/v1.0.1
- https://access.redhat.com/errata/RHSA-2021:2260
- https://access.redhat.com/security/cve/cve-2020-36329
- https://access.redhat.com/errata/RHSA-2021:2328
- https://access.redhat.com/errata/RHSA-2021:2354
- https://access.redhat.com/errata/RHSA-2021:2365
- https://access.redhat.com/errata/RHSA-2021:2364
Frequently Asked Questions
What is the vulnerability ID of this flaw in libwebp?
The vulnerability ID of this flaw in libwebp is CVE-2020-36329.
What is the severity rating of CVE-2020-36329?
CVE-2020-36329 has a severity rating of 9.8 (Critical).
What is the affected software of CVE-2020-36329?
The affected software includes IBM Cloud Pak for Security (CP4S), Mozilla Firefox ESR, Redhat Enterprise Linux, NetApp ONTAP Select Deploy administration utility, Debian Debian Linux, Apple iPadOS, and Apple iPhone OS.
How does the vulnerability in libwebp impact the system?
The vulnerability in libwebp could allow a remote attacker to execute arbitrary code on the system, obtain sensitive information, or cause a denial of service.
Are there any fixes or patches available for CVE-2020-36329?
Yes, there are fixes and patches available for CVE-2020-36329. It is recommended to update to libwebp version 1.0.1 or later to mitigate this vulnerability.
- collector/security-tracker-debian
- agent/type
- agent/references
- agent/weakness
- agent/remedy
- agent/severity
- agent/description
- agent/author
- collector/nvd-index
- agent/software-canonical-lookup-request
- agent/softwarecombine
- collector/ibm-support
- source/IBM
- agent/software-canonical-lookup
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/event
- agent/tags
- agent/first-publish-date
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2020-36329
- package-manager/debian
- vendor/webmproject
- canonical/webmproject libwebp
- vendor/redhat
- canonical/redhat enterprise linux
- version/redhat enterprise linux/7.0
- version/redhat enterprise linux/8.0
- vendor/netapp
- canonical/netapp ontap select deploy administration utility
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/9.0
- version/debian debian linux/10.0
- vendor/apple
- canonical/apple ipados
- canonical/apple iphone os
- vendor/ibm
- canonical/ibm cloud pak for security (cp4s)
- version/ibm cloud pak for security (cp4s)/1.7.2.0
- version/ibm cloud pak for security (cp4s)/1.7.1.0
- version/ibm cloud pak for security (cp4s)/1.7.0.0
- package-manager/redhat