CVE-2021-3272
First published: Wed Jan 27 2021(Updated: )
jp2_decode in jp2/jp2_dec.c in libjasper in JasPer 2.0.24 has a heap-based buffer over-read when there is an invalid relationship between the number of channels and the number of image components.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/jasper | <2.0.25 | 2.0.25 |
| Jasper Project Jasper | =2.0.24 | |
| Fedoraproject Fedora | =32 | |
| Fedoraproject Fedora | =33 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/jasper-software/jasper/issues/259
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4BZFU2F6UW4L2FJE65WJLWGUIELDWCL7/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HD2Y2LT4N5ZWCMKYCUIKB3XODNJLOW3J/
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1921328
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1921326
- https://github.com/jasper-software/jasper/commit/49174ab592cdfa6f1a929a2ee3d4b4976f9459fd
- https://access.redhat.com/errata/RHSA-2021:4235
- https://access.redhat.com/security/cve/cve-2021-3272
- https://bugzilla.redhat.com/show_bug.cgi?id=1921325
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HD2Y2LT4N5ZWCMKYCUIKB3XODNJLOW3J/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4BZFU2F6UW4L2FJE65WJLWGUIELDWCL7/
Frequently Asked Questions
What is the vulnerability ID?
The vulnerability ID is CVE-2021-3272.
What is the title of the vulnerability?
The title of the vulnerability is 'jp2_decode in jp2/jp2_dec.c in libjasper in JasPer 2.0.24 has a heap-based buffer over-read when there is an invalid relationship between the number of channels and the number of image components.'
What is the severity of CVE-2021-3272?
The severity of CVE-2021-3272 is medium with a severity value of 5.5.
Which software versions are affected by CVE-2021-3272?
JasPer 2.0.24 and Fedora 32 and 33 are affected by CVE-2021-3272.
How can CVE-2021-3272 be fixed?
CVE-2021-3272 can be fixed by upgrading to JasPer version 2.0.25.
- collector/nvd-index
- agent/type
- agent/softwarecombine
- agent/first-publish-date
- agent/last-modified-date
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2021-3272
- agent/software-canonical-lookup
- agent/author
- agent/references
- agent/severity
- agent/weakness
- agent/tags
- agent/description
- agent/event
- collector/mitre-cve
- source/MITRE
- vendor/jasper project
- canonical/jasper project jasper
- version/jasper project jasper/2.0.24
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/32
- version/fedoraproject fedora/33
- package-manager/redhat