CVE-2018-20584
JasPer Image Format Conversion Denial of Service (DoS)
Description
JasPer 2.0.14 allows remote attackers to cause a denial of service (application hang) via an attempted conversion to the jp2 format.
INFO
Published Date :
Dec. 30, 2018, 5:29 a.m.
Last Modified :
Nov. 21, 2024, 4:01 a.m.
Source :
[email protected]
Remotely Exploitable :
Yes !
Impact Score :
3.6
Exploitability Score :
2.8
Affected Products
The following products are affected by CVE-2018-20584
vulnerability.
Even if cvefeed.io
is aware of the exact versions of the
products
that
are
affected, the information is not represented in the table below.
References to Advisories, Solutions, and Tools
Here, you will find a curated list of external links that provide in-depth
information, practical solutions, and valuable tools related to
CVE-2018-20584
.
URL | Resource |
---|---|
http://www.securityfocus.com/bid/106356 | Broken Link Third Party Advisory VDB Entry |
https://github.com/mdadams/jasper/issues/192 | Exploit Third Party Advisory |
https://lists.debian.org/debian-lts-announce/2019/01/msg00003.html | Mailing List Third Party Advisory |
https://security.gentoo.org/glsa/201908-03 | Third Party Advisory |
https://www.oracle.com/security-alerts/cpuapr2020.html | Patch Third Party Advisory |
http://www.securityfocus.com/bid/106356 | Broken Link Third Party Advisory VDB Entry |
https://github.com/mdadams/jasper/issues/192 | Exploit Third Party Advisory |
https://lists.debian.org/debian-lts-announce/2019/01/msg00003.html | Mailing List Third Party Advisory |
https://security.gentoo.org/glsa/201908-03 | Third Party Advisory |
https://www.oracle.com/security-alerts/cpuapr2020.html | Patch Third Party Advisory |
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2018-20584
vulnerability anywhere in the article.
The following table lists the changes that have been made to the
CVE-2018-20584
vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
-
CVE Modified by af854a3a-2127-422b-91ae-364da2661108
Nov. 21, 2024
Action Type Old Value New Value Added Reference http://www.securityfocus.com/bid/106356 Added Reference https://github.com/mdadams/jasper/issues/192 Added Reference https://lists.debian.org/debian-lts-announce/2019/01/msg00003.html Added Reference https://security.gentoo.org/glsa/201908-03 Added Reference https://www.oracle.com/security-alerts/cpuapr2020.html -
CVE Modified by [email protected]
May. 14, 2024
Action Type Old Value New Value -
Modified Analysis by [email protected]
Feb. 28, 2023
Action Type Old Value New Value Removed CVSS V3 NIST AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H Added CVSS V3.1 NIST AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H Changed Reference Type http://www.securityfocus.com/bid/106356 Third Party Advisory, VDB Entry http://www.securityfocus.com/bid/106356 Broken Link, Third Party Advisory, VDB Entry Changed Reference Type https://lists.debian.org/debian-lts-announce/2019/01/msg00003.html Third Party Advisory https://lists.debian.org/debian-lts-announce/2019/01/msg00003.html Mailing List, Third Party Advisory Changed Reference Type https://security.gentoo.org/glsa/201908-03 No Types Assigned https://security.gentoo.org/glsa/201908-03 Third Party Advisory Changed Reference Type https://www.oracle.com/security-alerts/cpuapr2020.html No Types Assigned https://www.oracle.com/security-alerts/cpuapr2020.html Patch, Third Party Advisory Added CPE Configuration OR *cpe:2.3:a:oracle:outside_in_technology:8.5.4:*:*:*:*:*:*:* -
CWE Remap by [email protected]
Aug. 24, 2020
Action Type Old Value New Value Changed CWE CWE-119 NVD-CWE-noinfo -
CVE Modified by [email protected]
Apr. 15, 2020
Action Type Old Value New Value Added Reference https://www.oracle.com/security-alerts/cpuapr2020.html [No Types Assigned] -
CVE Modified by [email protected]
Aug. 09, 2019
Action Type Old Value New Value Added Reference https://security.gentoo.org/glsa/201908-03 [No Types Assigned] -
Modified Analysis by [email protected]
Mar. 05, 2019
Action Type Old Value New Value -
CVE Modified by [email protected]
Jan. 31, 2019
Action Type Old Value New Value Changed Description JasPer 2.0.14 allows remote attackers to cause a denial of service (application hang) via an attempted conversion to the jp2 format, as demonstrated by 00 00 00 0c 6a 50 20 20 0d 0a 87 0a 00 00 00 14 66 74 79 70 6a 70 32 20 00 00 00 00 6a 70 32 20 00 00 00 2d 6a 70 32 68 00 00 00 16 69 68 64 72 00 00 00 20 00 00 00 20 00 03 07 07 00 00 00 00 00 0f 63 6f 6c 72 01 00 00 00 00 00 10 00 00 00 d8 6a 70 32 63 ff 4f ff 51 00 2f 00 00 00 08 00 20 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 20 00 00 00 20 00 00 00 00 00 00 00 00 00 03 07 01 01 07 01 01 07 01 01 ff 52 00 0c 00 00 00 01 01 00 04 04 00 01 ff 5c 00 04 40 40 ff 64 00 25 00 01 43 72 65 61 74 65 64 20 62 79 20 4f 70 65 6e 4a 50 45 47 20 76 65 72 73 69 6f 6e 20 32 2e 31 2e 30 ff 90 00 0a 00 00 00 00 00 60 00 01 ff 93 dc d7 00 18 80 0e 21 bf fc 2e ea b2 37 ce db f3 05 52 3f 43 2d 2b dd d7 64 c4 3d 67 ff 72 ab 35 2b f8 43 ca b3 5f ca d9 24 85 b4 59 5c 8d 25 fd 77 80 cb 78 1d 87 60 d6 f8 28 6e 8f 65 45 25 ea ff 5d bf 1a 71 13 10 a9 de e4 dd 6b 41 f7 38 dc 66 4f ff d9. JasPer 2.0.14 allows remote attackers to cause a denial of service (application hang) via an attempted conversion to the jp2 format. -
Initial Analysis by [email protected]
Jan. 11, 2019
Action Type Old Value New Value Added CVSS V2 Metadata Victim must voluntarily interact with attack mechanism Added CVSS V2 (AV:N/AC:M/Au:N/C:N/I:N/A:P) Added CVSS V3 AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H Changed Reference Type http://www.securityfocus.com/bid/106356 No Types Assigned http://www.securityfocus.com/bid/106356 Third Party Advisory, VDB Entry Changed Reference Type https://github.com/mdadams/jasper/issues/192 No Types Assigned https://github.com/mdadams/jasper/issues/192 Exploit, Third Party Advisory Changed Reference Type https://lists.debian.org/debian-lts-announce/2019/01/msg00003.html No Types Assigned https://lists.debian.org/debian-lts-announce/2019/01/msg00003.html Third Party Advisory Added CWE CWE-119 Added CPE Configuration OR *cpe:2.3:a:jasper_project:jasper:2.0.14:*:*:*:*:*:*:* Added CPE Configuration OR *cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:* -
CVE Modified by [email protected]
Jan. 03, 2019
Action Type Old Value New Value Added Reference https://lists.debian.org/debian-lts-announce/2019/01/msg00003.html [No Types Assigned] -
CVE Modified by [email protected]
Dec. 31, 2018
Action Type Old Value New Value Added Reference http://www.securityfocus.com/bid/106356 [No Types Assigned]
CWE - Common Weakness Enumeration
While CVE identifies
specific instances of vulnerabilities, CWE categorizes the common flaws or
weaknesses that can lead to vulnerabilities. CVE-2018-20584
is
associated with the following CWEs:
Common Attack Pattern Enumeration and Classification (CAPEC)
Common Attack Pattern Enumeration and Classification
(CAPEC)
stores attack patterns, which are descriptions of the common attributes and
approaches employed by adversaries to exploit the CVE-2018-20584
weaknesses.
Exploit Prediction
EPSS is a daily estimate of the probability of exploitation activity being observed over the next 30 days.
0.33 }} -0.02%
score
0.70618
percentile