CVE-2021-3272

Public on 2021-01-27

Modified on 2024-02-12

Description

jp2_decode in jp2/jp2_dec.c in libjasper in JasPer 2.0.24 has a heap-based buffer over-read when there is an invalid relationship between the number of channels and the number of image components.

Severity

Medium

CVSS v3 Base Score

5.5

See breakdown

Affected Packages

Platform	Package	Release Date	Advisory	Status
Amazon Linux 1	jasper	2023-04-13	ALAS-2023-1733	Fixed
Amazon Linux 2 - Core	jasper	2023-04-13	ALAS2-2023-2018	Fixed
Amazon Linux 2023	jasper			Not Affected

CVSS Scores

	Score Type	Score	Vector
Amazon Linux	CVSSv3	5.5	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
NVD	CVSSv2	4.3	AV:N/AC:M/Au:N/C:N/I:N/A:P
NVD	CVSSv3	5.5	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

References

Red Hat: CVE-2021-3272 Mitre: CVE-2021-3272