Vulnerability Details: CVE-2014-8138
Heap-based buffer overflow in the jp2_decode function in JasPer 1.900.1 and earlier allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted JPEG 2000 file.
Vulnerability category: Overflow, Execute code, Denial of service
Exploit prediction scoring system (EPSS) score for CVE-2014-8138
Probability of exploitation activity in the next 30 days: 23.25%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 96 %
CVSS scores for CVE-2014-8138
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
---|---|---|---|---|---|
7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P | 10.0 | 6.4 | NIST |
CWE ids for CVE-2014-8138
- The product performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer. Assigned by: nvd@nist.gov (Primary)
References for CVE-2014-8138
- http://www.debian.org/security/2014/dsa-3106
  Debian -- Security Information -- DSA-3106-1 jasper
- http://packetstormsecurity.com/files/129660/JasPer-1.900.1-Double-Free-Heap-Overflow.html
  JasPer 1.900.1 Double-Free / Heap Overflow ≈ Packet Storm
- http://www.ubuntu.com/usn/USN-2483-2
  USN-2483-2: Ghostscript vulnerabilities | Ubuntu security notices
- http://www.mandriva.com/security/advisories?name=MDVSA-2015:012
  mandriva.com
- http://lists.opensuse.org/opensuse-updates/2015-01/msg00017.html
  openSUSE-SU-2015:0042-1: moderate: Security update for jasper
- http://lists.opensuse.org/opensuse-updates/2015-01/msg00013.html
  openSUSE-SU-2015:0038-1: moderate: Security update for jasper
- http://www.securityfocus.com/bid/71746
  JasPer CVE-2014-8138 Remote Heap Buffer Overflow Vulnerability
- http://www.ubuntu.com/usn/USN-2483-1
  USN-2483-1: JasPer vulnerabilities | Ubuntu security notices
- https://www.ocert.org/advisories/ocert-2014-012.html
  oCERT archive (Third Party Advisory; US Government Resource)
- http://rhn.redhat.com/errata/RHSA-2014-2021.html
  RHSA-2014:2021 - Security Advisory - Red Hat Customer Portal
- http://www.mandriva.com/security/advisories?name=MDVSA-2015:159
  mandriva.com
- http://www.slackware.com/security/viewer.php?l=slackware-security&y=2015&m=slackware-security.538606
  The Slackware Linux Project: Slackware Security Advisories
- http://advisories.mageia.org/MGASA-2014-0539.html
  Mageia Advisory: MGASA-2014-0539 - Updated jasper packages fix security vulnerabilities
- http://rhn.redhat.com/errata/RHSA-2015-0698.html
  RHSA-2015:0698 - Security Advisory - Red Hat Customer Portal
- http://rhn.redhat.com/errata/RHSA-2015-1713.html
  RHSA-2015:1713 - Security Advisory - Red Hat Customer Portal
- http://lists.opensuse.org/opensuse-updates/2015-01/msg00014.html
  openSUSE-SU-2015:0039-1: moderate: Security update for jasper
- http://www.securitytracker.com/id/1033459
  Red Hat Enterprise Virtualization Hypervisor Bugs Let Remote Users Execute Arbitrary Code, Gain Elevated Privileges, and Deny Service - SecurityTracker
Products affected by CVE-2014-8138
- cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*
- cpe:2.3:a:jasper_project:jasper:1.900.1:*:*:*:*:*:*:*