Vulnerability Details : CVE-2015-5221
Use-after-free vulnerability in the mif_process_cmpt function in libjasper/mif/mif_cod.c in the JasPer JPEG-2000 library before 1.900.2 allows remote attackers to cause a denial of service (crash) via a crafted JPEG 2000 image file.
Vulnerability category: Memory CorruptionDenial of service
Products affected by CVE-2015-5221
- cpe:2.3:o:fedoraproject:fedora:24:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:25:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:23:*:*:*:*:*:*:*
- cpe:2.3:o:opensuse:opensuse:13.2:*:*:*:*:*:*:*
- cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:*
- cpe:2.3:o:opensuse:leap:42.2:*:*:*:*:*:*:*
- cpe:2.3:a:jasper_project:jasper:*:*:*:*:*:*:*:*
- cpe:2.3:o:opensuse_project:leap:42.1:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2015-5221
0.28%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 51 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2015-5221
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
4.3
|
MEDIUM | AV:N/AC:M/Au:N/C:N/I:N/A:P |
8.6
|
2.9
|
NIST | |
|
5.5
|
MEDIUM | CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H |
1.8
|
3.6
|
NIST |
CWE ids for CVE-2015-5221
-
The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.Assigned by: nvd@nist.gov (Primary)
References for CVE-2015-5221
-
https://github.com/mdadams/jasper/commit/df5d2867e8004e51e18b89865bc4aa69229227b3
CVE-2015-5221 · mdadams/jasper@df5d286 · GitHubIssue Tracking;Patch;Third Party Advisory
-
http://www.openwall.com/lists/oss-security/2015/08/20/4
oss-security - Use-after-free (and double-free) in Jasper JPEG-200 (CVE-2015-5221)Mailing List;Third Party Advisory
-
http://lists.opensuse.org/opensuse-updates/2016-11/msg00010.html
openSUSE-SU-2016:2722-1: moderate: Security update for jasperThird Party Advisory
-
https://lists.debian.org/debian-lts-announce/2018/11/msg00023.html
[SECURITY] [DLA 1583-1] jasper security update
-
http://lists.opensuse.org/opensuse-updates/2016-11/msg00064.html
openSUSE-SU-2016:2833-1: moderate: Security update for jasperThird Party Advisory
-
https://usn.ubuntu.com/3693-1/
USN-3693-1: JasPer vulnerabilities | Ubuntu security notices
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UNLVBZWDEXZCFWOBZ3YVEQINMRBRX5QV/
[SECURITY] Fedora 24 Update: jasper-1.900.1-33.fc24 - package-announce - Fedora Mailing-ListsThird Party Advisory
-
http://lists.opensuse.org/opensuse-updates/2016-11/msg00018.html
openSUSE-SU-2016:2737-1: moderate: Security update for jasperThird Party Advisory
-
https://access.redhat.com/errata/RHSA-2017:1208
RHSA-2017:1208 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
https://bugzilla.redhat.com/show_bug.cgi?id=1255710
1255710 – (CVE-2015-5221) CVE-2015-5221 jasper: use-after-free and double-free flaws in mif_process_cmpt()Issue Tracking;Patch
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AXWV22WGSQFDRPE7G6ECGP3QXS2V2A2M/
[SECURITY] Fedora 23 Update: jasper-1.900.1-34.fc23 - package-announce - Fedora Mailing-ListsThird Party Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3QIZNTZDXOJR5BTRZKCS3GVHVZV2PWHH/
[SECURITY] Fedora 25 Update: jasper-1.900.1-33.fc25 - package-announce - Fedora Mailing-ListsThird Party Advisory
Jump to