Vulnerability Details : CVE-2018-20820
read_ujpg in jpgcoder.cc in Dropbox Lepton 1.2.1 allows attackers to cause a denial-of-service (application runtime crash because of an integer overflow) via a crafted file.
Vulnerability category: OverflowDenial of service
Exploit prediction scoring system (EPSS) score for CVE-2018-20820
Probability of exploitation activity in the next 30 days: 0.06%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 26 % EPSS Score History EPSS FAQ
CVSS scores for CVE-2018-20820
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
---|---|---|---|---|---|
4.3
|
MEDIUM | AV:N/AC:M/Au:N/C:N/I:N/A:P |
8.6
|
2.9
|
NIST |
5.5
|
MEDIUM | CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H |
1.8
|
3.6
|
NIST |
CWE ids for CVE-2018-20820
-
The product performs a calculation that can produce an integer overflow or wraparound, when the logic assumes that the resulting value will always be larger than the original value. This can introduce other weaknesses when the calculation is used for resource management or execution control.Assigned by: nvd@nist.gov (Primary)
References for CVE-2018-20820
-
https://github.com/dropbox/lepton/commit/6a5ceefac1162783fffd9506a3de39c85c725761
fix #111 · dropbox/lepton@6a5ceef · GitHubPatch;Third Party Advisory
-
https://github.com/dropbox/lepton/issues/111
Integer Overflow at src/lepton/jpgcoder.cc:4160 · Issue #111 · dropbox/lepton · GitHubExploit;Patch;Third Party Advisory
Products affected by CVE-2018-20820
- cpe:2.3:a:dropbox:lepton:1.2.1:*:*:*:*:*:*:*