CVE-2016-9573 — MEDIUM (6.5)

Vulnerability Description

An out-of-bounds read vulnerability was found in OpenJPEG 2.1.2, in the j2k_to_image tool. Converting a specially crafted JPEG2000 file to another format could cause the application to crash or, potentially, disclose some data from the heap.

CVSS Score

6.5

MEDIUM

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:H

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

LOW

Integrity

NONE

Availability

HIGH

Affected Products

Vendor	Product	Versions
Uclouvain	Openjpeg	2.1.2
Redhat	Enterprise Linux Desktop	7.0
Redhat	Enterprise Linux Server	7.0
Redhat	Enterprise Linux Server Aus	7.3
Redhat	Enterprise Linux Server Eus	7.3
Redhat	Enterprise Linux Workstation	7.0
Debian	Debian Linux	8.0

Related Weaknesses (CWE)

CWE-125

References

http://rhn.redhat.com/errata/RHSA-2017-0838.htmlThird Party Advisory
http://www.securityfocus.com/bid/97073Third Party AdvisoryVDB Entry
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-9573ExploitIssue TrackingPatch
https://github.com/szukw000/openjpeg/commit/7b28bd2b723df6be09fe7791eba33147c1c4PatchThird Party Advisory
https://github.com/uclouvain/openjpeg/issues/862ExploitThird Party Advisory
https://security.gentoo.org/glsa/201710-26Third Party Advisory
https://www.debian.org/security/2017/dsa-3768Third Party Advisory
http://rhn.redhat.com/errata/RHSA-2017-0838.htmlThird Party Advisory
http://www.securityfocus.com/bid/97073Third Party AdvisoryVDB Entry
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-9573ExploitIssue TrackingPatch
https://github.com/szukw000/openjpeg/commit/7b28bd2b723df6be09fe7791eba33147c1c4PatchThird Party Advisory
https://github.com/uclouvain/openjpeg/issues/862ExploitThird Party Advisory
https://security.gentoo.org/glsa/201710-26Third Party Advisory
https://www.debian.org/security/2017/dsa-3768Third Party Advisory

FAQ

What is CVE-2016-9573?

CVE-2016-9573 is a vulnerability with a CVSS score of 6.5 (MEDIUM). An out-of-bounds read vulnerability was found in OpenJPEG 2.1.2, in the j2k_to_image tool. Converting a specially crafted JPEG2000 file to another format could cause the application to crash or, poten...

How severe is CVE-2016-9573?

CVE-2016-9573 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2016-9573?

Check the references section above for vendor advisories and patch information. Affected products include: Uclouvain Openjpeg, Redhat Enterprise Linux Desktop, Redhat Enterprise Linux Server, Redhat Enterprise Linux Server Aus, Redhat Enterprise Linux Server Eus.