CVE-2019-13960 — MEDIUM (5.5)

Vulnerability Description

In libjpeg-turbo 2.0.2, a large amount of memory can be used during processing of an invalid progressive JPEG image containing incorrect width and height values in the image header. NOTE: the vendor's expectation, for use cases in which this memory usage would be a denial of service, is that the application should interpret libjpeg warnings as fatal errors (aborting decompression) and/or set limits on resource consumption or image sizes

CVSS Score

5.5

MEDIUM

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality

NONE

Integrity

NONE

Availability

HIGH

Affected Products

Vendor	Product	Versions
Libjpeg-Turbo	Libjpeg-Turbo	2.0.2

Related Weaknesses (CWE)

CWE-770

References

https://github.com/libjpeg-turbo/libjpeg-turbo/issues/337ExploitThird Party Advisory
https://libjpeg-turbo.org/pmwiki/uploads/About/TwoIssueswiththeJPEGStandard.pdfExploitPatchVendor Advisory
https://github.com/libjpeg-turbo/libjpeg-turbo/issues/337ExploitThird Party Advisory
https://libjpeg-turbo.org/pmwiki/uploads/About/TwoIssueswiththeJPEGStandard.pdfExploitPatchVendor Advisory

FAQ

What is CVE-2019-13960?

CVE-2019-13960 is a vulnerability with a CVSS score of 5.5 (MEDIUM). In libjpeg-turbo 2.0.2, a large amount of memory can be used during processing of an invalid progressive JPEG image containing incorrect width and height values in the image header. NOTE: the vendor's...

How severe is CVE-2019-13960?

CVE-2019-13960 has been rated MEDIUM with a CVSS base score of 5.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2019-13960?

Check the references section above for vendor advisories and patch information. Affected products include: Libjpeg-Turbo Libjpeg-Turbo.