Vulnerability Description
im_vips2dz in /libvips/libvips/deprecated/im_vips2dz.c in libvips before 8.8.2 has an uninitialized variable which may cause the leakage of remote server path or stack address.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Libvips | Libvips | < 8.8.2 |
| Debian | Debian Linux | 9.0 |
| Fedoraproject | Fedora | 32 |
Related Weaknesses (CWE)
References
- https://github.com/libvips/libvips/commit/2ab5aa7bf515135c2b02d42e9a72e4c98e1703 (Patch)
- https://github.com/libvips/libvips/issues/1419 (Exploit, Issue Tracking)
- https://lists.debian.org/debian-lts-announce/2020/11/msg00049.html (Mailing List, Third Party Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro (Mailing List, Third Party Advisory)
FAQ
What is CVE-2020-20739?
CVE-2020-20739 is a vulnerability with a CVSS score of 5.3 (MEDIUM). im_vips2dz in /libvips/libvips/deprecated/im_vips2dz.c in libvips before 8.8.2 has an uninitialized variable which may cause the leakage of remote server path or stack address.
How severe is CVE-2020-20739?
CVE-2020-20739 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2020-20739?
Check the references section above for vendor advisories and patch information. Affected products include: Libvips Libvips, Debian Debian Linux, Fedoraproject Fedora.