Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact
6.8
CVSSv2

CVE-2016-8332

Published: 28/10/2016 Updated: 19/04/2022
CVSS v2 Base Score: 6.8 | Impact Score: 6.4 | Exploitability Score: 8.6
CVSS v3 Base Score: 7.8 | Impact Score: 5.9 | Exploitability Score: 1.8
VMScore: 605
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Subscribe to Uclouvain

Vulnerability Summary

A buffer overflow in OpenJPEG 2.1.1 causes arbitrary code execution when parsing a crafted image. An exploitable code execution vulnerability exists in the jpeg2000 image file format parser as implemented in the OpenJpeg library. A specially crafted jpeg2000 file can cause an out of bound heap write resulting in heap corruption leading to arbitrary code execution. For a successful attack, the target user needs to open a malicious jpeg2000 file. The jpeg2000 image file format is mostly used for embedding images inside PDF documents and the OpenJpeg library is used by a number of popular PDF renderers making PDF documents a likely attack vector.

Vulnerability Trend

Vulnerable Product Search on Vulmon Subscribe to Product

uclouvain openjpeg 2.1.1

Vendor Advisories

Debian Security Advisories: DSA-3768-1 openjpeg2 -- security update
Multiple vulnerabilities in OpenJPEG, a JPEG 2000 image compression / decompression library, may result in denial of service or the execution of arbitrary code if a malformed JPEG 2000 file is processed For the stable distribution (jessie), these problems have been fixed in version 210-2+deb8u2 For the unstable distribution (sid), these problem ...
Red Hat: CVE-2016-8332
A buffer overflow in OpenJPEG 211 causes arbitrary code execution when parsing a crafted image An exploitable code execution vulnerability exists in the jpeg2000 image file format parser as implemented in the OpenJpeg library A specially crafted jpeg2000 file can cause an out of bound heap write resulting in heap corruption leading to arbitrary ...

Github Repositories

https://github.com/kardeiz/jp2k

jp2k Rust bindings to OpenJPEG Supports loading JPEG2000 images into image::DynamicImageRust Forked from framagitorg/leoschwarz/jpeg2000-rust before its GPL-v3 relicensing, with some additional features: Specify decoding area and quality layers in addition to reduction factor Improved OpenJPEG -> DynamicImage loading process Get basic metadata from JPEG2000 he

Recent Articles

Let's not meet up with JPEG 2000 – researchers find security hole in image codec
The Register • Shaun Nichols in San Francisco • 04 Oct 2016

Won't it be strange when we're all fully pwned?

Researchers are warning about a newly discovered security vulnerability in a popular open-source JPEG 2000 parser that could let corrupted image files trigger remote code execution. Cisco-owned security firm Talos warns that by embedding a malformed image file into a web page, PDF file, or email message, an attacker could gain control over the targeted system simply by the user loading the page or message in a vulnerable application. The flaw itself (designated CVE-2016-8332) involves the mishan...

Read more...

References

CWE-119http://www.talosintelligence.com/reports/TALOS-2016-0193/https://github.com/uclouvain/openjpeg/releases/tag/v2.1.2http://www.securityfocus.com/bid/93242http://www.securitytracker.com/id/1038623http://www.debian.org/security/2017/dsa-3768https://www.oracle.com/security-alerts/cpujul2020.htmlhttps://www.debian.org/security/./dsa-3768https://nvd.nist.govhttps://access.redhat.com/security/cve/cve-2016-8332
CVSSv2
CVSSv2
CVSSv3
VMScore
Recommendations:
CVE-2023-3675CVE-2024-3400CVE-2024-23557mass assignmentCVE-2023-1389local file inclusionCVE-2024-32596file uploadCVE-2024-32593
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook