CVE-2021-3575

Published: April 3, 2022

A heap-based buffer overflow was found in openjpeg in color.c:379:42 in sycc420_to_rgb when decompressing a crafted .j2k file. An attacker could use this to execute arbitrary code with the permissions of the application compiled against openjpeg.

HIGH
CVSS v3: 7.8

Status

DocFilters Release	Package	State	Justification	Comment
25.1	openjpeg (2.5.0)	Not Affected	Code Not Present	not-exploitable: CVE is in opj2_decompress CLI tool not used by docfilters.
24.4	openjpeg (2.5.0)	Not Affected	Code Not Present	not-exploitable: CVE is in opj2_decompress CLI tool not used by docfilters.
24.4.0	openjpeg (2.5.0)	Not Affected	Code Not Present	not-exploitable: CVE is in opj2_decompress CLI tool not used by docfilters.
24.3	openjpeg (2.5.0)	Not Affected	Code Not Present	not-exploitable: CVE is in opj2_decompress CLI tool not used by docfilters.
24.2.1	openjpeg (2.5.0)	Not Affected	Code Not Present	not-exploitable: CVE is in opj2_decompress CLI tool not used by docfilters.
24.2	openjpeg (2.5.0)	Not Affected	Code Not Present	not-exploitable: CVE is in opj2_decompress CLI tool not used by docfilters.
24.1	openjpeg (2.5.0)	Not Affected	Code Not Present	not-exploitable: CVE is in opj2_decompress CLI tool not used by docfilters.
23.3	openjpeg (2.5.0)	Not Affected	Code Not Present	not-exploitable: CVE is in opj2_decompress CLI tool not used by docfilters.
23.2.1	openjpeg (2.4.0)	Not Affected	Code Not Present	not-exploitable: CVE is in opj2_decompress CLI tool not used by docfilters.
23.2	openjpeg (2.4.0)	Not Affected	Code Not Present	not-exploitable: CVE is in opj2_decompress CLI tool not used by docfilters.
23.1	openjpeg (2.4.0)	Not Affected	Code Not Present	not-exploitable: CVE is in opj2_decompress CLI tool not used by docfilters.
22.4	openjpeg (2.4.0)	Not Affected	Code Not Present	not-exploitable: CVE is in opj2_decompress CLI tool not used by docfilters.
22.3	openjpeg (2.4.0)	Needs Triage		not-exploitable: CVE is in opj2_decompress CLI tool not used by docfilters.
22.2	openjpeg (2.4.0)	Needs Triage		not-exploitable: CVE is in opj2_decompress CLI tool not used by docfilters.
22.1	openjpeg (2.4.0)	Needs Triage
21.11.1	openjpeg (2.4.0)	Needs Triage
21.11	openjpeg (2.4.0)	Needs Triage
21.8.1	openjpeg (2.4.0)	Needs Triage
21.8	openjpeg (2.4.0)	Needs Triage
21.5.1	openjpeg (2.4.0)	Needs Triage
21.5.0	openjpeg (2.4.0)	Needs Triage
21.2.0	openjpeg (2.4.0)	Needs Triage
11.4.20	openjpeg (2.3.1)	Needs Triage
11.4.19.3667	openjpeg (2.3.1)	Needs Triage
11.4.18.3599	openjpeg (2.3.1)	Needs Triage
11.4.17	openjpeg (2.3.1)	Needs Triage
11.4.16.3445	openjpeg (2.3.1)	Needs Triage
11.4.15.3368	openjpeg (2.3.1)	Needs Triage
11.4.14.3263	openjpeg (2.3.0)	Needs Triage
11.4.13.3179	openjpeg (2.3.0)	Needs Triage
11.4.12.3054	openjpeg (2.3.0)	Needs Triage
11.4.11.3040	openjpeg (2.3.0)	Needs Triage
11.4.11.2990	openjpeg (2.3.0)	Needs Triage
11.4.10.2934	openjpeg (2.3.0)	Needs Triage
11.4.9.2878	openjpeg (2.3.0)	Needs Triage

Severity score breakdown

Attack Complexity

LOW

Attack Vector

LOCAL

Availability Impact

HIGH

Base Score

7.8

Base Severity

HIGH

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Privileges Required

NONE

Scope

UNCHANGED

User Interaction

REQUIRED

Vector String

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Version

3.1

References

NVD
MITRE