#VU33250 Input validation error in JasPer - CVE-2014-8137

Cybersecurity Help s.r.o.

Published: 2014-12-24 | Updated: 2020-08-03

Vulnerability identifier: #VU33250

Vulnerability risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2014-8137

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
JasPer
Client/Desktop applications / Multimedia software

Vendor: The JasPer Project

Description

The vulnerability allows remote attackers to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can cause a denial of service (crash) or possibly execute arbitrary code via a crafted ICC color profile in a JPEG 2000 image file.

Mitigation
Update to version 1.900.2.

Vulnerable software versions

JasPer: 1.900.0 - 1.900.1

External links
https://advisories.mageia.org/MGASA-2014-0539.html
https://lists.opensuse.org/opensuse-updates/2015-01/msg00013.html
https://lists.opensuse.org/opensuse-updates/2015-01/msg00014.html
https://lists.opensuse.org/opensuse-updates/2015-01/msg00017.html
https://packetstormsecurity.com/files/129660/JasPer-1.900.1-Double-Free-Heap-Overflow.html
https://rhn.redhat.com/errata/RHSA-2014-2021.html
https://rhn.redhat.com/errata/RHSA-2015-0698.html
https://rhn.redhat.com/errata/RHSA-2015-1713.html
https://secunia.com/advisories/61747
https://secunia.com/advisories/62311
https://secunia.com/advisories/62615
https://secunia.com/advisories/62619
https://www.debian.org/security/2014/dsa-3106
https://www.mandriva.com/security/advisories?name=MDVSA-2015:012
https://www.mandriva.com/security/advisories?name=MDVSA-2015:159
https://www.securityfocus.com/bid/71742
https://www.securitytracker.com/id/1033459
https://www.slackware.com/security/viewer.php?l=slackware-security&y=2015&m=slackware-security.538606
https://www.ubuntu.com/usn/USN-2483-1
https://www.ubuntu.com/usn/USN-2483-2
https://www.ocert.org/advisories/ocert-2014-012.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Slackware Linux update for jasper

Input validation error in jasper (Alpine package)

Fedora EPEL 5 update for jasper

Gentoo update for JasPer

Amazon Linux AMI update for jasper

Input validation error in JasPer

Fedora EPEL 7 update for mingw-jasper

Fedora 21 update for mingw-jasper

Fedora 21 update for jasper