#VU34977 Out-of-bounds write in LEADTOOLS - CVE-2019-5154

Cybersecurity Help s.r.o.

Published: 2019-12-12 | Updated: 2020-08-08

Vulnerability identifier: #VU34977

Vulnerability risk: High

CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2019-5154

CWE-ID: CWE-787

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
LEADTOOLS
Universal components / Libraries / Software for developers

Vendor: LEAD Technologies, Inc.

Description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

An exploitable heap overflow vulnerability exists in the JPEG2000 parsing functionality of LEADTOOLS 20.0.2019.3.15. A specially crafted J2K image file can cause an out of bounds write of a null byte in a heap buffer, potentially resulting in code execution. An attack can specially craft a J2K image to trigger this vulnerability.

Mitigation
Install update from vendor's website.

Vulnerable software versions

LEADTOOLS: 20.0.2019.3.15

External links
https://talosintelligence.com/vulnerability_reports/TALOS-2019-0945

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in LEADTOOLS