An attacker could host a crafted file on a website and trick a user into accessing the file via a web browser. Processing the file using a vulnerable application could cause the application to leak sensitive information.
An attacker could also host a crafted file on a website and trick a user into accessing the file via a web browser. Processing the file using a vulnerable application, for example an image viewer, could cause the application to leak sensitive information.
An attacker could also host a crafted file on a website and trick a user into accessing the file via a web browser. Processing the file using a vulnerable application, for example an image viewer, could cause the application to leak sensitive information. An attacker could host a crafted file on a website and trick a user into accessing the file via a web browser. Processing the file using a vulnerable application, for example an image viewer, could cause the application to leak sensitive information. An attacker could host a crafted file on a website and trick a user into accessing the file via a web browser. Processing the file using a vulnerable application, for example an image viewer, could cause the application to leak sensitive information. An attacker could host a crafted file on a website and trick a user into accessing the file via a web browser. Processing the file using a vulnerable application, for example an image viewer, could cause the application to leak sensitive information
Vulnerability overview
The vulnerability exists in the processing of JPEG images. The issue lies in the JPG2000 library that is used by several applications, including web browsers, to process the image. By crafting a malicious JPG2000 library, an attacker can cause a target application to leak sensitive information.
An attacker could host a crafted file on a website and trick a user into accessing the file via a web browser. Processing the file using a vulnerable application, for example an image viewer, could cause the application to leak sensitive information.
Timeline
Published on: 08/23/2022 16:15:00 UTC
Last modified on: 08/26/2022 16:02:00 UTC
References
- https://github.com/AcademySoftwareFoundation/openexr/commit/85fd638ae0d5fa132434f4cbf32590261c1dba97
- https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=25913
- https://bugzilla.redhat.com/show_bug.cgi?id=1939156
- https://access.redhat.com/security/cve/CVE-2021-20298
- https://github.com/AcademySoftwareFoundation/openexr/pull/843
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-20298