{
  "threat_severity" : "Moderate",
  "public_date" : "2020-11-30T00:00:00Z",
  "bugzilla" : {
    "description" : "jasper: Heap-based buffer overflow in cp_create() in jpc_enc.c",
    "id" : "1905201",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1905201"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.8",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-20->CWE-122->CWE-787",
  "details" : [ "There's a flaw in jasper's jpc encoder in versions prior to 2.0.23. Crafted input provided to jasper by an attacker could cause an arbitrary out-of-bounds write. This could potentially affect data confidentiality, integrity, or application availability.", "A flaw was found in the Jasper tool’s jpc encoder. This flaw allows an attacker to craft input provided to Jasper, causing an arbitrary out-of-bounds write.  The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability." ],
  "acknowledgement" : "Red Hat would like to thank zodf0055980 for reporting this issue.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2021-11-09T00:00:00Z",
    "advisory" : "RHSA-2021:4235",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "jasper-0:2.0.14-5.el8"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 5",
    "fix_state" : "Out of support scope",
    "package_name" : "netpbm",
    "cpe" : "cpe:/o:redhat:enterprise_linux:5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "jasper",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "jasper",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "jasper",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2020-27828\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-27828" ],
  "name" : "CVE-2020-27828",
  "mitigation" : {
    "value" : "This flaw can be mitigated for the Jasper tool by not accepting untrusted inputs to be processed by Jasper or constraining rlevels on those inputs from outside of Jasper.",
    "lang" : "en:us"
  },
  "csaw" : false
}