CVE-2015-8662 - OpenCVE

The ff_dwt_decode function in libavcodec/jpeg2000dwt.c in FFmpeg before 2.8.4 does not validate the number of decomposition levels before proceeding with Discrete Wavelet Transform decoding, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted JPEG 2000 data.

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:N/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Ffmpeg	Ffmpeg

Configuration 1 [-]

cpe:2.3:a:ffmpeg:ffmpeg:*:*:*:*:*:*:*:*

References

Link	Resource
http://git.videolan.org/?p=ffmpeg.git%3Ba=commit%3Bh=75422280fbcdfbe9dc56bde5525b4d8b280f1bc5
http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00004.html
http://www.securitytracker.com/id/1034539
https://lists.debian.org/debian-lts-announce/2018/12/msg00009.html

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2015-12-24T01:00:00

Updated: 2018-12-21T10:57:01

Reserved: 2015-12-23T00:00:00

Link: CVE-2015-8662

JSON object: View

NVD Information

Status : Modified

Published: 2015-12-24T01:59:04.990

Modified: 2023-11-07T02:28:38.030

Link: CVE-2015-8662

JSON object: View

Redhat Information

No data.

CWE

CWE-119

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2015-12-23T00:00:00", "descriptions": [{"lang": "en", "value": "The ff_dwt_decode function in libavcodec/jpeg2000dwt.c in FFmpeg before 2.8.4 does not validate the number of decomposition levels before proceeding with Discrete Wavelet Transform decoding, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted JPEG 2000 data."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-12-21T10:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "1034539", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://www.securitytracker.com/id/1034539"}, {"name": "[debian-lts-announce] 20181220 [SECURITY] [DLA 1611-1] libav security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2018/12/msg00009.html"}, {"name": "openSUSE-SU-2016:0089", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00004.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://git.videolan.org/?p=ffmpeg.git%3Ba=commit%3Bh=75422280fbcdfbe9dc56bde5525b4d8b280f1bc5"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2015-8662", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The ff_dwt_decode function in libavcodec/jpeg2000dwt.c in FFmpeg before 2.8.4 does not validate the number of decomposition levels before proceeding with Discrete Wavelet Transform decoding, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted JPEG 2000 data."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "1034539", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1034539"}, {"name": "[debian-lts-announce] 20181220 [SECURITY] [DLA 1611-1] libav security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2018/12/msg00009.html"}, {"name": "openSUSE-SU-2016:0089", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00004.html"}, {"name": "http://git.videolan.org/?p=ffmpeg.git;a=commit;h=75422280fbcdfbe9dc56bde5525b4d8b280f1bc5", "refsource": "CONFIRM", "url": "http://git.videolan.org/?p=ffmpeg.git;a=commit;h=75422280fbcdfbe9dc56bde5525b4d8b280f1bc5"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2015-8662", "datePublished": "2015-12-24T01:00:00", "dateReserved": "2015-12-23T00:00:00", "dateUpdated": "2018-12-21T10:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ffmpeg:ffmpeg:*:*:*:*:*:*:*:*", "matchCriteriaId": "FE1C88AE-133A-4ED2-8079-67148B2BAEBC", "versionEndIncluding": "2.8.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The ff_dwt_decode function in libavcodec/jpeg2000dwt.c in FFmpeg before 2.8.4 does not validate the number of decomposition levels before proceeding with Discrete Wavelet Transform decoding, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted JPEG 2000 data."}, {"lang": "es", "value": "La funci\u00f3n ff_dwt_decode en libavcodec/jpeg2000dwt.c en FFmpeg en versiones anteriores a la 2.8.4 no valida el n\u00famero de niveles de descomposici\u00f3n antes de proceder con el descifrado Discrete Wavelet Transform, lo que permite a atacantes remotos causar una denegaci\u00f3n de servicio (acceso al array fuera de rango) o posiblemente tener otro impacto no especificado a trav\u00e9s de datos JPEG 2000 manipulados."}], "id": "CVE-2015-8662", "lastModified": "2023-11-07T02:28:38.030", "metrics": {"cvssMetricV2": [{"acInsufInfo": true, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 3.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2015-12-24T01:59:04.990", "references": [{"source": "cve@mitre.org", "url": "http://git.videolan.org/?p=ffmpeg.git%3Ba=commit%3Bh=75422280fbcdfbe9dc56bde5525b4d8b280f1bc5"}, {"source": "cve@mitre.org", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00004.html"}, {"source": "cve@mitre.org", "url": "http://www.securitytracker.com/id/1034539"}, {"source": "cve@mitre.org", "url": "https://lists.debian.org/debian-lts-announce/2018/12/msg00009.html"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-119"}], "source": "nvd@nist.gov", "type": "Primary"}]}