CVE-2016-9391 - OpenCVE

The jpc_bitstream_getbits function in jpc_bs.c in JasPer before 2.0.10 allows remote attackers to cause a denial of service (assertion failure) via a very large integer.

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

AV:N/AC:L/Au:N/C:N/I:N/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Jasper Project	Jasper

Configuration 1 [-]

cpe:2.3:a:jasper_project:jasper:*:*:*:*:*:*:*:*

References

Link	Resource
http://www.openwall.com/lists/oss-security/2016/11/17/1	Mailing List Patch VDB Entry
http://www.securityfocus.com/bid/94371	Third Party Advisory VDB Entry
https://access.redhat.com/errata/RHSA-2017:1208
https://blogs.gentoo.org/ago/2016/11/16/jasper-multiple-assertion-failure	Patch Third Party Advisory VDB Entry
https://bugzilla.redhat.com/show_bug.cgi?id=1396967	Issue Tracking Patch Third Party Advisory VDB Entry
https://github.com/mdadams/jasper/commit/1e84674d95353c64e5c4c0e7232ae86fd6ea813b	Patch Third Party Advisory
https://usn.ubuntu.com/3693-1/

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2017-03-23T18:00:00

Updated: 2018-06-28T09:57:01

Reserved: 2016-11-17T00:00:00

Link: CVE-2016-9391

JSON object: View

NVD Information

Status : Modified

Published: 2017-03-23T18:59:00.740

Modified: 2018-06-29T01:29:01.753

Link: CVE-2016-9391

JSON object: View

Redhat Information

No data.

CWE

NVD-CWE-Other

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2016-11-17T00:00:00", "descriptions": [{"lang": "en", "value": "The jpc_bitstream_getbits function in jpc_bs.c in JasPer before 2.0.10 allows remote attackers to cause a denial of service (assertion failure) via a very large integer."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-06-28T09:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://blogs.gentoo.org/ago/2016/11/16/jasper-multiple-assertion-failure"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1396967"}, {"name": "RHSA-2017:1208", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2017:1208"}, {"name": "[oss-security] 20161117 Re: jasper: multiple assertion failures", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2016/11/17/1"}, {"name": "USN-3693-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "https://usn.ubuntu.com/3693-1/"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/mdadams/jasper/commit/1e84674d95353c64e5c4c0e7232ae86fd6ea813b"}, {"name": "94371", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/94371"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2016-9391", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The jpc_bitstream_getbits function in jpc_bs.c in JasPer before 2.0.10 allows remote attackers to cause a denial of service (assertion failure) via a very large integer."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://blogs.gentoo.org/ago/2016/11/16/jasper-multiple-assertion-failure", "refsource": "MISC", "url": "https://blogs.gentoo.org/ago/2016/11/16/jasper-multiple-assertion-failure"}, {"name": "https://bugzilla.redhat.com/show_bug.cgi?id=1396967", "refsource": "CONFIRM", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1396967"}, {"name": "RHSA-2017:1208", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2017:1208"}, {"name": "[oss-security] 20161117 Re: jasper: multiple assertion failures", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2016/11/17/1"}, {"name": "USN-3693-1", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/3693-1/"}, {"name": "https://github.com/mdadams/jasper/commit/1e84674d95353c64e5c4c0e7232ae86fd6ea813b", "refsource": "CONFIRM", "url": "https://github.com/mdadams/jasper/commit/1e84674d95353c64e5c4c0e7232ae86fd6ea813b"}, {"name": "94371", "refsource": "BID", "url": "http://www.securityfocus.com/bid/94371"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2016-9391", "datePublished": "2017-03-23T18:00:00", "dateReserved": "2016-11-17T00:00:00", "dateUpdated": "2018-06-28T09:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:jasper_project:jasper:*:*:*:*:*:*:*:*", "matchCriteriaId": "0C5899F1-38FD-4D27-96C2-508FFCAAE167", "versionEndIncluding": "2.0.6", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The jpc_bitstream_getbits function in jpc_bs.c in JasPer before 2.0.10 allows remote attackers to cause a denial of service (assertion failure) via a very large integer."}, {"lang": "es", "value": "La funci\u00f3n jpc_bitstream_getbits en jpc_bs.c en JasPer en versiones anteriores a 2.0.10 permite a atacantes remotos provocar una denegaci\u00f3n de servicio (fallo de aserci\u00f3n) a trav\u00e9s de un entero muy grande."}], "evaluatorComment": "<a href=\"http://cwe.mitre.org/data/definitions/617.html\">CWE-617: Reachable Assertion</a>", "id": "CVE-2016-9391", "lastModified": "2018-06-29T01:29:01.753", "metrics": {"cvssMetricV2": [{"acInsufInfo": true, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-03-23T18:59:00.740", "references": [{"source": "cve@mitre.org", "tags": ["Mailing List", "Patch", "VDB Entry"], "url": "http://www.openwall.com/lists/oss-security/2016/11/17/1"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/94371"}, {"source": "cve@mitre.org", "url": "https://access.redhat.com/errata/RHSA-2017:1208"}, {"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory", "VDB Entry"], "url": "https://blogs.gentoo.org/ago/2016/11/16/jasper-multiple-assertion-failure"}, {"source": "cve@mitre.org", "tags": ["Issue Tracking", "Patch", "Third Party Advisory", "VDB Entry"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1396967"}, {"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/mdadams/jasper/commit/1e84674d95353c64e5c4c0e7232ae86fd6ea813b"}, {"source": "cve@mitre.org", "url": "https://usn.ubuntu.com/3693-1/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}