CVE-2021-22564 - OpenCVE

For certain valid JPEG XL images with a size slightly larger than an integer number of groups (256x256 pixels) when processing the groups out of order the decoder can perform an out of bounds copy of image pixels from an image buffer in the heap to another. This copy can occur when processing the right or bottom edges of the image, but only when groups are processed in certain order. Groups can be processed out of order in multi-threaded decoding environments with heavy thread load but also with images that contain the groups in an arbitrary order in the file. It is recommended to upgrade past 0.6.0 or patch with https://github.com/libjxl/libjxl/pull/775

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

AV:L/AC:L/Au:N/C:N/I:N/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Libjxl Project	Libjxl

Configuration 1 [-]

cpe:2.3:a:libjxl_project:libjxl:*:*:*:*:*:*:*:*

References

Link	Resource
https://github.com/libjxl/libjxl/issues/708	Exploit Issue Tracking Third Party Advisory
https://github.com/libjxl/libjxl/pull/775	Patch Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: Google

Published: 2021-10-14T00:00:00

Updated: 2021-11-01T13:10:15

Reserved: 2021-01-05T00:00:00

Link: CVE-2021-22564

JSON object: View

NVD Information

Status : Analyzed

Published: 2021-11-01T13:15:07.713

Modified: 2021-11-02T18:52:44.650

Link: CVE-2021-22564

JSON object: View

Redhat Information

No data.

CWE

{"containers": {"cna": {"affected": [{"product": "libjxl", "vendor": "Google LLC", "versions": [{"lessThanOrEqual": "0.6.0", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "datePublic": "2021-10-14T00:00:00", "descriptions": [{"lang": "en", "value": "For certain valid JPEG XL images with a size slightly larger than an integer number of groups (256x256 pixels) when processing the groups out of order the decoder can perform an out of bounds copy of image pixels from an image buffer in the heap to another. This copy can occur when processing the right or bottom edges of the image, but only when groups are processed in certain order. Groups can be processed out of order in multi-threaded decoding environments with heavy thread load but also with images that contain the groups in an arbitrary order in the file. It is recommended to upgrade past 0.6.0 or patch with https://github.com/libjxl/libjxl/pull/775"}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 4.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-122", "description": "CWE-122 Heap-based Buffer Overflow", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-11-01T13:10:15", "orgId": "14ed7db2-1595-443d-9d34-6215bf890778", "shortName": "Google"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/libjxl/libjxl/pull/775"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/libjxl/libjxl/issues/708"}], "source": {"discovery": "UNKNOWN"}, "title": "Out of bounds Copy in Libjxl in large image groups", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@google.com", "DATE_PUBLIC": "2021-10-14T20:00:00.000Z", "ID": "CVE-2021-22564", "STATE": "PUBLIC", "TITLE": "Out of bounds Copy in Libjxl in large image groups"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "libjxl", "version": {"version_data": [{"version_affected": "<=", "version_value": "0.6.0"}]}}]}, "vendor_name": "Google LLC"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "For certain valid JPEG XL images with a size slightly larger than an integer number of groups (256x256 pixels) when processing the groups out of order the decoder can perform an out of bounds copy of image pixels from an image buffer in the heap to another. This copy can occur when processing the right or bottom edges of the image, but only when groups are processed in certain order. Groups can be processed out of order in multi-threaded decoding environments with heavy thread load but also with images that contain the groups in an arbitrary order in the file. It is recommended to upgrade past 0.6.0 or patch with https://github.com/libjxl/libjxl/pull/775"}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 4.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-122 Heap-based Buffer Overflow"}]}]}, "references": {"reference_data": [{"name": "https://github.com/libjxl/libjxl/pull/775", "refsource": "MISC", "url": "https://github.com/libjxl/libjxl/pull/775"}, {"name": "https://github.com/libjxl/libjxl/issues/708", "refsource": "MISC", "url": "https://github.com/libjxl/libjxl/issues/708"}]}, "source": {"discovery": "UNKNOWN"}}}}, "cveMetadata": {"assignerOrgId": "14ed7db2-1595-443d-9d34-6215bf890778", "assignerShortName": "Google", "cveId": "CVE-2021-22564", "datePublished": "2021-10-14T00:00:00", "dateReserved": "2021-01-05T00:00:00", "dateUpdated": "2021-11-01T13:10:15", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:libjxl_project:libjxl:*:*:*:*:*:*:*:*", "matchCriteriaId": "7CC7FB7C-9506-45CF-A086-07481ACC16C6", "versionEndIncluding": "0.6.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "For certain valid JPEG XL images with a size slightly larger than an integer number of groups (256x256 pixels) when processing the groups out of order the decoder can perform an out of bounds copy of image pixels from an image buffer in the heap to another. This copy can occur when processing the right or bottom edges of the image, but only when groups are processed in certain order. Groups can be processed out of order in multi-threaded decoding environments with heavy thread load but also with images that contain the groups in an arbitrary order in the file. It is recommended to upgrade past 0.6.0 or patch with https://github.com/libjxl/libjxl/pull/775"}, {"lang": "es", "value": "Para determinadas im\u00e1genes JPEG XL v\u00e1lidas con un tama\u00f1o ligeramente superior a un n\u00famero entero de grupos (256x256 p\u00edxeles), cuando son procesados los grupos fuera de orden, el descodificador puede llevar a cabo una copia fuera de l\u00edmites de los p\u00edxeles de la imagen desde un b\u00fafer de imagen en la pila a otro. Esta copia puede producirse cuando son procesados los bordes derecho o inferior de la imagen, pero s\u00f3lo cuando los grupos son procesados en un orden determinado. Los grupos pueden ser procesados fuera de orden en entornos de decodificaci\u00f3n multihilo con gran carga de hilos, pero tambi\u00e9n con im\u00e1genes que contienen los grupos en un orden arbitrario en el archivo. Se recomienda actualizar a partir de la versi\u00f3n 0.6.0 o parchear con https://github.com/libjxl/libjxl/pull/775"}], "id": "CVE-2021-22564", "lastModified": "2021-11-02T18:52:44.650", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 2.1, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 4.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 1.0, "impactScore": 3.4, "source": "cve-coordination@google.com", "type": "Secondary"}]}, "published": "2021-11-01T13:15:07.713", "references": [{"source": "cve-coordination@google.com", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"], "url": "https://github.com/libjxl/libjxl/issues/708"}, {"source": "cve-coordination@google.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/libjxl/libjxl/pull/775"}], "sourceIdentifier": "cve-coordination@google.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-787"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-122"}], "source": "cve-coordination@google.com", "type": "Secondary"}]}