Risk | High |
Patch available | NO |
Number of vulnerabilities | 5 |
CVE-ID | CVE-2018-20819 CVE-2018-20820 CVE-2018-12108 CVE-2017-8891 CVE-2017-7448 |
CWE-ID | CWE-119 CWE-190 CWE-20 CWE-369 |
Exploitation vector | Network |
Public exploit | N/A |
Vulnerable software | lepton (Other software / Other software solutions) |
Vendor | Dropbox |
Security Bulletin
This security bulletin contains information about 5 vulnerabilities.
EUVDB-ID: #VU35975
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-20819
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
Description: The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
io/ZlibCompression.cc in the decompression component in Dropbox Lepton 1.2.1 allows attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact by crafting a jpg image file. The root cause is a missing check of header payloads that may be (incorrectly) larger than the maximum file size.
Mitigation: Install update from vendor's website.
Vulnerable software versions: lepton: 1.2.1
External links:
http://github.com/dropbox/lepton/issues/112
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU35976
Risk: Medium
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-20820
CWE-ID:
CWE-190 - Integer overflow
Exploit availability: No
Description: The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
read_ujpg in jpgcoder.cc in Dropbox Lepton 1.2.1 allows attackers to cause a denial-of-service (application runtime crash because of an integer overflow) via a crafted file.
Mitigation: Install update from vendor's website.
Vulnerable software versions: lepton: 1.2.1
External links:
http://github.com/dropbox/lepton/commit/6a5ceefac1162783fffd9506a3de39c85c725761
http://github.com/dropbox/lepton/issues/111
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU37061
Risk: Medium
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-12108
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
Description: The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
An issue was discovered in Dropbox Lepton 1.2.1. The validateAndCompress function in validation.cc allows remote attackers to cause a denial of service (SIGFPE and application crash) via a malformed file.
Mitigation: Install update from vendor's website.
Vulnerable software versions: lepton: 1.2.1
External links:
http://github.com/dropbox/lepton/issues/107
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU39057
Risk: Medium
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-8891
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
Description: The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
Dropbox Lepton 1.2.1 allows DoS (SEGV and application crash) via a malformed lepton file because the code does not ensure setup of a correct number of threads.
Mitigation: Install update from vendor's website.
Vulnerable software versions: lepton: 1.2.1
External links:
http://openwall.com/lists/oss-security/2017/05/10/1
http://github.com/dropbox/lepton/commit/82167c144a322cc956da45407f6dce8d4303d346
http://github.com/dropbox/lepton/issues/87
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU39270
Risk: Medium
CVSSv3.1: 5.1 [AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:U/RC:C]
CVE-ID: CVE-2017-7448
CWE-ID:
CWE-369 - Divide By Zero
Exploit availability: No
Description: The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a divide-by-zero error within the allocate_channel_framebuffer function in uncompressed_components.hh in Dropbox Lepton 1.2.1. A remote attacker can perform a denial of service (divide-by-zero error and application crash) via a malformed JPEG image.
Mitigation: Cybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versions: lepton: 1.2.1
External links:
http://www.securityfocus.com/bid/97490
http://github.com/dropbox/lepton/commit/7789d99ac156adfd7bbf66e7824bd3e948a74cf7
http://github.com/dropbox/lepton/issues/86
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.