Risk | High |
Patch available | YES |
Number of vulnerabilities | 5 |
CVE-ID | CVE-2019-12214 CVE-2019-12213 CVE-2019-12212 CVE-2019-12211 CVE-2021-33367 |
CWE-ID | CWE-125 CWE-400 CWE-122 |
Exploitation vector | Network |
Public exploit | N/A |
Vulnerable software Subscribe |
FreeImage Universal components / Libraries / Libraries used by multiple products |
Vendor | FreeImage |
Security Bulletin
This security bulletin contains information about 5 vulnerabilities.
UPDATED: 29.12.2019
Added vulnerability #4, raised severity level from medium to high.
EUVDB-ID: #VU18604
Risk: Medium
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-12214
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform denial of service attack.
The vulnerability exists due to a boundary condition when processing OpenJPEG files in the j2k_read_ppm_v3() function in j2k.c. A remote attacker can create a specially crafted image file, pass it to the affected application, trigger out-of-bounds read error and read contents of memory on the system.
MitigationInstall update from vendor's SVN.
Vulnerable software versionsFreeImage: 3.18.0
External linkshttp://sourceforge.net/p/freeimage/discussion/36111/thread/e06734bed5/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU18603
Risk: Medium
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-12213
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to an error when processing TIFF files in TIFFReadDirectory() function in PluginTIFF.cpp. A remote attacker can pass a specially crafted TIFF file to the affected application, trigger resource exhaustion and perform a denial of service (DoS) attack. MitigationInstall update from vendor's SVN.
Vulnerable software versionsFreeImage: 3.18.0
External linkshttp://sourceforge.net/p/freeimage/discussion/36111/thread/e06734bed5/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU18602
Risk: Medium
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-12212
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary error in StreamCalcIFDSize() function in JXRMeta.c file when processing JPEG-XR (JXR) image files. A remote attacker can create a specially crafted JPEG-XR (JXR) image file, trigger resource exhaustion and perform a denial of service (DoS) attack. MitigationInstall update from vendor's SVN.
Vulnerable software versionsFreeImage: 3.18.0
External linkshttp://sourceforge.net/p/freeimage/discussion/36111/thread/e06734bed5/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU23833
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-12211
CWE-ID:
CWE-122 - Heap-based Buffer Overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error within the load() function of the PluginTIFF.cpp file. A remote attacker can can create a specially crafted TIFF file, trigger heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall update from vendor's SVN.
Vulnerable software versionsFreeImage: 3.18.0
External linkshttp://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PUWVVP67FYM4GMWD7TPQ7C7JPPRUZHYE/
http://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VZ7KBYPPNRMX7RRWVJSX4T63E3TFB6TG/
http://sourceforge.net/p/freeimage/discussion/36111/thread/e06734bed5/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU79716
Risk: Medium
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-33367
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary condition when handling JXR files. A remote attacker can create a specially crafted file, pass it to the application, trigger an out-of-bounds read error and perform a denial of service attack.
Install update from vendor's SVN.
Vulnerable software versionsFreeImage: 3.18.0
External linkshttp://sourceforge.net/p/freeimage/discussion/36109/thread/1a4db03d58/
http://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AXWMZOYJKXWOEEUV7ZKW4BX772F5P2HL/
http://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XXJ4QSLSK4HLH5ZDMDC42F7XLWLFADRD/
http://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WEG5FTVLVSO26TEEYKORM42WZ4LEHIJB/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.