#VU30332 Code Injection in gThumb - CVE-2019-20326
Published: March 16, 2020 / Updated: July 17, 2020
Vulnerability identifier: #VU30332
Vulnerability risk: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2019-20326
CWE-ID: CWE-94
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
gThumb
gThumb
Software vendor:
Gnome Development Team
Gnome Development Team
Description
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to improper input validation in a crafted JPEG file. A remote attacker can send a specially crafted request and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Remediation
Update to version 3.8.3.
External links
- https://github.com/Fysac/CVE-2019-20326
- https://gitlab.gnome.org/GNOME/gthumb/commit/4faa5ce2358812d23a1147953ee76f59631590ad
- https://gitlab.gnome.org/GNOME/gthumb/commit/ca8f528209ab78935c30e42fe53bdf1a24f3cb44
- https://gitlab.gnome.org/GNOME/gthumb/commits/master/extensions/cairo_io/cairo-image-surface-jpeg.c