#VU35718 Improper access control in jhead - CVE-2019-1010302

Cybersecurity Help s.r.o.

Published: 2019-07-15 | Updated: 2020-08-08

Vulnerability identifier: #VU35718

Vulnerability risk: Medium

CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2019-1010302

CWE-ID: CWE-284

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
jhead
Other software / Other software solutions

Vendor: www.sentex.net

Description

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

jhead 3.03 is affected by: Incorrect Access Control. The impact is: Denial of service. The component is: iptc.c Line 122 show_IPTC(). The attack vector is: the victim must open a specially crafted JPEG file.

Mitigation
Install update from vendor's website.

Vulnerable software versions

jhead: 3.03

External links
https://bugzilla.redhat.com/show_bug.cgi?id=1679978
https://lists.debian.org/debian-lts-announce/2019/12/msg00037.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3WVQTORTGQE56XXC6OVHQCSCUGABRMQZ/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YTGUHTJTQ6EKEPDXFSKZKVLUJC4UAPBQ/
https://security.gentoo.org/glsa/202007-17

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Gentoo update for JHead

Fedora EPEL 7 update for jhead

Fedora 29 update for jhead

Fedora 30 update for jhead

Multiple vulnerabilities in www.sentex.net jhead