CVE-2020-20739
Type: Unavailable / Other
Severity: Medium
Publication date: 11/20/2020
Last modified: 12/08/2020
Description
im_vips2dz in /libvips/libvips/deprecated/im_vips2dz.c in libvips before 8.8.2 has an uninitialized variable, which may leak a remote server path or a stack address.
Impact
Access Vector: Through network
Access Complexity: Low
Authentication: Not required to exploit
Impact Type: No impact on system integrity + Partially affects system confidentiality + No impact on system availability
Vulnerable software and versions
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
- cpe:2.3:a:libvips_project:libvips:*:*:*:*:*:*:*:*
References to Advisories, Solutions, and Tools
- https://github.com/libvips/libvips/commit/2ab5aa7bf515135c2b02d42e9a72e4c98e17031a (Source: MISC)
- https://github.com/libvips/libvips/issues/1419 (Source: MISC)
- [debian-lts-announce] 20201130 [SECURITY] [DLA 2473-1] vips security update (Source: MLIST)
- FEDORA-2020-d82261f7b1 (Source: FEDORA)