CVE-2020-26208

EUVD-2020-18833
JHEAD is a simple command line tool for displaying and some manipulation of EXIF header data embedded in Jpeg images from digital cameras. In affected versions there is a heap-buffer-overflow on jhead-3.04/jpgfile.c:285 ReadJpegSections. Crafted jpeg images can be provided to the user resulting in a program crash or potentially incorrect exif information retrieval. Users are advised to upgrade. There is no known workaround for this issue.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5.3 MEDIUM
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
GitHub_MCNA
5.3 MEDIUM
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Base Score
CVSS 3.x
EPSS Score
Percentile: 29%
Affected Products (NVD)
VendorProductVersion
jhead_projectjhead
𝑥
< 3.04
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
jhead
bookworm
1:3.06.0.1-6
fixed
bullseye
1:3.04-6+deb11u1
fixed
bullseye (security)
1:3.04-6+deb11u1
fixed
sid
1:3.08-2
fixed
trixie
1:3.08-2
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
jhead
bionic
Fixed 1:3.00-8~ubuntu0.1
released
focal
Fixed 1:3.04-1ubuntu0.1
released
impish
not-affected
jammy
not-affected
kinetic
not-affected
lunar
not-affected
trusty
Fixed 1:2.97-1+deb8u2ubuntu0.1~esm1
released
xenial
Fixed 1:3.00-4+deb9u1ubuntu0.1~esm1
released
Common Weakness Enumeration
References
https://bugs.launchpad.net/ubuntu/+source/jhead/+bug/1900821
https://github.com/F-ZhaoYang/jhead/commit/5186ddcf9e35a7aa0ff0539489a930434a1325f4
https://github.com/F-ZhaoYang/jhead/security/advisories/GHSA-7pr6-xq4f-qhgc
https://github.com/Matthias-Wandel/jhead/issues/7
https://bugs.launchpad.net/ubuntu/+source/jhead/+bug/1900821
https://github.com/F-ZhaoYang/jhead/commit/5186ddcf9e35a7aa0ff0539489a930434a1325f4
https://github.com/F-ZhaoYang/jhead/security/advisories/GHSA-7pr6-xq4f-qhgc
https://github.com/Matthias-Wandel/jhead/issues/7