CVE-2018-21010

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2018-21010

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2018-21010.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2018-21010

Downstream

DLA-1950-1

SUSE-SU-2022:3801-1

SUSE-SU-2022:3802-1

SUSE-SU-2022:4082-1

UBUNTU-CVE-2018-21010

USN-4497-1

openSUSE-SU-2024:13571-1

Related

Published

2019-09-05T13:15:10Z

Modified

2025-09-16T06:55:12.431866Z

Severity

8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

OpenJPEG before 2.3.1 has a heap buffer overflow in colorapplyicc_profile in bin/common/color.c.

References

Affected packages

Alpine:v3.8 / openjpeg

Package

Name: openjpeg
Purl: pkg:apk/alpine/openjpeg?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.3.0-r3

Affected versions

1.*

1.3-r0

1.3-r1

1.5.0-r1

1.5.0-r2

1.5.1-r0

1.5.1-r1

2.*

2.1.0-r0

2.1.0-r1

2.1.1-r0

2.1.1-r1

2.1.2-r0

2.1.2-r1

2.2.0-r0

2.2.0-r1

2.2.0-r2

2.2.0-r3

2.3.0-r0

2.3.0-r1

2.3.0-r2

Alpine:v3.9 / openjpeg

Package

Name: openjpeg
Purl: pkg:apk/alpine/openjpeg?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.3.0-r4

Affected versions

1.*

1.3-r0

1.3-r1

1.5.0-r1

1.5.0-r2

1.5.1-r0

1.5.1-r1

2.*

2.1.0-r0

2.1.0-r1

2.1.1-r0

2.1.1-r1

2.1.2-r0

2.1.2-r1

2.2.0-r0

2.2.0-r1

2.2.0-r2

2.2.0-r3

2.3.0-r0

2.3.0-r1

2.3.0-r2

2.3.0-r3

Debian:11 / openjpeg2

Package

Name: openjpeg2
Purl: pkg:deb/debian/openjpeg2?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.3.1-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / openjpeg2

Package

Name: openjpeg2
Purl: pkg:deb/debian/openjpeg2?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.3.1-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / openjpeg2

Package

Name: openjpeg2
Purl: pkg:deb/debian/openjpeg2?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.3.1-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:14 / openjpeg2

Package

Name: openjpeg2
Purl: pkg:deb/debian/openjpeg2?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.3.1-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/uclouvain/openjpeg

Affected ranges

Type: GIT
Repo: https://github.com/uclouvain/openjpeg
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

2e5ab1d9987831c981ff05862e8ccf1381ed58ea

Affected versions

v2.*

v2.2.0

v2.3.0

Database specific

{
    "vanir_signatures": [
        {
            "signature_type": "Line",
            "id": "CVE-2018-21010-16e574a7",
            "source": "https://github.com/uclouvain/openjpeg/commit/2e5ab1d9987831c981ff05862e8ccf1381ed58ea",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "src/bin/common/color.c"
            },
            "digest": {
                "line_hashes": [
                    "47772986423275944948129387740378959748",
                    "205748424800095807526570439468686203929",
                    "311212710083938358638417075780320992282",
                    "13845996517696402041291325485194756521",
                    "232034462384640403651731608255195773281",
                    "260035379454205935624654794521312315561",
                    "27759279588051978015740535400210265005",
                    "24887882373412726135602646506894525370",
                    "10796914929716296175201449165596947575",
                    "210927989779164417464137647003868472755",
                    "160776532049488125440815871690663048169",
                    "296789431730108481029949790463180491645",
                    "211630102750653992397075884111426201760",
                    "45072898588808494368736867557010706522",
                    "187357730233943923627195889501389262807",
                    "18114862465483823227445671054192736037",
                    "32977918220178411040624988570409498907",
                    "154346496108818336977911423640308731000",
                    "280905759675619092679285625124901276488",
                    "265498822902519309421227408500631555967",
                    "277080353820867427640166991470715053339",
                    "211630102750653992397075884111426201760",
                    "82026733997208869923982752454371346838",
                    "233974658630491624153646875549529329671",
                    "151172523150507511277390429814071198607",
                    "231252402362125044599127783695202301038",
                    "113308147506768385034458147111247690185",
                    "76146420620240622652158139798106522380",
                    "228630602540866455030758235740298016390",
                    "120750669731829277520980204948569330498",
                    "109451196913446605897293240902573639350",
                    "17407463850010632372209515990872031218",
                    "191951910983718499554776888884780843443",
                    "76954929910805505068933795025888937249",
                    "99618613372891725581721000891204504777",
                    "180620412410529278479013507171956707920",
                    "213435621004669630972044136455783277441",
                    "298320697987736938007771825131292495308",
                    "265495701817522015175446458566787246427",
                    "108016489492950703904379036496720397977",
                    "8677741571317082609543726576800599073",
                    "296789431730108481029949790463180491645",
                    "211630102750653992397075884111426201760",
                    "44497727351483186019103832198962477616",
                    "59120822791411335295321191655897392750",
                    "302064298161111932100911413517165003495",
                    "249450554219199452433629851869756072647",
                    "257660251622353207407650709361295596847",
                    "68384279721278417397411680451267629008",
                    "265498822902519309421227408500631555967",
                    "277080353820867427640166991470715053339",
                    "338490487351861577552554114094685004680",
                    "3761531053253518297421411850467532774",
                    "38296037108315816685757152490174175399",
                    "119925681653977753993684191719868672081",
                    "231252402362125044599127783695202301038",
                    "113308147506768385034458147111247690185",
                    "127735398500339678563617993092869890664",
                    "131283023038667967207233783990652932135",
                    "175770028656615546704640618258824141075",
                    "62279842121833707728953447108438360793",
                    "289100919150289420899954891348132595647",
                    "99378679856880236086246357496976517378"
                ],
                "threshold": 0.9
            }
        },
        {
            "signature_type": "Function",
            "id": "CVE-2018-21010-859200bb",
            "source": "https://github.com/uclouvain/openjpeg/commit/2e5ab1d9987831c981ff05862e8ccf1381ed58ea",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "function": "color_apply_icc_profile",
                "file": "src/bin/common/color.c"
            },
            "digest": {
                "length": 7936.0,
                "function_hash": "206676380706185999110114411288142323234"
            }
        }
    ]
}