CVE-2020-27823

7.8 HIGH

📋 TL;DR

This vulnerability in OpenJPEG's encoder allows attackers to pass specially crafted x,y offset input during encoding, potentially leading to memory corruption. It affects systems using vulnerable versions of OpenJPEG for image processing. The flaw can compromise confidentiality, integrity, and system availability.

💻 Affected Systems

Products:
  • OpenJPEG
Versions: Before 2.4.0
Operating Systems: Linux, Windows, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: Affects any application using OpenJPEG library for JPEG2000 image encoding.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise, data theft, and persistent backdoor installation.

🟠 Likely Case: Application crash (denial of service) or limited memory corruption allowing information disclosure.

🟢 If Mitigated: Application crash with no data loss if proper sandboxing and privilege separation are implemented.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires crafting malicious JPEG2000 images and triggering encoding.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: OpenJPEG 2.4.0 and later

Vendor Advisory: https://bugzilla.redhat.com/show_bug.cgi?id=1905762

Restart Required: Yes

Instructions:

1. Update OpenJPEG to version 2.4.0 or later.
2. Restart affected services.
3. Rebuild applications linked against OpenJPEG.

🔧 Temporary Workarounds

Disable JPEG2000 processing

all

Prevent processing of JPEG2000 images in affected applications.

# Application-specific configuration required

🧯 If You Can't Patch

  • Implement strict input validation for image files
  • Run OpenJPEG in sandboxed/containerized environment with minimal privileges

🔍 How to Verify

Check if Vulnerable:

Check OpenJPEG version: opj_decompress -v 2>&1 | grep version

Check Version:

opj_decompress -v 2>&1 | grep version

Verify Fix Applied:

Confirm version is 2.4.0 or later: opj_decompress -v 2>&1 | grep -E 'version[^0-9]*(2\.([4-9]|[1-9][0-9])|[3-9]|[1-9][0-9])([^0-9]|$)'
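
A version check that compares fields numerically rather than by pattern, so that 2.3.1 is not accepted just because it contains a 3, and a two-digit minor such as 2.10.0 is still treated as later than 2.4.0. This is an added example, not part of the original advisory; the function names are hypothetical and the version strings in the comments are constructed.

```shell
#!/bin/sh
# Added example (not from the advisory): classify an OpenJPEG version string
# against the 2.4.0 fix using numeric field comparison.
# Function names are hypothetical; sample strings below are constructed.

# Print the first dotted version number (e.g. 2.3.1) found in the text.
extract_version() {
    printf '%s\n' "$1" | grep -Eo '[0-9]+\.[0-9]+(\.[0-9]+)?' | head -n 1
}

# Succeed when version $1 >= version $2 (major.minor.patch, missing field = 0).
version_ge() {
    for i in 1 2 3; do
        a=$(printf '%s\n' "$1" | cut -d. -f"$i")
        b=$(printf '%s\n' "$2" | cut -d. -f"$i")
        a=${a:-0}
        b=${b:-0}
        if [ "$a" -gt "$b" ]; then return 0; fi
        if [ "$a" -lt "$b" ]; then return 1; fi
    done
    return 0
}

# Print "fixed", "vulnerable" or "unknown" for the given version output.
classify_openjpeg() {
    ver=$(extract_version "$1")
    if [ -z "$ver" ]; then
        echo unknown
    elif version_ge "$ver" 2.4.0; then
        echo fixed
    else
        echo vulnerable
    fi
}

# Constructed inputs: "version 2.3.1" -> vulnerable, "version 2.10.0" -> fixed.
# Classify the text passed as the first argument, if any.
if [ "$#" -gt 0 ]; then
    classify_openjpeg "$1"
fi
```

Distribution packages can carry a backported fix under an older upstream version number, so a "vulnerable" result from a packaged build should be confirmed against the package changelog.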

📡 Detection & Monitoring

Log Indicators:

  • Application crashes with OpenJPEG error messages
  • Segmentation faults in image processing services

Network Indicators:

  • Unusual JPEG2000 file uploads to web applications
  • Image processing API calls with malformed parameters

SIEM Query:

source="application.log" AND ("OpenJPEG" OR "JPEG2000") AND ("crash" OR "segfault" OR "memory corruption")
