Miggo Logo

CVE-2018-5268: Out-of-bounds Write in OpenCV.

5.5

CVSS Score
3.0

Basic Information

EPSS Score
0.54575%
Published
10/12/2021
Updated
2/1/2023
KEV Status
No
Technology
TechnologyPython

Technical Details

CVSS Vector
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
opencv-pythonpip<= 3.3.1.113.4.1.15
opencv-contrib-pythonpip<= 3.3.1.113.4.1.15

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The CVE description explicitly names cv::Jpeg2KDecoder::readComponent8u as the vulnerable function. The GitHub issue (#10541) shows an ASAN trace pointing to line 343 of grfmt_jpeg2000.cpp during the overflow. The patch (435a3e3) adds validation checks (CV_Assert) for component parameters like xstart=0, ystart=0, step=1, and data type consistency - all of which were missing in the original code. These missing checks allowed out-of-bounds writes when processing malformed images.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

In Op*n*V *.*.* (*orr*spon*in* wit* Op*n*V-Pyt*on *.*.*.**), * ***p-**s** *u***r ov*r*low **pp*ns in *v::Jp***K***o**r::r****ompon*nt*u in mo*ul*s/im**o***s/sr*/*r*mt_jp******.*pp w**n p*rsin* * *r**t** im*** *il*.

Reasoning

T** *V* **s*ription *xpli*itly n*m*s *v::Jp***K***o**r::r****ompon*nt*u *s t** vuln*r**l* *un*tion. T** *it*u* issu* (#*****) s*ows *n *S*N tr*** pointin* to lin* *** o* *r*mt_jp******.*pp *urin* t** ov*r*low. T** p*t** (*******) ***s v*li**tion ****