CVE-2020-36330

moderate-risk
Published 2021-05-21

A flaw was found in libwebp in versions before 1.0.1. An out-of-bounds read was found in function ChunkVerifyAndAssign. The highest threat from this vulnerability is to data confidentiality and to the service availability.

Do I need to act?

-
0.16% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
9
CVSS 9.1/10 Critical
NETWORK / LOW complexity

Affected Products (7)

Libwebp

Affected Vendors

Debian Redhat Apple Netapp Webmproject

References (14)

Mailing List http://seclists.org/fulldisclosure/2021/Jul/54
Issue Tracking https://bugzilla.redhat.com/show_bug.cgi?id=1956853
Mailing List https://lists.debian.org/debian-lts-announce/2021/06/msg00005.html
Mailing List https://lists.debian.org/debian-lts-announce/2021/06/msg00006.html
Third Party Advisory https://security.netapp.com/advisory/ntap-20211104-0004/
Not Applicable https://support.apple.com/kb/HT212601
Third Party Advisory https://www.debian.org/security/2021/dsa-4930
Mailing List http://seclists.org/fulldisclosure/2021/Jul/54
Issue Tracking https://bugzilla.redhat.com/show_bug.cgi?id=1956853
Mailing List https://lists.debian.org/debian-lts-announce/2021/06/msg00005.html
Mailing List https://lists.debian.org/debian-lts-announce/2021/06/msg00006.html
Third Party Advisory https://security.netapp.com/advisory/ntap-20211104-0004/
Not Applicable https://support.apple.com/kb/HT212601
Third Party Advisory https://www.debian.org/security/2021/dsa-4930
46
/ 100
moderate-risk
Severity 31/34 · Critical
Exploitability 1/34 · Minimal
Exposure 14/34 · Moderate