CVE-2020-36328

Summary

CVE	CVE-2020-36328
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2021-05-21 17:15:00 UTC
Updated	2023-01-09 16:41:00 UTC
Description	A flaw was found in libwebp in versions before 1.0.1. A heap-based buffer overflow in function WebPDecodeRGBInto is possible due to an invalid check for buffer size. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

Risk And Classification

Problem Types: CWE-787

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Operating System	Apple	Ipados	14.7	All	All	All
Operating System	Apple	Ipad Os	14.7	All	All	All
Operating System	Apple	Iphone Os	14.7	All	All	All
Operating System	Debian	Debian Linux	10.0	All	All	All
Operating System	Debian	Debian Linux	9.0	All	All	All
Application	Netapp	Ontap Select Deploy Administration Utility	-	All	All	All
Operating System	Redhat	Enterprise Linux	7.0	All	All	All
Operating System	Redhat	Enterprise Linux	8.0	All	All	All
Application	Webmproject	Libwebp	All	All	All	All

References

Reference	Source	Link	Tags
[SECURITY] [DLA 2672-1] libwebp security update	MLIST	lists.debian.org
May 2021 Libwebp Vulnerabilities in NetApp Products \| NetApp Product Security	CONFIRM	security.netapp.com
[SECURITY] [DLA 2677-1] libwebp security update	MLIST	lists.debian.org
1956829 – (CVE-2020-36328) CVE-2020-36328 libwebp: heap-based buffer overflow in WebPDecode*Into functions	MISC	bugzilla.redhat.com
About the security content of iOS 14.7 and iPadOS 14.7 - Apple Support	CONFIRM	support.apple.com
Debian -- Security Information -- DSA-4930-1 libwebp	DEBIAN	www.debian.org
Full Disclosure: APPLE-SA-2021-07-21-1 iOS 14.7 and iPadOS 14.7	FULLDISC	seclists.org
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

Legacy QID Mappings

159246 Oracle Enterprise Linux Security Update for libwebp (ELSA-2021-2260)
159254 Oracle Enterprise Linux Security Update for qt5-qtimageformats (ELSA-2021-2328)
159262 Oracle Enterprise Linux Security Update for libwebp (ELSA-2021-2354)
178659 Debian Security Update for libwebp (DLA 2672-1)
178660 Debian Security Update for libwebp (DLA 2677-1)
178670 Debian Security Update for libwebp (DSA 4930-1)
198390 Ubuntu Security Notification for libwebp vulnerabilities (USN-4971-1)
239386 Red Hat Update for libwebp (RHSA-2021:2365)
239387 Red Hat Update for libwebp (RHSA-2021:2364)
239393 Red Hat Update for libwebp (RHSA-2021:2354)
239399 Red Hat Update for qt5-qtimageformats (RHSA-2021:2328)
239418 Red Hat Update for libwebp (RHSA-2021:2260)
257091 CentOS Security Update for qt5-qtimageformats Security Update (CESA-2021:2328)
352460 Amazon Linux Security Advisory for libwebp: ALAS2-2021-1676
352464 Amazon Linux Security Advisory for qt5-qtimageformats: ALAS2-2021-1679
352805 Amazon Linux Security Advisory for libwebp: ALAS-2021-1530
376929 Alibaba Cloud Linux Security Update for libwebp (ALINUX3-SA-2021:0038)
377060 Alibaba Cloud Linux Security Update for qt5-qtimageformats (ALINUX2-SA-2021:0037)
377214 Alibaba Cloud Linux Security Update for libwebp (ALINUX2-SA-2021:0032)
610349 Apple iOS 14.7 and iPadOS 14.7 Security Update Missing
670580 EulerOS Security Update for libwebp (EulerOS-SA-2021-2338)
670645 EulerOS Security Update for libwebp (EulerOS-SA-2021-2403)
671012 EulerOS Security Update for libwebp (EulerOS-SA-2021-2594)
750108 SUSE Enterprise Linux Security Update for libwebp (SUSE-SU-2021:1860-1)
750807 OpenSUSE Security Update for libwebp (openSUSE-SU-2021:1860-1)
900015 CBL-Mariner Linux Security Update for libwebp 1.0.0
902863 Common Base Linux Mariner (CBL-Mariner) Security Update for libwebp (4212)
940142 AlmaLinux Security Update for libwebp (ALSA-2021:2354)
960059 Rocky Linux Security Update for libwebp (RLSA-2021:2354)