CVE-2011-4517
CVE-2011-4517 is a medium-severity vulnerability in Jasper Project Jasper with a CVSS 2.0 base score of 6.8. Its EPSS exploit-prediction score of 11% places it in the 95th percentile, indicating an elevated likelihood of exploitation. The underlying weakness is classified as CWE-787.
Key facts
- Severity: Medium (CVSS 2.0 base score 6.8)
- EPSS exploit prediction: 11% (95th percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-787
- Affected product: Jasper Project Jasper
- Published:
- Last modified:
Description
The jpc_crg_getparms function in libjasper/jpc/jpc_cs.c in JasPer 1.900.1 uses an incorrect data type during a certain size calculation, which allows remote attackers to trigger a heap-based buffer overflow and execute arbitrary code, or cause a denial of service (heap memory corruption), via a crafted component registration (CRG) marker segment in a JPEG2000 file.
Frequently asked questions
- What is CVE-2011-4517?
- The jpc_crg_getparms function in libjasper/jpc/jpc_cs.c in JasPer 1.900.1 uses an incorrect data type during a certain size calculation, which allows remote attackers to trigger a heap-based buffer overflow and execute arbitrary code, or cause a denial of service (heap memory corruption), via a crafted component registration (CRG) marker segment in a JPEG2000 file.
- How severe is CVE-2011-4517?
- CVE-2011-4517 has a CVSS 2.0 base score of 6.8, rated medium severity.
- Is CVE-2011-4517 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 11% (95th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2011-4517?
- CVE-2011-4517 primarily affects Jasper Project Jasper. In total, 15 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2011-4517?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- When was CVE-2011-4517 published?
- CVE-2011-4517 was published on 2011-12-15 and last updated on 2026-06-16.
References
- http://lists.fedoraproject.org/pipermail/package-announce/2011-December/071458.html
- http://lists.fedoraproject.org/pipermail/package-announce/2012-January/071561.html
- http://lists.opensuse.org/opensuse-security-announce/2011-12/msg00010.html
- http://osvdb.org/77596
- http://rhn.redhat.com/errata/RHSA-2015-0698.html
- http://secunia.com/advisories/47193
- http://secunia.com/advisories/47306
- http://secunia.com/advisories/47353
- http://www-01.ibm.com/support/docview.wss?uid=swg21660640
- http://www.debian.org/security/2011/dsa-2371
- http://www.kb.cert.org/vuls/id/887409
- http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html
- http://www.redhat.com/support/errata/RHSA-2011-1807.html
- http://www.redhat.com/support/errata/RHSA-2011-1811.html
- http://www.securityfocus.com/bid/50992
- http://www.slackware.com/security/viewer.php?l=slackware-security&y=2015&m=slackware-security.538606
- http://www.ubuntu.com/usn/USN-1315-1
- https://bugzilla.redhat.com/show_bug.cgi?id=747726
- https://exchange.xforce.ibmcloud.com/vulnerabilities/71701
Affected products (15)
- cpe:2.3:a:jasper_project:jasper:1.900.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:outside_in_technology:8.3.5:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:outside_in_technology:8.3.7:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:10.04:*:*:*:-:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:10.10:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:11.04:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:11.10:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:15:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:16:*:*:*:*:*:*:*
- cpe:2.3:o:suse:linux_enterprise_desktop:11:sp1:*:*:*:*:*:*
- cpe:2.3:o:suse:linux_enterprise_server:11:sp1:*:*:*:-:*:*
- cpe:2.3:o:suse:linux_enterprise_server:11:sp1:*:*:*:vmware:*:*
- cpe:2.3:o:suse:linux_enterprise_software_development_kit:11:sp1:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_desktop:4:*:*:*:*:*:*:*
More vulnerabilities in Jasper Project Jasper
- CVE-2008-3522 — Critical (CVSS 10.0): Buffer overflow in the jas_stream_printf function in libjasper/base/jas_stream.c in JasPer 1.900.1 might allow…
- CVE-2008-3520 — Critical (CVSS 9.3): Multiple integer overflows in JasPer 1.900.1 might allow context-dependent attackers to have an unknown impact via a…
- CVE-2015-8751 — High (CVSS 8.8): Integer overflow in the jas_matrix_create function in JasPer allows context-dependent attackers to have unspecified…
- CVE-2018-19541 — High (CVSS 8.8): An issue was discovered in JasPer 1.900.8, 1.900.9, 1.900.10, 1.900.11, 1.900.12, 1.900.13, 1.900.14, 1.900.15,…
- CVE-2018-19540 — High (CVSS 8.8): An issue was discovered in JasPer 1.900.8, 1.900.9, 1.900.10, 1.900.11, 1.900.12, 1.900.13, 1.900.14, 1.900.15,…
- CVE-2023-51257 — High (CVSS 7.8): An invalid memory write issue in Jasper-Software Jasper v.4.1.1 and before allows a local attacker to execute arbitrary…
All CVEs affecting Jasper Project Jasper →
Other CWE-787 (Out-of-bounds Write) vulnerabilities
- CVE-2026-42369 — Critical (CVSS 10.0): GV-VMS V20 is a Video Monitoring Software used to gather the feeds of many surveillance cameras and manage other…
- CVE-2026-4746 — Critical (CVSS 10.0): Out-of-bounds Write vulnerability in timeplus-io proton (base/poco/Foundation/src modules). This vulnerability is…
- CVE-2025-43300 — Critical (CVSS 10.0): An out-of-bounds write issue was addressed with improved bounds checking. This issue is fixed in iOS 15.8.5 and iPadOS…
- CVE-2025-24201 — Critical (CVSS 10.0): An out-of-bounds write issue was addressed with improved checks to prevent unauthorized actions. This issue is fixed in…
- CVE-2024-42479 — Critical (CVSS 10.0): llama.cpp provides LLM inference in C/C++. The unsafe `data` pointer member in the `rpc_tensor` structure can cause…
- CVE-2024-39791 — Critical (CVSS 10.0): Stack-based buffer overflow vulnerabilities affecting Vonets industrial wifi bridge relays and wifi bridge…