PatchSiren cyber security CVE debrief
CVE-2017-5500 Jasper Project CVE debrief
CVE-2017-5500 is a denial-of-service issue in JasPer 1.900.17, specifically in libjasper/jpc/jpc_dec.c. The record says crafted input can trigger a crash through a left shift of a negative value. NVD rates the issue as medium severity with availability impact only, making this primarily a service-stability problem rather than a confidentiality or integrity issue.
- Vendor: Jasper Project
- Product: CVE-2017-5500
- CVSS: MEDIUM 5.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-03-01
- Original CVE updated: 2026-05-13
- Advisory published: 2017-03-01
- Advisory updated: 2026-05-13
Who should care
Security and platform teams running JasPer 1.900.17 in image decoding, conversion, or document-processing workflows that accept untrusted input. This also matters for packaged or embedded software that bundles libjasper and may inherit the vulnerable decoder.
Technical summary
The vulnerable component is libjasper/jpc/jpc_dec.c in JasPer 1.900.17. The failure mode is an invalid left shift of a negative value during decoding, which is undefined behaviour in C and can crash the process. The supplied record contains a notable inconsistency: the narrative describes remote attackers causing a crash, while NVD's CVSS vector records AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H, that is, a local attack vector requiring user interaction. That mismatch should be preserved during triage and checked against the original upstream advisory and the affected deployment path (for example, a user-opened file versus a network-facing decoding service) before making exposure assumptions.
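As an added example written for this debrief, not code from JasPer itself, the C helpers below show the defensive pattern that addresses this bug class: refuse or route around a left shift of a negative signed value instead of performing it, and build test binaries with -fsanitize=undefined so any remaining instance is reported rather than silently miscompiled. The function names and sample values are hypothetical.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Checked left shift for a non-negative 32-bit quantity. Shifting a negative
 * signed value left is undefined behaviour in C (C11 6.5.7p4); built with
 * -fsanitize=undefined, the runtime reports "left shift of negative value",
 * which is the finding class behind this CVE. Returns false, leaving *out
 * untouched, when the operation would be undefined or would overflow. */
bool checked_shl_s32(int32_t value, unsigned int shift, int32_t *out)
{
    if (value < 0 || shift >= 31)
        return false;
    /* the result fits only if value has no bits above position 30 - shift */
    if (value > (INT32_MAX >> shift))
        return false;
    *out = (int32_t)((uint32_t)value << shift);
    return true;
}

/* Hypothetical decoder-style helper: scale a signed sample or coefficient by
 * 2^shift by shifting its magnitude and restoring the sign, so a negative
 * input is handled without ever shifting a negative value. */
bool scale_signed_pow2(int32_t value, unsigned int shift, int32_t *out)
{
    int32_t mag, res;
    if (value == INT32_MIN)     /* -INT32_MIN does not fit in int32_t */
        return false;
    mag = value < 0 ? -value : value;
    if (!checked_shl_s32(mag, shift, &res))
        return false;
    *out = value < 0 ? -res : res;
    return true;
}

int main(void)
{
    int32_t r;
    /* constructed sample values, not data from a real codestream */
    if (scale_signed_pow2(-5, 3, &r))
        printf("-5 scaled by 2^3 handled safely: %d\n", r);
    if (!checked_shl_s32(-5, 3, &r))
        printf("direct shift of a negative value rejected\n");
    return 0;
}
```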
Defensive priority
Medium. Prioritize remediation on any system still processing untrusted JPEG-2000 content with JasPer 1.900.17, especially where a decoder crash would interrupt a critical service.
Recommended defensive actions
- Inventory systems and packages that use JasPer 1.900.17 or a bundled libjasper copy.
- Apply a vendor-fixed package or upgrade to a patched JasPer release as soon as one is available in your distribution or build chain.
- If immediate patching is not possible, limit exposure by reducing untrusted JPEG-2000 input paths and isolating decoder workloads.
- Add crash monitoring and service restart controls for any process that depends on JasPer decoding.
- After remediation, retest affected workflows to confirm the vulnerable decoder path is no longer present.
Evidence notes
The CVE publishedAt timestamp is 2017-03-01T15:59:00.713Z, and the source record was last modified on 2026-05-13T00:24:29.033Z. The NVD record marks cpe:2.3:a:jasper_project:jasper:1.900.17 as vulnerable. The source references include a Gentoo blog post about multiple Jasper crashes found with UBSan and a SecurityFocus BID entry. The supplied record also shows a tension between the narrative description ('remote attackers') and the NVD CVSS vector (AV:L/UI:R), so this debrief avoids overcommitting on the exact attack path beyond the provided data.
Official resources
- CVE-2017-5500 CVE record (CVE.org)
- CVE-2017-5500 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: tagged Exploit, Third Party Advisory
Published on 2017-03-01. The source corpus also references a Gentoo advisory dated 2017-01-16, which predates the CVE publication date.