PatchSiren cyber security CVE debrief

CVE-2017-5501 Jasper Project CVE debrief

CVE-2017-5501 is an integer-overflow flaw (CWE-190) in libjasper/jpc/jpc_tsfb.c in JasPer 1.900.17. Processing a crafted file can crash the application, giving an attacker a denial of service. NVD rates the issue medium severity (CVSS 3.0 base score 5.5) with an availability-only impact.

Vendor
Jasper Project
Product
jasper (JasPer, per the NVD CPE jasper_project:jasper)
CVSS
MEDIUM 5.5
CISA KEV
Not listed in stored evidence
Original CVE published
2017-03-01
Original CVE updated
2026-05-13
Advisory published
2017-03-01
Advisory updated
2026-05-13

Who should care

Operators and developers running JasPer 1.900.17, whether installed as a package or bundled as libjasper inside other software, especially where it decodes untrusted files, for example in upload handlers or automated ingestion pipelines.

Technical summary

The NVD record classifies the flaw as CWE-190 (integer overflow or wraparound) in libjasper/jpc/jpc_tsfb.c and maps the affected CPE to jasper_project:jasper:1.900.17. The CVSS 3.0 vector is AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H: local attack vector with user interaction required (someone or something on the host must open the crafted file), no privileges needed, unchanged scope, no confidentiality or integrity impact, and high availability impact. The "local" vector understates exposure for services that fetch and decode files from the network on a user's behalf, since in that deployment no interactive user is needed. The CVE description reports only a crash; the supplied material does not identify which value overflows or how the crash follows from it.
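To make the CWE-190 bug class concrete, the following C example, added here and not JasPer's code, models a codec that derives a buffer size from three file-controlled 32-bit fields. It does not reproduce CVE-2017-5501 (the supplied material does not say which value overflows in jpc_tsfb.c); the header layout (width, height, numcomps, big-endian at offsets 0, 4, 8), the function names and the 256 MiB policy cap are assumptions for illustration. It puts the unchecked multiply beside a hardened form that rejects wraparound before it happens.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Added illustration of CWE-190 in an image-codec style size computation.
 * NOT JasPer's code and NOT a reproduction of CVE-2017-5501. Header layout
 * (width, height, numcomps as big-endian uint32 at offsets 0, 4, 8) and the
 * policy cap are assumptions made for this example. */

static uint32_t rd32be(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Vulnerable form: the product is computed in 32 bits and may wrap, so a
 * crafted header yields a tiny (even zero-byte) allocation that later
 * per-sample writes overrun. Returns the possibly wrapped byte count. */
uint32_t unsafe_sample_bytes(uint32_t width, uint32_t height, uint32_t numcomps) {
    return width * height * numcomps;   /* CWE-190: unchecked multiply */
}

/* Hardened form: refuse zero dimensions, test each multiply against
 * UINT32_MAX before performing it, then apply a policy cap so a header
 * cannot demand an absurd buffer even without wraparound.
 * Returns 0 and writes *out on success, -1 if the header is rejected. */
#define MAX_SAMPLE_BYTES ((uint32_t)1 << 28)   /* 256 MiB; assumed cap */

int safe_sample_bytes(uint32_t width, uint32_t height, uint32_t numcomps, uint32_t *out) {
    if (width == 0 || height == 0 || numcomps == 0) return -1;
    if (width > UINT32_MAX / height) return -1;       /* width*height would wrap */
    uint32_t area = width * height;
    if (area > UINT32_MAX / numcomps) return -1;      /* area*numcomps would wrap */
    uint32_t total = area * numcomps;
    if (total > MAX_SAMPLE_BYTES) return -1;          /* policy limit */
    *out = total;
    return 0;
}

/* Parse the constructed 12-byte header and decide whether to allocate.
 * Returns the byte count to allocate, or 0 if the header is rejected. */
uint32_t check_header(const uint8_t *hdr, size_t len) {
    uint32_t bytes;
    if (len < 12) return 0;
    if (safe_sample_bytes(rd32be(hdr), rd32be(hdr + 4), rd32be(hdr + 8), &bytes) != 0)
        return 0;
    return bytes;
}

int main(void) {
    /* Constructed inputs: a benign 64x64x3 header and a crafted 65536x65536x1 one. */
    const uint8_t benign[12]  = {0,0,0,64, 0,0,0,64, 0,0,0,3};
    const uint8_t crafted[12] = {0,1,0,0,  0,1,0,0,  0,0,0,1};

    printf("benign:  unsafe=%u safe=%u\n",
           unsafe_sample_bytes(64, 64, 3), check_header(benign, sizeof benign));
    /* 65536*65536 == 2^32 wraps to 0 in 32 bits: an allocation of 0 bytes
     * followed by per-sample writes is exactly the crash-on-crafted-file shape. */
    printf("crafted: unsafe=%u safe=%u (0 = rejected)\n",
           unsafe_sample_bytes(65536, 65536, 1), check_header(crafted, sizeof crafted));
    return 0;
}
```

The division-based checks are portable C; on GCC or Clang, __builtin_mul_overflow expresses the same test in one call. The policy cap matters independently of wraparound: a header that asks for a legitimate but enormous buffer is also a denial-of-service vector.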

Defensive priority

Medium. Prioritize if JasPer decodes externally supplied files (upload handlers, thumbnailers, document converters) or if repeated crashes of a decoding worker would disrupt a service.

Recommended defensive actions

  • Inventory systems using JasPer 1.900.17, including copies of libjasper statically linked or vendored into other software (image viewers, converters, document tooling) that package inventories may not list.
  • Update to a vendor-supported JasPer release that includes a fix, if available; the supplied material does not name the fixed version, so confirm it against the upstream changelog or your distribution's advisory.
  • Limit or sandbox processing of untrusted files that reach JasPer parsing paths (separate decoding process, seccomp or AppArmor profile, memory and CPU limits) so a crash is contained to the decoder.
  • Apply crash monitoring and service restart controls to reduce downtime from malformed inputs, and rate-limit restarts so a stream of crafted files cannot keep a worker permanently down.
  • Treat any parser crash involving JasPer as a security signal: preserve the triggering input and investigate its source rather than silently restarting.

Evidence notes

The supplied NVD metadata states the vulnerable component is cpe:2.3:a:jasper_project:jasper:1.900.17 and assigns CVSS 3.0 AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H with CWE-190. The CVE description explicitly names an integer overflow in libjasper/jpc/jpc_tsfb.c and describes denial of service via a crafted file. A Gentoo advisory referenced by MITRE is tagged as an exploit/third-party advisory in the corpus, but the supplied material does not include exploit details or a proof-of-concept file.

Official resources

The CVE was published on 2017-03-01; the NVD record was last modified on 2026-05-13. The dates above follow the supplied CVE and source records.