PatchSiren

PatchSiren cyber security CVE debrief

CVE-2017-5503 Jasper Project CVE debrief

CVE-2017-5503 is a memory-corruption flaw in JasPer 1.900.27’s JPEG 2000 decoder path. A crafted image can trigger an invalid memory write in dec_clnpass, which can crash the process and may have other unspecified impact. NVD records the issue as CWE-787 and scores it CVSS 5.5 (medium). The corpus also includes an exploit-oriented advisory and downstream security notices, indicating the bug was publicly analyzed and tracked.

Vendor
Jasper Project
Product
CVE-2017-5503
CVSS
MEDIUM 5.5
CISA KEV
Not listed in stored evidence
Original CVE published
2017-03-01
Original CVE updated
2026-05-13
Advisory published
2017-03-01
Advisory updated
2026-05-13

Who should care

Teams that deploy JasPer 1.900.27 directly, or ship software that parses untrusted JPEG 2000 content through libjasper, should care most. This includes image-processing services, document workflows, desktop applications, and downstream Linux distributions or packages that bundle the affected library.

Technical summary

The vulnerable function is dec_clnpass in libjasper/jpc/jpc_t1dec.c. According to the CVE description, a crafted image can provoke an invalid memory write during decoding. NVD maps the issue to CWE-787 and lists the affected CPE as jasper_project:jasper 1.900.27. The official NVD vector is CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H, while the CVE description states the trigger is a crafted image from a remote attacker; that wording should be preserved as part of the public record rather than reconciled into a stronger claim.

Defensive priority

Medium. The impact is primarily denial of service through a crash, with NVD noting high availability impact but no confidentiality or integrity impact. Prioritize remediation if JasPer is exposed to untrusted images or embedded in higher-value processing services.

Recommended defensive actions

  • Inventory systems and applications that use JasPer or libjasper, especially version 1.900.27.
  • Apply vendor or downstream updates that remove or mitigate the vulnerable JasPer build.
  • Reduce exposure by restricting untrusted JPEG 2000 image ingestion where practical.
  • Treat crashes in image-decoding paths as security-relevant until patched, and monitor for repeated parser failures.
  • Use downstream advisories and package notices to confirm whether your distribution or application has remediated this issue.

Evidence notes

Primary evidence comes from the NVD CVE record and the CVE.org record. NVD states the affected product/version, CWE-787 classification, CVSS vector, and the vulnerable function context. The reference set includes an exploit-oriented Gentoo blog post, an oss-security mailing list thread, a SecurityFocus entry, and downstream openSUSE and Gentoo advisories, which support that the issue was publicly discussed and tracked. No claim here goes beyond the supplied corpus.

Official resources

Publicly disclosed and published by NVD on 2017-03-01. The source corpus includes later modified metadata updates, but the vulnerability date for this debrief is the CVE publication date, not any review or generation date.