Introduction:
This is a request to address a vulnerability in the sharp package, specifically related to a Heap-based Buffer Overflow. This vulnerability is identified with a CVSS score of 9.6 (Critical Severity) by Snyk and 8.8 (High Severity) by NVD.
Details:
The vulnerability is introduced through @tryghost/mg-fs-utils@0.12.13 and affects versions of sharp prior to 0.32.6.
Exploit Maturity:
The exploit maturity is identified as Mature.
Overview:
sharp is a high-performance Node.js image processing library, the fastest module to resize JPEG, PNG, WebP, GIF, AVIF, and TIFF images.
Vulnerability Description:
Affected versions of this package are vulnerable to a Heap-based Buffer Overflow when the ReadHuffmanCodes() function is used. An attacker can exploit this vulnerability by crafting a special WebP lossless file that triggers the ReadHuffmanCodes() function, leading to a heap-based buffer overflow. This vulnerability can potentially allow arbitrary code execution.
Remediation:
Upgrade to version 0.32.6 or later of sharp to fix this vulnerability. Additionally, upgrade @tryghost/mg-fs-utils to versions 0.12.18 or 0.12.14 as indicated for the respective paths.
Proposed Changes:
Create an issue in the project repository to track the resolution of this vulnerability. This issue should outline the steps needed to mitigate the vulnerability, including upgrading sharp and @tryghost/mg-fs-utils to the recommended versions.
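As an added check that is not part of this issue or of the sharp project, the script below walks a package-lock.json (lockfileVersion 2 or 3) and flags every installed copy of sharp below the fixed version 0.32.6, including a copy nested under @tryghost/mg-fs-utils; the lockfile contents are constructed sample data.

```javascript
// Added example, not from the issue or the sharp project: find every installed
// copy of sharp (hoisted or nested) in a package-lock.json "packages" map and
// report the ones below the fixed version 0.32.6.
// SAMPLE_LOCK is constructed data that mirrors the dependency path in the issue.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app", dependencies: { "@tryghost/mg-fs-utils": "0.12.13", sharp: "0.32.6" } },
    "node_modules/sharp": { version: "0.32.6" },
    "node_modules/@tryghost/mg-fs-utils": { version: "0.12.13", dependencies: { sharp: "^0.32.1" } },
    "node_modules/@tryghost/mg-fs-utils/node_modules/sharp": { version: "0.32.5" },
  },
};

const FIXED_SHARP = "0.32.6";

// Compare two dotted version strings numerically. Pre-release suffixes are
// dropped, which is enough for sharp's release numbering.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Turn a lockfile path such as "node_modules/a/node_modules/b" into the
// dependency chain "a > b" so the report shows who pulls the package in.
function chainOf(lockPath) {
  return lockPath.split("node_modules/").filter(Boolean).map((s) => s.replace(/\/$/, "")).join(" > ");
}

// Return every installed sharp below `fixed` with its chain and version.
function findVulnerableSharp(lock, fixed = FIXED_SHARP) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!/(^|\/)node_modules\/sharp$/.test(path)) continue; // exact package name only
    if (compareVersions(meta.version, fixed) < 0) {
      hits.push({ path: chainOf(path), version: meta.version });
    }
  }
  return hits;
}

for (const h of findVulnerableSharp(SAMPLE_LOCK)) {
  console.log(`vulnerable sharp ${h.version} via ${h.path} (fixed in ${FIXED_SHARP})`);
}
```

Point it at a real lockfile with `JSON.parse(fs.readFileSync("package-lock.json"))` in place of SAMPLE_LOCK; the hoisted 0.32.6 copy is not reported, only the nested 0.32.5 under @tryghost/mg-fs-utils.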
Changelog:
2023-09-12: Initial advisory publication
2023-09-27: Advisory details updated, including CVSS, references
2023-09-27: CVE-2023-5129 rejected as a duplicate of CVE-2023-4863
2023-09-28: Research and addition of additional affected libraries
2024-01-28: Additional fix information