GHSA-63p8-c4ww-9cg7

Source

https://github.com/advisories/GHSA-63p8-c4ww-9cg7

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/07/GHSA-63p8-c4ww-9cg7/GHSA-63p8-c4ww-9cg7.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-63p8-c4ww-9cg7

Aliases

CVE-2024-41131

Published

2024-07-22T17:42:07Z

Modified

2024-07-22T17:58:12.642382Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVSS Calculator

Summary

SixLabors ImageSharp Out-of-bounds Write

Details

Impact

An Out-of-bounds Write vulnerability has been found in the ImageSharp gif decoder, allowing attackers to cause a crash using a specially crafted gif. This can potentially lead to denial of service.

Patches

The problem has been patched. All users are advised to upgrade to v3.1.5 or v2.1.9.

Workarounds

None.

References

https://github.com/SixLabors/ImageSharp/pull/2754 https://github.com/SixLabors/ImageSharp/pull/2756

Database specific

{
    "nvd_published_at": "2024-07-22T15:15:03Z",
    "cwe_ids": [
        "CWE-787"
    ],
    "github_reviewed_at": "2024-07-22T17:42:07Z",
    "severity": "HIGH",
    "github_reviewed": true
}

References

Affected packages

NuGet / SixLabors.ImageSharp

Package

Name: SixLabors.ImageSharp; View open source insights on deps.dev
Purl: pkg:nuget/SixLabors.ImageSharp

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.1.9

Affected versions

1.*

1.0.0-beta0001

1.0.0-beta0002

1.0.0-beta0003

1.0.0-beta0004

1.0.0-beta0005

1.0.0-beta0006

1.0.0-beta0007

1.0.0-rc0001

1.0.0-rc0002

1.0.0-rc0003

1.0.0

1.0.1

1.0.2

1.0.3

1.0.4

2.*

2.0.0

2.1.0

2.1.1

2.1.2

2.1.3

2.1.4

2.1.5

2.1.6

2.1.7

2.1.8

NuGet / SixLabors.ImageSharp

Package

Name: SixLabors.ImageSharp; View open source insights on deps.dev
Purl: pkg:nuget/SixLabors.ImageSharp

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.0.0

Fixed

3.1.5

Affected versions

3.*

3.0.0

3.0.1

3.0.2

3.1.0

3.1.1

3.1.2

3.1.3

3.1.4