GHSA-f9pm-4g9p-6vm3

Source
https://github.com/advisories/GHSA-f9pm-4g9p-6vm3
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-f9pm-4g9p-6vm3/GHSA-f9pm-4g9p-6vm3.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-f9pm-4g9p-6vm3
Published
2023-10-06T16:59:22Z
Modified
2024-02-16T08:24:28.336704Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
Bundled libwebp in pywebp vulnerable
Details

Impact

pywebp versions before v0.3.0 bundled libwebp binaries in their wheels that are vulnerable to CVE-2023-4863. The vulnerability is a heap buffer overflow that allows a remote attacker to perform an out-of-bounds memory write.

Patches

The problem has been patched upstream in libwebp 1.3.2. pywebp was updated to bundle a patched version of libwebp in v0.3.0.

Workarounds

No known workarounds without upgrading.

References

  • https://www.rezilion.com/blog/rezilion-researchers-uncover-new-details-on-severity-of-google-chrome-zero-day-vulnerability-cve-2023-4863/
  • https://nvd.nist.gov/vuln/detail/CVE-2023-4863
Affected packages

PyPI / webp

Package: webp (PyPI)

Affected ranges

  • Type: ECOSYSTEM
  • Events:
    Introduced: 0 (unknown introduced version; all previous versions are affected)
    Fixed: 0.3.0

Affected versions

0.*

0.1.0a4
0.1.0a5
0.1.0a6
0.1.0a7
0.1.0a9
0.1.0a10
0.1.0a11
0.1.0a12
0.1.0a13
0.1.0a14
0.1.0a15
0.1.0a16
0.1.0
0.1.1
0.1.2
0.1.3
0.1.4
0.1.5
0.1.6
0.1.7
0.1.8
0.2.0
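The affected range above (ECOSYSTEM type, introduced 0, fixed 0.3.0) is the machine-readable form of the "Impact" and "Patches" statements, and it is what vulnerability scanners evaluate against an installed version. The following Python is an added example, not code from the advisory, OSV or the pywebp project: it mirrors the advisory's affected entry in the OSV JSON shape, walks the range events with OSV semantics (a version is affected after an `introduced` event until the next `fixed` or `last_affected` event), and reports whether a given PyPI `webp` version falls in the range. The version parser is a deliberately small PEP 440 subset that covers the forms listed on this page (release segment plus an optional a/b/rc pre-release); production tooling should use `packaging.version` instead. The `check_installed` helper name is my own.

```python
import re
from importlib.metadata import PackageNotFoundError, version as installed_version

# The advisory's affected entry, transcribed from the page into the OSV JSON shape.
ADVISORY = {
    "id": "GHSA-f9pm-4g9p-6vm3",
    "aliases": ["CVE-2023-4863"],
    "affected": [
        {
            "package": {"ecosystem": "PyPI", "name": "webp"},
            "ranges": [
                {
                    "type": "ECOSYSTEM",
                    "events": [{"introduced": "0"}, {"fixed": "0.3.0"}],
                }
            ],
        }
    ],
}

# Pre-release tags order a < b < rc; a final release (tag 3) outranks all of them.
_PRE_TAGS = {"a": 0, "alpha": 0, "b": 1, "beta": 1, "rc": 2, "c": 2}
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:(a|alpha|b|beta|rc|c)(\d+))?$")


def parse_version(text):
    """Parse a PEP 440 subset (release segment + optional pre-release) into a sortable tuple.

    Only the forms that appear in the advisory (e.g. 0.1.0a4, 0.3.0) are accepted;
    anything else raises ValueError rather than silently comparing wrong.
    """
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unsupported version string: {text!r}")
    release = tuple(int(part) for part in match.group(1).split("."))
    # Trailing zeros are insignificant in PEP 440, so 0.3 == 0.3.0.
    while len(release) > 1 and release[-1] == 0:
        release = release[:-1]
    if match.group(2):
        return (release, (_PRE_TAGS[match.group(2)], int(match.group(3))))
    return (release, (3, 0))  # final release sorts after its own pre-releases


def is_affected_by_range(version, osv_range):
    """Apply OSV ECOSYSTEM range semantics: walk events in version order and track state."""
    target = parse_version(version)
    affected = False
    events = sorted(osv_range["events"], key=lambda e: parse_version(next(iter(e.values()))))
    for event in events:
        kind, bound = next(iter(event.items()))
        limit = parse_version(bound)
        if kind == "introduced" and limit <= target:
            affected = True          # at or past the introducing version
        elif kind == "fixed" and limit <= target:
            affected = False         # the fixing version itself is clean
        elif kind == "last_affected" and limit < target:
            affected = False         # last_affected is inclusive, so only strictly later is clean
    return affected


def is_affected(advisory, ecosystem, name, version):
    """True if any ECOSYSTEM range of the advisory covers this package version."""
    for entry in advisory["affected"]:
        pkg = entry["package"]
        if pkg["ecosystem"] != ecosystem or pkg["name"].lower() != name.lower():
            continue
        for osv_range in entry["ranges"]:
            if osv_range["type"] == "ECOSYSTEM" and is_affected_by_range(version, osv_range):
                return True
    return False


def check_installed(advisory, distribution="webp"):
    """Return (installed_version, affected) for a locally installed distribution, or None if absent."""
    try:
        found = installed_version(distribution)
    except PackageNotFoundError:
        return None
    return found, is_affected(advisory, "PyPI", distribution, found)


if __name__ == "__main__":
    # Sample versions drawn from the page's affected list plus the fixed release.
    for candidate in ["0.1.0a4", "0.2.0", "0.3.0a1", "0.3.0", "0.3.1"]:
        state = "AFFECTED" if is_affected(ADVISORY, "PyPI", "webp", candidate) else "ok"
        print(f"webp {candidate}: {state}")
    print("installed:", check_installed(ADVISORY))
```

Note that a pre-release of the fixed version (such as 0.3.0a1) still evaluates as affected, because OSV ranges compare versions, not release lines; that is the case most hand-written "< 0.3.0" checks get wrong.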