GHSA-w2pj-9cgh-mq2c

Source

https://github.com/advisories/GHSA-w2pj-9cgh-mq2c

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/08/GHSA-w2pj-9cgh-mq2c/GHSA-w2pj-9cgh-mq2c.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-w2pj-9cgh-mq2c

Published

2024-08-30T23:37:14Z

Modified

2024-12-01T05:23:01.132428Z

Severity

8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
8.6 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator

Summary

opencv-contrib-python-headless bundled libwebp binaries in wheels that are vulnerable to CVE-2023-4863

Details

opencv-contrib-python-headless versions before v4.8.1.78 bundled libwebp binaries in wheels that are vulnerable to CVE-2023-4863. opencv-contrib-python-headless v4.8.1.78 upgrades the bundled libwebp binary to v1.3.2.

Database specific

{
    "github_reviewed_at": "2024-08-30T23:37:14Z",
    "cwe_ids": [
        "CWE-787"
    ],
    "nvd_published_at": null,
    "severity": "HIGH",
    "github_reviewed": true
}

References

Affected packages

PyPI / opencv-contrib-python-headless

Package

Name: opencv-contrib-python-headless; View open source insights on deps.dev
Purl: pkg:pypi/opencv-contrib-python-headless

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

4.8.1.78

Affected versions

3.*

3.4.0.14

3.4.1.15

3.4.2.17

3.4.3.18

3.4.4.19

3.4.5.20

3.4.6.27

3.4.7.28

3.4.8.29

3.4.9.33

3.4.10.37

3.4.11.39

3.4.11.41

3.4.11.43

3.4.11.45

3.4.13.47

3.4.14.51

3.4.14.53

3.4.15.55

3.4.16.57

3.4.16.59

3.4.17.61

3.4.17.63

3.4.18.65

4.*

4.0.0.21

4.0.1.23

4.0.1.24

4.1.0.25

4.1.1.26

4.1.2.30

4.2.0.32

4.2.0.34

4.3.0.36

4.3.0.38

4.4.0.40

4.4.0.42

4.4.0.44

4.4.0.46

4.5.1.48

4.5.2.52

4.5.2.54

4.5.3.56

4.5.4.58

4.5.4.60

4.5.5.62

4.5.5.64

4.6.0.66

4.7.0.68

4.7.0.72

4.8.0.74

4.8.0.76