Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS01eDdtLTY3MzctMjZjcs4AA7Bg
SixLabors.ImageSharp vulnerable to data leakage
Impact
A data leakage flaw was found in ImageSharp's JPEG and TGA decoders. This vulnerability is triggered when an attacker passes a specially crafted JPEG or TGA image file to software using ImageSharp, potentially disclosing sensitive information from other parts of the software in the resulting image buffer.
Patches
The problem has been patched. All users are advised to upgrade to v3.1.4 or v2.1.8.
Workarounds
None
References
None
Permalink: https://github.com/advisories/GHSA-5x7m-6737-26cr
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS01eDdtLTY3MzctMjZjcs4AA7Bg
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 18 days ago
Updated: 16 days ago
CVSS Score: 5.3
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
Identifiers: GHSA-5x7m-6737-26cr, CVE-2024-32036
References:
- https://github.com/SixLabors/ImageSharp/security/advisories/GHSA-5x7m-6737-26cr
- https://github.com/SixLabors/ImageSharp/commit/8f0b4d3e680e78d479a88e7b1472bccd8f096d68
- https://github.com/SixLabors/ImageSharp/commit/da5f09a42513489fe359578d81cec2f15ba588ba
- https://nvd.nist.gov/vuln/detail/CVE-2024-32036
- https://github.com/advisories/GHSA-5x7m-6737-26cr
Blast Radius: 1.0
Affected Packages
nuget:SixLabors.ImageSharp
Dependent packages: 0
Dependent repositories: 0
Downloads: 93,448,520 total
Affected Version Ranges: >= 3.0.0, < 3.1.4, < 2.1.8
Fixed in: 3.1.4, 2.1.8
All affected versions: 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 2.0.0, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6, 2.1.7, 3.0.0, 3.0.1, 3.0.2, 3.1.0, 3.1.1, 3.1.2, 3.1.3
All unaffected versions: 2.1.8, 3.1.4
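A practical use of the version data above is checking a .NET project's package references against the advisory's ranges. The script below is an added example, not code from ImageSharp or ecosyste.ms: it encodes the two affected ranges listed on this page (anything below 2.1.8, and 3.0.0 up to but excluding 3.1.4) and scans a constructed sample .csproj for SixLabors.ImageSharp references. The .csproj content is constructed for illustration; pre-release suffixes are ignored when comparing versions, which is an assumption about how the ranges should be read.

```python
import re
import xml.etree.ElementTree as ET

# Affected ranges from the advisory: any version below 2.1.8,
# or 3.0.0 <= version < 3.1.4. Fixed versions are 2.1.8 and 3.1.4.
AFFECTED_RANGES = [((0, 0, 0), (2, 1, 8)), ((3, 0, 0), (3, 1, 4))]


def parse_version(text):
    """Turn '3.1.2' into a comparable (major, minor, patch) tuple.
    A pre-release suffix such as '-beta' is dropped (assumption)."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """True if the version falls inside any affected range (lo inclusive, hi exclusive)."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def find_imagesharp_refs(csproj_xml):
    """Return [(version, affected)] for every SixLabors.ImageSharp PackageReference."""
    root = ET.fromstring(csproj_xml)
    results = []
    for ref in root.iter("PackageReference"):
        if ref.get("Include", "").lower() != "sixlabors.imagesharp":
            continue
        # Version can be an attribute or a child element in SDK-style projects.
        version = ref.get("Version") or (ref.findtext("Version") or "")
        results.append((version, is_affected(version)))
    return results


# Constructed sample project file, not taken from any real repository.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="SixLabors.ImageSharp" Version="3.1.2" />
    <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
  </ItemGroup>
</Project>"""

if __name__ == "__main__":
    for version, affected in find_imagesharp_refs(SAMPLE_CSPROJ):
        status = "AFFECTED, upgrade to 3.1.4 or 2.1.8" if affected else "not affected"
        print(f"SixLabors.ImageSharp {version}: {status}")
```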