Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS02NXg3LWMyNzItN2c3cs4AA5xd
Use After Free in SixLabors.ImageSharp
Impact
A heap use-after-free flaw was found in the InitializeImage() function of ImageSharp's PngDecoderCore.cs. It is triggered when an attacker passes a specially crafted PNG image file to ImageSharp for conversion, potentially leading to information disclosure. Note that the CVSS vector recorded below also scores the availability impact as High, not only the confidentiality impact.
Patches
The problem has been patched in v3.1.3 (3.x line) and v2.1.7 (2.x line). All users are advised to upgrade to one of those releases.
Workarounds
None
References
None
Permalink: https://github.com/advisories/GHSA-65x7-c272-7g7r
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS02NXg3LWMyNzItN2c3cs4AA5xd
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 2 months ago
Updated: about 2 months ago
CVSS Score: 7.1
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H
Identifiers: GHSA-65x7-c272-7g7r, CVE-2024-27929
References:
- https://github.com/SixLabors/ImageSharp/security/advisories/GHSA-65x7-c272-7g7r
- https://nvd.nist.gov/vuln/detail/CVE-2024-27929
- https://github.com/SixLabors/ImageSharp/pull/2688
- https://github.com/advisories/GHSA-65x7-c272-7g7r
Blast Radius: 1.0
Affected Packages
nuget:SixLabors.ImageSharp
Dependent packages: 0
Dependent repositories: 0
Downloads: 93,448,520 total
Affected Version Ranges: < 2.1.7; >= 3.0.0, < 3.1.3
Fixed in: 2.1.7, 3.1.3
All affected versions: 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 2.0.0, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6, 3.0.0, 3.0.1, 3.0.2, 3.1.0, 3.1.1, 3.1.2
All unaffected versions: 2.1.7, 2.1.8, 3.1.3, 3.1.4
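The affected ranges and fixed releases above, turned into a check that can be run against a .NET project file. This is an added example, not code from the advisory or from the ImageSharp project: the range boundaries and the two version lists are copied from this page, while the version parser, the scan_csproj helper and the sample .csproj contents are constructed for the illustration.

```python
"""Version check for this advisory (GHSA-65x7-c272-7g7r / CVE-2024-27929).

The affected ranges and the version lists are copied from the advisory page;
the parser and the sample project files are constructed for this example.
"""
import re
import xml.etree.ElementTree as ET

# Copied from the page's "Affected Version Ranges" line, as half-open intervals:
# [0.0.0, 2.1.7) for the 2.x line and [3.0.0, 3.1.3) for the 3.x line.
AFFECTED_RANGES = [("0.0.0", "2.1.7"), ("3.0.0", "3.1.3")]

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$")


def parse_version(text):
    """Map 'MAJOR.MINOR.PATCH[-prerelease]' to a comparable tuple.

    The last element is 0 for a pre-release and 1 for a final release, so
    3.1.3-beta.1 sorts below 3.1.3 (as in SemVer/NuGet) and therefore still
    counts as inside [3.0.0, 3.1.3). Floating or bracketed NuGet ranges such
    as '3.*' or '[3.1.2,)' are rejected with ValueError rather than guessed.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    major, minor, patch, prerelease = m.groups()
    return (int(major), int(minor), int(patch), 0 if prerelease else 1)


def is_affected(version):
    """True if `version` falls inside any advisory range (lower <= v < upper)."""
    v = parse_version(version)
    return any(parse_version(lo) <= v < parse_version(hi) for lo, hi in AFFECTED_RANGES)


def minimum_fix_for(version):
    """Fixed release on the matching major line (2.1.7 or 3.1.3), or None if not affected."""
    if not is_affected(version):
        return None
    return "3.1.3" if parse_version(version)[0] >= 3 else "2.1.7"


# Constructed sample project files (package versions are made up for the example).
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="SixLabors.ImageSharp" Version="3.1.2" />
    <PackageReference Include="Example.Unrelated.Package" Version="[1.0.0,)" />
  </ItemGroup>
</Project>"""

SAMPLE_CSPROJ_FLOATING = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="SixLabors.ImageSharp" Version="3.*" />
  </ItemGroup>
</Project>"""


def scan_csproj(csproj_xml):
    """Report each SixLabors.ImageSharp PackageReference as (version, status),
    where status is 'affected', 'ok' or 'unknown' (no exact pin to evaluate).

    Only the Version attribute of a PackageReference is inspected; projects that
    use a <Version> child element or central package management
    (Directory.Packages.props) need the same check applied to those files.
    """
    findings = []
    for ref in ET.fromstring(csproj_xml).iter("PackageReference"):
        if ref.get("Include", "").lower() != "sixlabors.imagesharp":
            continue
        version = ref.get("Version")
        if version is None:
            findings.append((None, "unknown"))
            continue
        try:
            status = "affected" if is_affected(version) else "ok"
        except ValueError:
            status = "unknown"
        findings.append((version, status))
    return findings


# Copied from the page's "All affected versions" / "All unaffected versions" lines.
PAGE_AFFECTED = ("1.0.0 1.0.1 1.0.2 1.0.3 1.0.4 2.0.0 2.1.0 2.1.1 2.1.2 2.1.3 "
                 "2.1.4 2.1.5 2.1.6 3.0.0 3.0.1 3.0.2 3.1.0 3.1.1 3.1.2").split()
PAGE_UNAFFECTED = "2.1.7 2.1.8 3.1.3 3.1.4".split()


def ranges_match_page_lists():
    """Cross-check the range logic against the explicit version lists on the page."""
    return (all(is_affected(v) for v in PAGE_AFFECTED)
            and not any(is_affected(v) for v in PAGE_UNAFFECTED))


if __name__ == "__main__":
    for version, status in scan_csproj(SAMPLE_CSPROJ) + scan_csproj(SAMPLE_CSPROJ_FLOATING):
        fix = minimum_fix_for(version) if status == "affected" else None
        print(f"SixLabors.ImageSharp {version}: {status}" + (f" (upgrade to {fix})" if fix else ""))
    print("range logic agrees with page lists:", ranges_match_page_lists())
```

Pre-releases of a fixed version (for example 3.1.3-beta.1) are deliberately treated as still affected, since they sort below the final 3.1.3 release; a floating or bracketed pin is reported as unknown rather than silently passed, because the resolved version then depends on the restore. For projects that can run a restore, `dotnet list package --vulnerable` performs the same comparison against the GitHub Advisory Database source listed above.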