Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS05NHZjLXA4dzctNXA0Oc4AA2QD

Bundled libwebp in imagecodecs vulnerable

imagecodecs versions before v2023.9.18 bundled libwebp binaries in wheels that are vulnerable to CVE-2023-5129 (previously CVE-2023-4863). imagecodecs v2023.9.18 upgrades the bundled libwebp binary to v1.3.2.

Permalink: https://github.com/advisories/GHSA-94vc-p8w7-5p49
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS05NHZjLXA4dzctNXA0Oc4AA2QD
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 1 year ago
Updated: about 1 year ago
Identifiers: GHSA-94vc-p8w7-5p49
References: Repository: https://github.com/cgohlke/imagecodecs
Blast Radius: 0.0

Affected Packages

pypi:imagecodecs
Dependent packages: 166
Dependent repositories: 835
Downloads: 655,498 last month
Affected Version Ranges: < 2023.9.18
Fixed in: 2023.9.18
All affected versions: 2018.10.10, 2018.10.17, 2018.10.18, 2018.10.21, 2018.10.22, 2018.10.28, 2018.10.30, 2018.11.8, 2018.12.1, 2018.12.12, 2018.12.16, 2019.1.1, 2019.1.14, 2019.1.20, 2019.2.2, 2019.2.20, 2019.2.22, 2019.4.20, 2019.5.22, 2019.11.5, 2019.11.18, 2019.11.28, 2019.12.3, 2019.12.10, 2019.12.16, 2019.12.31, 2020.1.31, 2020.2.18, 2020.5.30, 2020.12.22, 2020.12.24, 2021.1.8, 2021.1.11, 2021.1.28, 2021.2.26, 2021.3.31, 2021.4.28, 2021.5.20, 2021.6.8, 2021.7.30, 2021.8.26, 2021.11.11, 2021.11.20, 2022.2.22, 2022.7.27, 2022.7.31, 2022.8.8, 2022.9.26, 2022.12.22, 2022.12.24, 2023.1.23, 2023.3.16, 2023.7.4, 2023.7.10, 2023.8.12, 2023.9.4
All unaffected versions: 2023.9.18, 2024.1.1, 2024.6.1, 2024.9.22