Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1mOXBtLTRnOXAtNnZtM84AA2Rp
Bundled libwebp in pywebp vulnerable
Impact
pywebp versions before v0.3.0 bundled libwebp binaries in wheels that are vulnerable to CVE-2023-4863. The vulnerability was a heap buffer overflow which allowed a remote attacker to perform an out of bounds memory write.
Patches
The problem has been patched upstream in libwebp 1.3.2.
pywebp was updated to bundle a patched version of libwebp in v0.3.0.
Workarounds
No known workarounds without upgrading.
References
- https://www.rezilion.com/blog/rezilion-researchers-uncover-new-details-on-severity-of-google-chrome-zero-day-vulnerability-cve-2023-4863/
- https://nvd.nist.gov/vuln/detail/CVE-2023-4863
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1mOXBtLTRnOXAtNnZtM84AA2Rp
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 1 year ago
Updated: about 1 year ago
CVSS Score: 8.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Identifiers: GHSA-f9pm-4g9p-6vm3
References:
- https://github.com/anibali/pywebp/security/advisories/GHSA-f9pm-4g9p-6vm3
- https://github.com/anibali/pywebp/commit/1f938731a158a6584977cec2cce21b21c15f6c4b
- https://github.com/advisories/GHSA-f9pm-4g9p-6vm3
Blast Radius: 12.9
Affected Packages
pypi:webp
Dependent packages: 5Dependent repositories: 29
Downloads: 26,000 last month
Affected Version Ranges: < 0.3.0
Fixed in: 0.3.0
All affected versions: 0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.1.4, 0.1.5, 0.1.6, 0.1.7, 0.1.8, 0.2.0
All unaffected versions: 0.3.0, 0.4.0