GHSA-f9pm-4g9p-6vm3

Published: 06 Oct 2023
Source: github
Github: Reviewed
CVSS3: 8.8

Description

Bundled libwebp in pywebp vulnerable

Impact

pywebp versions before v0.3.0 bundled libwebp binaries in wheels that are vulnerable to CVE-2023-4863. The vulnerability was a heap buffer overflow which allowed a remote attacker to perform an out of bounds memory write.

Patches

The problem has been patched upstream in libwebp 1.3.2. pywebp was updated to bundle a patched version of libwebp in v0.3.0.

Workarounds

No known workarounds without upgrading.

Packages

Name: webp (pip)
Affected versions: < 0.3.0
Fixed version: 0.3.0

8.8 High

CVSS3
