Open mend-for-github-com[bot] opened 1 year ago
:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.
:information_source: This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.
:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.
:information_source: This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.
:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.
:information_source: This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.
:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.
:information_source: This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.
:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.
:information_source: This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.
:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.
:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.
:information_source: This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.
:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.
:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.
:information_source: This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.
:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.
:information_source: This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.
:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.
:information_source: This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.
:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.
:information_source: This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.
:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.
:information_source: This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.
Vulnerable Library - ijgjpeg-7
Reference repository for The Independent JPEG Group's JPEG software, with the TurboJPEG API bolted on (for benchmarking purposes)
Library home page: https://github.com/libjpeg-turbo/ijg.git
Found in HEAD commit: 0c45ce909374d16605095db4fce9a89b9b6bafd5
Vulnerable Source Files (3)
/release/src/router/jpeg/rdtarga.c /release/src/router/jpeg/rdtarga.c /release/src/router/jpeg/rdtarga.c
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2018-11813
### Vulnerable Library - ijgjpeg-7Reference repository for The Independent JPEG Group's JPEG software, with the TurboJPEG API bolted on (for benchmarking purposes)
Library home page: https://github.com/libjpeg-turbo/ijg.git
Found in HEAD commit: 0c45ce909374d16605095db4fce9a89b9b6bafd5
Found in base branch: master
### Vulnerable Source Files (3)/release/src/router/jpeg/rdtarga.c /release/src/router/jpeg/rdtarga.c /release/src/router/jpeg/rdtarga.c
### Vulnerability Detailslibjpeg 9c has a large loop because read_pixel in rdtarga.c mishandles EOF.
Publish Date: 2018-06-06
URL: CVE-2018-11813
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Release Date: 2018-06-06
Fix Resolution: 2.0.0
CVE-2020-14152
### Vulnerable Library - ijgjpeg-7Reference repository for The Independent JPEG Group's JPEG software, with the TurboJPEG API bolted on (for benchmarking purposes)
Library home page: https://github.com/libjpeg-turbo/ijg.git
Found in HEAD commit: 0c45ce909374d16605095db4fce9a89b9b6bafd5
Found in base branch: master
### Vulnerable Source Files (3)/release/src/router/jpeg/jmemnobs.c /release/src/router/jpeg/jmemnobs.c /release/src/router/jpeg/jmemnobs.c
### Vulnerability DetailsIn IJG JPEG (aka libjpeg) before 9d, jpeg_mem_available() in jmemnobs.c in djpeg does not honor the max_memory_to_use setting, possibly causing excessive memory consumption.
Publish Date: 2020-06-15
URL: CVE-2020-14152
### CVSS 3 Score Details (7.1)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Local - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14152
Release Date: 2020-06-15
Fix Resolution: jpeg-9d
WS-2021-0185
### Vulnerable Library - ijgjpeg-7Reference repository for The Independent JPEG Group's JPEG software, with the TurboJPEG API bolted on (for benchmarking purposes)
Library home page: https://github.com/libjpeg-turbo/ijg.git
Found in HEAD commit: 0c45ce909374d16605095db4fce9a89b9b6bafd5
Found in base branch: master
### Vulnerable Source Files (3)/release/src/router/jpeg/rdppm.c /release/src/router/jpeg/rdppm.c /release/src/router/jpeg/rdppm.c
### Vulnerability Detailslibjpeg-turbo before 2.1.0 is vulnerable to heap-buffer-overflow in get_word_rgb_row, related to rdppm.c.
Publish Date: 2021-04-06
URL: WS-2021-0185
### CVSS 3 Score Details (6.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://osv.dev/vulnerability/OSV-2021-609
Release Date: 2021-04-06
Fix Resolution: 2.1.0
CVE-2017-15232
### Vulnerable Libraries - ijgjpeg-7, ijgjpeg-7, ijgjpeg-7, ijgjpeg-7, ijgjpeg-7, ijgjpeg-7, ijgjpeg-7, ijgjpeg-7libjpeg-turbo 1.5.2 has a NULL Pointer Dereference in jdpostct.c and jquant1.c via a crafted JPEG file.
Publish Date: 2017-10-11
URL: CVE-2017-15232
### CVSS 3 Score Details (6.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15232
Release Date: 2017-10-11
Fix Resolution: 1.5.3
CVE-2018-14498
### Vulnerable Library - ijgjpeg-7Reference repository for The Independent JPEG Group's JPEG software, with the TurboJPEG API bolted on (for benchmarking purposes)
Library home page: https://github.com/libjpeg-turbo/ijg.git
Found in HEAD commit: 0c45ce909374d16605095db4fce9a89b9b6bafd5
Found in base branch: master
### Vulnerable Source Files (3)/release/src/router/jpeg/rdbmp.c /release/src/router/jpeg/rdbmp.c /release/src/router/jpeg/rdbmp.c
### Vulnerability Detailsget_8bit_row in rdbmp.c in libjpeg-turbo through 1.5.90 and MozJPEG through 3.3.1 allows attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted 8-bit BMP in which one or more of the color indices is out of range for the number of palette entries.
Publish Date: 2019-03-07
URL: CVE-2018-14498
### CVSS 3 Score Details (6.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14498
Release Date: 2019-03-07
Fix Resolution: 2.0.0
CVE-2012-2806
### Vulnerable Library - ijgjpeg-7Reference repository for The Independent JPEG Group's JPEG software, with the TurboJPEG API bolted on (for benchmarking purposes)
Library home page: https://github.com/libjpeg-turbo/ijg.git
Found in HEAD commit: 0c45ce909374d16605095db4fce9a89b9b6bafd5
Found in base branch: master
### Vulnerable Source Files (3)/release/src/router/jpeg/jdmarker.c /release/src/router/jpeg/jdmarker.c /release/src/router/jpeg/jdmarker.c
### Vulnerability DetailsHeap-based buffer overflow in the get_sos function in jdmarker.c in libjpeg-turbo 1.2.0 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a large component count in the header of a JPEG image.
Publish Date: 2012-08-13
URL: CVE-2012-2806
### CVSS 3 Score Details (5.6)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: Low
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: http://security.gentoo.org/glsa/glsa-201209-13.xml
Release Date: 2012-09-26
Fix Resolution: All libjpeg-turbo users should upgrade to the latest version >= libjpeg-turbo-1.2.1
CVE-2020-35538
### Vulnerable Library - ijgjpeg-7Reference repository for The Independent JPEG Group's JPEG software, with the TurboJPEG API bolted on (for benchmarking purposes)
Library home page: https://github.com/libjpeg-turbo/ijg.git
Found in HEAD commit: 0c45ce909374d16605095db4fce9a89b9b6bafd5
Found in base branch: master
### Vulnerable Source Files (3)/release/src/router/jpeg/jdapistd.c /release/src/router/jpeg/jdapistd.c /release/src/router/jpeg/jdapistd.c
### Vulnerability DetailsA crafted input file could cause a null pointer dereference in jcopy_sample_rows() when processed by libjpeg-turbo.
Publish Date: 2022-08-31
URL: CVE-2020-35538
### CVSS 3 Score Details (5.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Local - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35538
Release Date: 2022-08-31
Fix Resolution: 2.0.6
CVE-2021-46822
### Vulnerable Library - ijgjpeg-7Reference repository for The Independent JPEG Group's JPEG software, with the TurboJPEG API bolted on (for benchmarking purposes)
Library home page: https://github.com/libjpeg-turbo/ijg.git
Found in HEAD commit: 0c45ce909374d16605095db4fce9a89b9b6bafd5
Found in base branch: master
### Vulnerable Source Files (3)/release/src/router/jpeg/rdppm.c /release/src/router/jpeg/rdppm.c /release/src/router/jpeg/rdppm.c
### Vulnerability DetailsThe PPM reader in libjpeg-turbo through 2.0.90 mishandles use of tjLoadImage for loading a 16-bit binary PPM file into a grayscale buffer and loading a 16-bit binary PGM file into an RGB buffer. This is related to a heap-based buffer overflow in the get_word_rgb_row function in rdppm.c.
Publish Date: 2022-06-18
URL: CVE-2021-46822
### CVSS 3 Score Details (5.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Local - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-46822
Release Date: 2022-06-18
Fix Resolution: 2.1.0
CVE-2013-6630
### Vulnerable Library - ijgjpeg-7Reference repository for The Independent JPEG Group's JPEG software, with the TurboJPEG API bolted on (for benchmarking purposes)
Library home page: https://github.com/libjpeg-turbo/ijg.git
Found in HEAD commit: 0c45ce909374d16605095db4fce9a89b9b6bafd5
Found in base branch: master
### Vulnerable Source Files (3)/release/src/router/jpeg/jdmarker.c /release/src/router/jpeg/jdmarker.c /release/src/router/jpeg/jdmarker.c
### Vulnerability DetailsThe get_dht function in jdmarker.c in libjpeg-turbo through 1.3.0, as used in Google Chrome before 31.0.1650.48 and other products, does not set all elements of a certain Huffman value array during the reading of segments that follow Define Huffman Table (DHT) JPEG markers, which allows remote attackers to obtain sensitive information from uninitialized memory locations via a crafted JPEG image.
Publish Date: 2013-11-19
URL: CVE-2013-6630
### CVSS 3 Score Details (5.3)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: None - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Release Date: 2013-11-19
Fix Resolution: 1.3.1
CVE-2013-6629
### Vulnerable Library - ijgjpeg-7Reference repository for The Independent JPEG Group's JPEG software, with the TurboJPEG API bolted on (for benchmarking purposes)
Library home page: https://github.com/libjpeg-turbo/ijg.git
Found in HEAD commit: 0c45ce909374d16605095db4fce9a89b9b6bafd5
Found in base branch: master
### Vulnerable Source Files (2)/release/src/router/jpeg/jdmarker.c /release/src/router/jpeg/jdmarker.c
### Vulnerability DetailsThe get_sos function in jdmarker.c in (1) libjpeg 6b and (2) libjpeg-turbo through 1.3.0, as used in Google Chrome before 31.0.1650.48, Ghostscript, and other products, does not check for certain duplications of component data during the reading of segments that follow Start Of Scan (SOS) JPEG markers, which allows remote attackers to obtain sensitive information from uninitialized memory locations via a crafted JPEG image.
Publish Date: 2013-11-19
URL: CVE-2013-6629
### CVSS 3 Score Details (5.3)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: None - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6629
Release Date: 2013-11-19
Fix Resolution: 1.3.90