QGISfinal-3_32_0: 1 vulnerabilities (highest severity is: 8.8) - autoclosed

[mend-for-github-com[bot]]

Vulnerable Library - QGISfinal-3_32_0

QGIS is a free, open source, cross platform (lin/win/mac) geographical information system (GIS)

Library home page: https://github.com/qgis/QGIS.git

Vulnerable Source Files (1)

/external/libdxfrw/intern/dwgreader18.h

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (QGISfinal version)	Remediation Available
CVE-2021-21898	High	8.8	QGISfinal-3_32_0	Direct	No_FIX	❌

Details

CVE-2021-21898

### Vulnerable Library - QGISfinal-3_32_0

QGIS is a free, open source, cross platform (lin/win/mac) geographical information system (GIS)

Library home page: https://github.com/qgis/QGIS.git

Found in base branch: master

### Vulnerable Source Files (1)

/external/libdxfrw/intern/dwgreader18.h

### Vulnerability Details

A code execution vulnerability exists in the dwgCompressor::decompress18() functionality of LibreCad libdxfrw 2.2.0-rc2-19-ge02f3580. A specially-crafted .dwg file can lead to an out-of-bounds write. An attacker can provide a malicious file to trigger this vulnerability.

Publish Date: 2021-11-19

URL: CVE-2021-21898

### CVSS 3 Score Details (8.8)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21898

Release Date: 2021-11-19

Fix Resolution: No_FIX

[mend-for-github-com[bot]]

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.