search

tharun453 / samples

Sample code referenced by the .NET documentation
https://docs.microsoft.com/samples/browse
Creative Commons Attribution 4.0 International
0 stars 0 forks source link

CVE-2024-41131 (High) detected in sixlabors.imagesharp.1.0.2.nupkg, reportgenerator.4.8.13.nupkg #114

Open mend-bolt-for-github[bot] opened 3 months ago

mend-bolt-for-github[bot] commented 3 months ago

CVE-2024-41131 - High Severity Vulnerability

Vulnerable Libraries - sixlabors.imagesharp.1.0.2.nupkg, reportgenerator.4.8.13.nupkg

sixlabors.imagesharp.1.0.2.nupkg

A cross-platform library for the processing of image files; written in C#

Library home page: https://api.nuget.org/packages/sixlabors.imagesharp.1.0.2.nupkg

Path to dependency file: /iot/cheesecave.net/cheesecave.net.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/sixlabors.imagesharp/1.0.2/sixlabors.imagesharp.1.0.2.nupkg

Dependency Hierarchy: - iot.device.bindings.1.5.0.nupkg (Root Library) - :x: **sixlabors.imagesharp.1.0.2.nupkg** (Vulnerable Library)

reportgenerator.4.8.13.nupkg

ReportGenerator converts coverage reports generated by coverlet, OpenCover, dotCover, Visual Studio,...

Library home page: https://api.nuget.org/packages/reportgenerator.4.8.13.nupkg

Path to dependency file: /csharp/unit-testing-code-coverage/XUnit.Coverlet.Collector/XUnit.Coverlet.Collector.csproj

Path to vulnerable library: /nuget/packages/reportgenerator/4.8.13/reportgenerator.4.8.13.nupkg

Dependency Hierarchy: - :x: **reportgenerator.4.8.13.nupkg** (Vulnerable Library)

Found in HEAD commit: 0d7f1931b9759c22f0469b959114a5d94f8f92e4

Found in base branch: main

Vulnerability Details

ImageSharp is a 2D graphics API. An Out-of-bounds Write vulnerability has been found in the ImageSharp gif decoder, allowing attackers to cause a crash using a specially crafted gif. This can potentially lead to denial of service. All users are advised to upgrade to v3.1.5 or v2.1.9.

Publish Date: 2024-07-22

URL: CVE-2024-41131

CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/SixLabors/ImageSharp/security/advisories/GHSA-63p8-c4ww-9cg7

Release Date: 2024-07-22

Fix Resolution: SixLabors.ImageSharp - 2.1.9,3.1.5

Step up your Open Source Security Game with Mend here