CVE-2024-32036 (Medium) detected in sixlabors.imagesharp.2.1.7.nupkg

[mend-bolt-for-github[bot]]

CVE-2024-32036 - Medium Severity Vulnerability

Vulnerable Library - sixlabors.imagesharp.2.1.7.nupkg

A new, fully featured, fully managed, cross-platform, 2D graphics API for .NET

Library home page: https://api.nuget.org/packages/sixlabors.imagesharp.2.1.7.nupkg

Path to dependency file: /samples/AlloySampleSite/AlloySampleSite.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/sixlabors.imagesharp/2.1.7/sixlabors.imagesharp.2.1.7.nupkg

Dependency Hierarchy: - EPiServer.CMS-12.29.1 (Root Library) - EPiServer.ImageLibrary.ImageSharp-1.0.1 - :x: **sixlabors.imagesharp.2.1.7.nupkg** (Vulnerable Library)

Found in HEAD commit: 58e425fa6a6519030503272c0026537b3b865752

Found in base branch: main

Vulnerability Details

ImageSharp is a 2D graphics API. A data leakage flaw was found in ImageSharp's JPEG and TGA decoders. This vulnerability is triggered when an attacker passes a specially crafted JPEG or TGA image file to a software using ImageSharp, potentially disclosing sensitive information from other parts of the software in the resulting image buffer. The problem has been patched in v3.1.4 and v2.1.8.

Publish Date: 2024-04-15

URL: CVE-2024-32036

CVSS 3 Score Details (5.3)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: None - Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/SixLabors/ImageSharp/security/advisories/GHSA-5x7m-6737-26cr

Release Date: 2024-04-15

Fix Resolution: SixLabors.ImageSharp - 2.1.8,3.1.4

---

Step up your Open Source Security Game with Mend here