GitHub Advisory Database: GHSA-F9PM-4G9P-6VM3
Published: Oct 06, 2023 - 4:59 p.m.

Bundled libwebp in pywebp vulnerable

Source: github.com
Tags: pywebp, libwebp, vulnerability, heap buffer overflow, remote attacker, memory write, patch, upgrade

CVSS3: 8.8

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS: 0.629
Percentile: 97.9%

Impact

pywebp versions before v0.3.0 bundled libwebp binaries in their wheels that are vulnerable to CVE-2023-4863, a heap buffer overflow that allows a remote attacker to perform an out-of-bounds memory write.

Patches

The problem has been patched upstream in libwebp 1.3.2.
pywebp was updated to bundle a patched version of libwebp in v0.3.0.

Workarounds

No known workarounds without upgrading.
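Because the fix is only available by upgrading, the practical defender's task is to find every environment still carrying a wheel below v0.3.0. The following is an added example, not part of the advisory or the pywebp project: it encodes the affected range from the Affected configurations table below (distribution `webp`, versions < 0.3.0, fixed in 0.3.0) and audits a package inventory against it, first a constructed sample and then the running interpreter via `importlib.metadata`. The version parser is deliberately minimal and handles only X.Y.Z with an optional pre-release suffix; treating a pre-release such as 0.3.0rc1 as still affected is a conservative assumption of this example, not something the advisory states.

```python
"""Flag installed Python distributions inside an advisory's affected range
(added example, not the project's own code)."""
import importlib.metadata
import re

# Affected ranges keyed by PyPI distribution name, taken from this advisory's
# "Affected configurations" table. Further advisories can be added here.
ADVISORIES = {
    "webp": {"id": "GHSA-F9PM-4G9P-6VM3", "fixed_in": "0.3.0"},
}

_VERSION_RE = re.compile(
    r"^v?(\d+(?:\.\d+)*)(?P<pre>(?:a|b|rc|alpha|beta|dev)\d*)?$"
)


def parse_version(version: str) -> tuple:
    """Return a sortable key: (numeric components, 0 for pre-release else 1).

    A pre-release such as 0.3.0rc1 sorts before 0.3.0 and is therefore
    still reported as affected (conservative assumption of this example).
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    nums = nums + (0,) * (3 - len(nums))  # so 0.3 compares equal to 0.3.0
    return (nums, 0 if m.group("pre") else 1)


def is_affected(name: str, version: str) -> bool:
    """True if `name` at `version` is below the advisory's fixed version."""
    adv = ADVISORIES.get(name.lower())
    if adv is None:
        return False
    return parse_version(version) < parse_version(adv["fixed_in"])


def audit(installed: dict) -> list:
    """Return [(name, version, advisory_id, fixed_in)] for affected entries."""
    findings = []
    for name, version in sorted(installed.items()):
        if is_affected(name, version):
            adv = ADVISORIES[name.lower()]
            findings.append((name, version, adv["id"], adv["fixed_in"]))
    return findings


def installed_distributions() -> dict:
    """Snapshot of the running interpreter's installed distributions."""
    return {d.metadata["Name"]: d.version
            for d in importlib.metadata.distributions()}


if __name__ == "__main__":
    # Constructed sample inventory, e.g. the output of `pip freeze` on a host.
    sample = {"webp": "0.1.6", "Pillow": "10.0.1", "numpy": "1.26.0"}
    for name, version, adv_id, fixed in audit(sample):
        print(f"{name}=={version}: affected by {adv_id}, upgrade to >={fixed}")
    # Then the live environment this script runs in.
    for name, version, adv_id, fixed in audit(installed_distributions()):
        print(f"[live] {name}=={version}: affected by {adv_id}, upgrade to >={fixed}")
```

Note that this only catches the Python wheel's bundled copy of libwebp; a system libwebp used by other software on the same host needs its own check against the 1.3.2 upstream fix named under Patches.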

References

Affected configurations

Node: webp, Range: <0.3.0
Vendor: *, Product: webp, Version: *, CPE: cpe:2.3:a:*:webp:*:*:*:*:*:*:*:*
