Lucene search

K
osvGoogleOSV:GHSA-G4M4-9Q4C-MFW6
HistoryJul 16, 2024 - 7:32 p.m.

Fiona affected by CVE-2020-14152 related to madler-zlib

2024-07-1619:32:22
Google
osv.dev
12
fiona
cve-2020-14152
madler-zlib
vulnerability
scan
ijg jpeg
libjpeg
excessive memory consumption
software

CVSS2

5.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:N/A:P

CVSS3

7.1

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H

AI Score

7

Confidence

High

Summary

Vulnerability scan of fiona shows CVE-2020-14152. The vulnerability is in libjpeg, a transitive dependency of fiona (via GDAL and PROJ).

Details

In IJG JPEG (aka libjpeg) before 9d, jpeg_mem_available() in jmemnobs.c in djpeg does not honor the max_memory_to_use setting, possibly causing excessive memory consumption.

Impact

fiona will not open JPEG files and is not vulnerable to attack in that way. fiona might be vulnerable to malformed PROJ grid files using JPEG compression. No such vulnerability or compromise has been demonstrated.

CVSS2

5.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:N/A:P

CVSS3

7.1

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H

AI Score

7

Confidence

High