Lucene search

Veracode Vulnerability DatabaseVERACODE:43617

HistoryOct 09, 2023 - 6:38 a.m.

Denial Of Service (DoS)

2023-10-0906:38:37

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

denial of service

libvips.so

vulnerability

utf-8

character handling

svgload.c

validation

malformed characters

application crash

arbitrary code

security flaw

5.5 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

0.0004 Low

EPSS

Percentile

5.1%

JSON

libvips.so is vulnerable to Denial of Service (DoS). The vulnerability is due improper UTF-8 character handling in svgload.c because it does not properly validate malformed characters, which allows an attacker to cause an application crash or potentially execute arbitrary code.

CPENameOperatorVersion
libvips.sole42.16.3
libvips.sole42.16.3

CPE	Name	Operator	Version
	libvips.so	le	42.16.3
	libvips.so	le	42.16.3

References

bugzilla.suse.com/show_bug.cgi?id=1215232

github.com/libvips/libvips/commit/e091d65835966ef56d53a4105a7362cafdb1582b

github.com/libvips/libvips/pull/3604

github.com/libvips/libvips/security/advisories/GHSA-33qp-9pq7-9584

lists.fedoraproject.org/archives/list/[email protected]/message/YU2FFC47X2XDEGEHEWAGLU5L3R6FEYD2/

5.5 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

0.0004 Low

EPSS

Percentile

5.1%

JSON

Related for VERACODE:43617