CVE-2024-41132 - OpenCVE

ImageSharp is a 2D graphics API. A vulnerability discovered in the ImageSharp library, where the processing of specially crafted files can lead to excessive memory usage in the Gif decoder. The vulnerability is triggered when ImageSharp attempts to process image files that are designed to exploit this flaw. All users are advised to upgrade to v3.1.5 or v2.1.9.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Sixlabors	Imagesharp

Configuration 1 [-]

OR	cpe:2.3:a:sixlabors:imagesharp::::::::
	cpe:2.3:a:sixlabors:imagesharp::::::::

No data.

References

Link	Providers
https://docs.sixlabors.com/articles/imagesharp.web/processingcommands.html#securing-processing-commands
https://docs.sixlabors.com/articles/imagesharp/security.html
https://github.com/SixLabors/ImageSharp/commit/59de13c8cc47f2b402e2c43aa7024511d029d515
https://github.com/SixLabors/ImageSharp/commit/9816ca45016c5d3859986f3c600e8934bc450a56
https://github.com/SixLabors/ImageSharp/commit/b496109051cc39feee1f6cde48fca6481de17f9a
https://github.com/SixLabors/ImageSharp/pull/2759
https://github.com/SixLabors/ImageSharp/pull/2764
https://github.com/SixLabors/ImageSharp/pull/2770
https://github.com/SixLabors/ImageSharp/security/advisories/GHSA-qxrv-gp6x-rc23

History

Wed, 11 Sep 2024 15:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Sixlabors Sixlabors imagesharp
Weaknesses		CWE-770
CPEs		cpe:2.3:a:sixlabors:imagesharp::::::::
Vendors & Products		Sixlabors Sixlabors imagesharp

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-07-22T14:28:25.348Z

Updated: 2024-08-02T04:46:52.026Z

Reserved: 2024-07-15T15:53:28.324Z

Link: CVE-2024-41132

Vulnrichment

Updated: 2024-08-02T04:46:52.026Z

NVD

Status : Analyzed

Published: 2024-07-22T15:15:04.160

Modified: 2024-09-11T15:03:52.927

Link: CVE-2024-41132

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-41132", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-07-15T15:53:28.324Z", "datePublished": "2024-07-22T14:28:25.348Z", "dateUpdated": "2024-08-02T04:46:52.026Z"}, "containers": {"cna": {"title": "SixLabors ImageSharp Allows Excessive Memory Allocation in Gif Decoder", "problemTypes": [{"descriptions": [{"cweId": "CWE-789", "lang": "en", "description": "CWE-789: Memory Allocation with Excessive Size Value", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/SixLabors/ImageSharp/security/advisories/GHSA-qxrv-gp6x-rc23", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/SixLabors/ImageSharp/security/advisories/GHSA-qxrv-gp6x-rc23"}, {"name": "https://github.com/SixLabors/ImageSharp/pull/2759", "tags": ["x_refsource_MISC"], "url": "https://github.com/SixLabors/ImageSharp/pull/2759"}, {"name": "https://github.com/SixLabors/ImageSharp/pull/2764", "tags": ["x_refsource_MISC"], "url": "https://github.com/SixLabors/ImageSharp/pull/2764"}, {"name": "https://github.com/SixLabors/ImageSharp/pull/2770", "tags": ["x_refsource_MISC"], "url": "https://github.com/SixLabors/ImageSharp/pull/2770"}, {"name": "https://github.com/SixLabors/ImageSharp/commit/59de13c8cc47f2b402e2c43aa7024511d029d515", "tags": ["x_refsource_MISC"], "url": "https://github.com/SixLabors/ImageSharp/commit/59de13c8cc47f2b402e2c43aa7024511d029d515"}, {"name": "https://github.com/SixLabors/ImageSharp/commit/9816ca45016c5d3859986f3c600e8934bc450a56", "tags": ["x_refsource_MISC"], "url": "https://github.com/SixLabors/ImageSharp/commit/9816ca45016c5d3859986f3c600e8934bc450a56"}, {"name": "https://github.com/SixLabors/ImageSharp/commit/b496109051cc39feee1f6cde48fca6481de17f9a", "tags": ["x_refsource_MISC"], "url": "https://github.com/SixLabors/ImageSharp/commit/b496109051cc39feee1f6cde48fca6481de17f9a"}, {"name": "https://docs.sixlabors.com/articles/imagesharp.web/processingcommands.html#securing-processing-commands", "tags": ["x_refsource_MISC"], "url": "https://docs.sixlabors.com/articles/imagesharp.web/processingcommands.html#securing-processing-commands"}, {"name": "https://docs.sixlabors.com/articles/imagesharp/security.html", "tags": ["x_refsource_MISC"], "url": "https://docs.sixlabors.com/articles/imagesharp/security.html"}], "affected": [{"vendor": "SixLabors", "product": "ImageSharp", "versions": [{"version": "< 2.1.9", "status": "affected"}, {"version": ">= 3.0.0, < 3.1.5", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-07-22T14:28:25.348Z"}, "descriptions": [{"lang": "en", "value": "ImageSharp is a 2D graphics API. A vulnerability discovered in the ImageSharp library, where the processing of specially crafted files can lead to excessive memory usage in the Gif decoder. The vulnerability is triggered when ImageSharp attempts to process image files that are designed to exploit this flaw. All users are advised to upgrade to v3.1.5 or v2.1.9."}], "source": {"advisory": "GHSA-qxrv-gp6x-rc23", "discovery": "UNKNOWN"}}, "adp": [{"affected": [{"vendor": "sixlabors", "product": "imagesharp", "cpes": ["cpe:2.3:a:sixlabors:imagesharp:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "2.1.9", "versionType": "custom"}, {"version": "3.0.0", "status": "affected", "lessThan": "3.1.5", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-07-24T16:48:46.097607Z", "id": "CVE-2024-41132", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-24T16:49:43.578Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T04:46:52.026Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/SixLabors/ImageSharp/security/advisories/GHSA-qxrv-gp6x-rc23", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/SixLabors/ImageSharp/security/advisories/GHSA-qxrv-gp6x-rc23"}, {"name": "https://github.com/SixLabors/ImageSharp/pull/2759", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/SixLabors/ImageSharp/pull/2759"}, {"name": "https://github.com/SixLabors/ImageSharp/pull/2764", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/SixLabors/ImageSharp/pull/2764"}, {"name": "https://github.com/SixLabors/ImageSharp/pull/2770", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/SixLabors/ImageSharp/pull/2770"}, {"name": "https://github.com/SixLabors/ImageSharp/commit/59de13c8cc47f2b402e2c43aa7024511d029d515", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/SixLabors/ImageSharp/commit/59de13c8cc47f2b402e2c43aa7024511d029d515"}, {"name": "https://github.com/SixLabors/ImageSharp/commit/9816ca45016c5d3859986f3c600e8934bc450a56", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/SixLabors/ImageSharp/commit/9816ca45016c5d3859986f3c600e8934bc450a56"}, {"name": "https://github.com/SixLabors/ImageSharp/commit/b496109051cc39feee1f6cde48fca6481de17f9a", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/SixLabors/ImageSharp/commit/b496109051cc39feee1f6cde48fca6481de17f9a"}, {"name": "https://docs.sixlabors.com/articles/imagesharp.web/processingcommands.html#securing-processing-commands", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://docs.sixlabors.com/articles/imagesharp.web/processingcommands.html#securing-processing-commands"}, {"name": "https://docs.sixlabors.com/articles/imagesharp/security.html", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://docs.sixlabors.com/articles/imagesharp/security.html"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/SixLabors/ImageSharp/security/advisories/GHSA-qxrv-gp6x-rc23", "name": "https://github.com/SixLabors/ImageSharp/security/advisories/GHSA-qxrv-gp6x-rc23", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/SixLabors/ImageSharp/pull/2759", "name": "https://github.com/SixLabors/ImageSharp/pull/2759", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/SixLabors/ImageSharp/pull/2764", "name": "https://github.com/SixLabors/ImageSharp/pull/2764", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/SixLabors/ImageSharp/pull/2770", "name": "https://github.com/SixLabors/ImageSharp/pull/2770", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/SixLabors/ImageSharp/commit/59de13c8cc47f2b402e2c43aa7024511d029d515", "name": "https://github.com/SixLabors/ImageSharp/commit/59de13c8cc47f2b402e2c43aa7024511d029d515", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/SixLabors/ImageSharp/commit/9816ca45016c5d3859986f3c600e8934bc450a56", "name": "https://github.com/SixLabors/ImageSharp/commit/9816ca45016c5d3859986f3c600e8934bc450a56", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/SixLabors/ImageSharp/commit/b496109051cc39feee1f6cde48fca6481de17f9a", "name": "https://github.com/SixLabors/ImageSharp/commit/b496109051cc39feee1f6cde48fca6481de17f9a", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://docs.sixlabors.com/articles/imagesharp.web/processingcommands.html#securing-processing-commands", "name": "https://docs.sixlabors.com/articles/imagesharp.web/processingcommands.html#securing-processing-commands", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://docs.sixlabors.com/articles/imagesharp/security.html", "name": "https://docs.sixlabors.com/articles/imagesharp/security.html", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T04:46:52.026Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-41132", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-07-24T16:48:46.097607Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:sixlabors:imagesharp:*:*:*:*:*:*:*:*"], "vendor": "sixlabors", "product": "imagesharp", "versions": [{"status": "affected", "version": "0", "lessThan": "2.1.9", "versionType": "custom"}, {"status": "affected", "version": "3.0.0", "lessThan": "3.1.5", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-24T16:49:38.295Z"}}], "cna": {"title": "SixLabors ImageSharp Allows Excessive Memory Allocation in Gif Decoder", "source": {"advisory": "GHSA-qxrv-gp6x-rc23", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "SixLabors", "product": "ImageSharp", "versions": [{"status": "affected", "version": "< 2.1.9"}, {"status": "affected", "version": ">= 3.0.0, < 3.1.5"}]}], "references": [{"url": "https://github.com/SixLabors/ImageSharp/security/advisories/GHSA-qxrv-gp6x-rc23", "name": "https://github.com/SixLabors/ImageSharp/security/advisories/GHSA-qxrv-gp6x-rc23", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/SixLabors/ImageSharp/pull/2759", "name": "https://github.com/SixLabors/ImageSharp/pull/2759", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/SixLabors/ImageSharp/pull/2764", "name": "https://github.com/SixLabors/ImageSharp/pull/2764", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/SixLabors/ImageSharp/pull/2770", "name": "https://github.com/SixLabors/ImageSharp/pull/2770", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/SixLabors/ImageSharp/commit/59de13c8cc47f2b402e2c43aa7024511d029d515", "name": "https://github.com/SixLabors/ImageSharp/commit/59de13c8cc47f2b402e2c43aa7024511d029d515", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/SixLabors/ImageSharp/commit/9816ca45016c5d3859986f3c600e8934bc450a56", "name": "https://github.com/SixLabors/ImageSharp/commit/9816ca45016c5d3859986f3c600e8934bc450a56", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/SixLabors/ImageSharp/commit/b496109051cc39feee1f6cde48fca6481de17f9a", "name": "https://github.com/SixLabors/ImageSharp/commit/b496109051cc39feee1f6cde48fca6481de17f9a", "tags": ["x_refsource_MISC"]}, {"url": "https://docs.sixlabors.com/articles/imagesharp.web/processingcommands.html#securing-processing-commands", "name": "https://docs.sixlabors.com/articles/imagesharp.web/processingcommands.html#securing-processing-commands", "tags": ["x_refsource_MISC"]}, {"url": "https://docs.sixlabors.com/articles/imagesharp/security.html", "name": "https://docs.sixlabors.com/articles/imagesharp/security.html", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "ImageSharp is a 2D graphics API. A vulnerability discovered in the ImageSharp library, where the processing of specially crafted files can lead to excessive memory usage in the Gif decoder. The vulnerability is triggered when ImageSharp attempts to process image files that are designed to exploit this flaw. All users are advised to upgrade to v3.1.5 or v2.1.9."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-789", "description": "CWE-789: Memory Allocation with Excessive Size Value"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-07-22T14:28:25.348Z"}}}, "cveMetadata": {"cveId": "CVE-2024-41132", "state": "PUBLISHED", "dateUpdated": "2024-08-02T04:46:52.026Z", "dateReserved": "2024-07-15T15:53:28.324Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-07-22T14:28:25.348Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sixlabors:imagesharp:*:*:*:*:*:*:*:*", "matchCriteriaId": "31448E6E-6851-4531-A627-96FFEB568E92", "versionEndExcluding": "2.1.9", "versionStartIncluding": "2.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:sixlabors:imagesharp:*:*:*:*:*:*:*:*", "matchCriteriaId": "385975D3-74DE-436B-8D5E-612F3F3757AD", "versionEndExcluding": "3.1.5", "versionStartIncluding": "3.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "ImageSharp is a 2D graphics API. A vulnerability discovered in the ImageSharp library, where the processing of specially crafted files can lead to excessive memory usage in the Gif decoder. The vulnerability is triggered when ImageSharp attempts to process image files that are designed to exploit this flaw. All users are advised to upgrade to v3.1.5 or v2.1.9."}, {"lang": "es", "value": " ImageSharp es una API de gr\u00e1ficos 2D. Una vulnerabilidad descubierta en la librer\u00eda ImageSharp, donde el procesamiento de archivos especialmente manipulados puede provocar un uso excesivo de memoria en el decodificador Gif. La vulnerabilidad se activa cuando ImageSharp intenta procesar archivos de imagen dise\u00f1ados para explotar este fallo. Se recomienda a todos los usuarios que actualicen a v3.1.5 o v2.1.9."}], "id": "CVE-2024-41132", "lastModified": "2024-09-11T15:03:52.927", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-07-22T15:15:04.160", "references": [{"source": "security-advisories@github.com", "tags": ["Product"], "url": "https://docs.sixlabors.com/articles/imagesharp.web/processingcommands.html#securing-processing-commands"}, {"source": "security-advisories@github.com", "tags": ["Product"], "url": "https://docs.sixlabors.com/articles/imagesharp/security.html"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/SixLabors/ImageSharp/commit/59de13c8cc47f2b402e2c43aa7024511d029d515"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/SixLabors/ImageSharp/commit/9816ca45016c5d3859986f3c600e8934bc450a56"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/SixLabors/ImageSharp/commit/b496109051cc39feee1f6cde48fca6481de17f9a"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking"], "url": "https://github.com/SixLabors/ImageSharp/pull/2759"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking"], "url": "https://github.com/SixLabors/ImageSharp/pull/2764"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking"], "url": "https://github.com/SixLabors/ImageSharp/pull/2770"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/SixLabors/ImageSharp/security/advisories/GHSA-qxrv-gp6x-rc23"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-770"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-789"}], "source": "security-advisories@github.com", "type": "Secondary"}]}