SB2024042413 - Multiple vulnerabilities in ImageSharp
Published: April 24, 2024
Description
This security bulletin contains information about 2 security vulnerabilities.
1) Uncontrolled Memory Allocation (CVE-ID: CVE-2024-32035)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a memory allocation with an excessive size value in SixLabors.ImageSharp. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.
2) Information disclosure (CVE-ID: CVE-2024-32036)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to buffers not cleared before reuse in SixLabors.ImageSharp. A remote attacker can gain unauthorized access to sensitive information on the system.
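The memory-allocation issue above is the general class of problem where a decoder trusts size fields in untrusted input. Updating to the patched release is the actual fix; the following is an added example (not from this bulletin and not SixLabors' own code) of the defence-in-depth an application that decodes untrusted images can apply regardless: cap the allocator, reject oversize dimensions from the header before any pixel buffer exists, and limit frame count. It assumes the SixLabors.ImageSharp 3.x API (`MemoryAllocatorOptions.AllocationLimitMegabytes`, `DecoderOptions.MaxFrames`, `Image.Identify`); the numeric limits are illustrative.

```csharp
// Added example, not part of the bulletin or of the ImageSharp project.
// Assumes SixLabors.ImageSharp 3.x; limits below are illustrative values.
using System;
using System.IO;
using SixLabors.ImageSharp;
using SixLabors.ImageSharp.Formats;
using SixLabors.ImageSharp.Memory;

public static class SafeImageDecoder
{
    // Hard ceilings for input the application does not control.
    private const int MaxWidth = 8192;
    private const int MaxHeight = 8192;
    private const int AllocationLimitMb = 256;

    private static readonly Configuration LimitedConfiguration = BuildConfiguration();

    private static Configuration BuildConfiguration()
    {
        // Clone the default configuration and cap the total memory the
        // library may allocate; an oversize request throws instead of
        // exhausting the process.
        Configuration config = Configuration.Default.Clone();
        config.MemoryAllocator = MemoryAllocator.Create(new MemoryAllocatorOptions
        {
            AllocationLimitMegabytes = AllocationLimitMb
        });
        return config;
    }

    public static Image Decode(Stream input)
    {
        var options = new DecoderOptions
        {
            Configuration = LimitedConfiguration,
            MaxFrames = 1 // decode only the first frame of animated formats
        };

        // Identify reads only the header, so the dimension check runs
        // before any pixel buffer is allocated.
        ImageInfo info = Image.Identify(options, input);
        if (info.Width > MaxWidth || info.Height > MaxHeight)
        {
            throw new InvalidDataException(
                $"Image {info.Width}x{info.Height} exceeds the allowed size.");
        }

        input.Position = 0;
        return Image.Load(options, input);
    }
}
```

Usage is `using Image img = SafeImageDecoder.Decode(uploadStream);` inside a try block that treats `InvalidDataException`, `UnknownImageFormatException` and `InvalidMemoryOperationException` as a rejected upload rather than a server error. The header check only bounds declared dimensions; the allocator limit is what stops a decoder from allocating more than the declared size implies, which is why both are used together.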
Remediation
Install the update from the vendor's website.
References
- https://github.com/SixLabors/ImageSharp/security/advisories/GHSA-g85r-6x2q-45w7
- https://github.com/SixLabors/ImageSharp/commit/b6b08ac3e7cea8da5ac1e90f7c0b67dd254535c3
- https://github.com/SixLabors/ImageSharp/commit/f21d64188e59ae9464ff462056a5e29d8e618b27
- https://docs.sixlabors.com/articles/imagesharp.web/processingcommands.html#securing-processing-commands
- https://docs.sixlabors.com/articles/imagesharp/security.html
- https://github.com/SixLabors/ImageSharp/security/advisories/GHSA-5x7m-6737-26cr
- https://github.com/SixLabors/ImageSharp/commit/8f0b4d3e680e78d479a88e7b1472bccd8f096d68
- https://github.com/SixLabors/ImageSharp/commit/da5f09a42513489fe359578d81cec2f15ba588ba