
Request for Issue: Heap-based Buffer Overflow vulnerability in sharp

Open camgrimsec opened this issue 10 months ago • 0 comments

Introduction: This is a request to address a vulnerability in the sharp package, specifically related to a Heap-based Buffer Overflow. This vulnerability is identified with a CVSS score of 9.6 (Critical Severity) by Snyk and 8.8 (High Severity) by NVD.

Details: The vulnerability is introduced through @tryghost/[email protected] and affects versions of sharp prior to 0.32.6.

Exploit Maturity: The exploit maturity is identified as Mature.

Detailed Paths and Remediation:

Introduced through: @tryghost/[email protected] › @tryghost/[email protected][email protected]. Fix: Upgrade to @tryghost/[email protected].
Introduced through: @tryghost/[email protected] › @tryghost/[email protected] › @tryghost/[email protected][email protected]. Fix: Upgrade to @tryghost/[email protected].

Security Information:

Snyk: CVSS 9.6 - Critical Severity
NVD: CVSS 8.8 - High Severity

Overview: sharp is a high-performance Node.js image processing module, the fastest module to resize JPEG, PNG, WebP, GIF, AVIF, and TIFF images.

Vulnerability Description: Affected versions of this package are vulnerable to a Heap-based Buffer Overflow when the ReadHuffmanCodes() function is used. An attacker can exploit this vulnerability by crafting a special WebP lossless file that triggers the ReadHuffmanCodes() function, leading to a heap-based buffer overflow. This vulnerability can potentially allow arbitrary code execution.

Remediation: Upgrade to version 0.32.6 or later of sharp to fix this vulnerability. Additionally, upgrade @tryghost/mg-fs-utils to versions 0.12.18 or 0.12.14 as indicated for the respective paths.

Proposed Changes: Create an issue in the project repository to track the resolution of this vulnerability. This issue should outline the steps needed to mitigate the vulnerability, including upgrading sharp and @tryghost/mg-fs-utils to the recommended versions.

Changelog:

2023-09-12: Initial advisory publication
2023-09-27: Advisory details updated, including CVSS, references
2023-09-27: CVE-2023-5129 rejected as a duplicate of CVE-2023-4863
2023-09-28: Research and addition of additional affected libraries
2024-01-28: Additional fix information

camgrimsec · Mar 30 '24 09:03
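The "Introduced through" paths and the remediation advice above amount to a dependency-tree audit: find every route by which the project pulls in a sharp release older than 0.32.6. The following is an added example, not code from this issue or from the sharp or @tryghost projects. It walks a tree shaped like the output of `npm ls --all --json` (npm 7+) and prints each path that ends in a vulnerable sharp. The sample tree, including the mg-fs-utils version numbers in it, is constructed for illustration and does not describe any real release.

```javascript
// Added example: audit an `npm ls --all --json` style tree for sharp < 0.32.6.
// Not part of the issue above; the tree below is constructed test data.

// Minimal MAJOR.MINOR.PATCH comparison; prerelease suffixes are ignored.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// First fixed sharp release named in the advisory.
const FIXED_SHARP = '0.32.6';

// Recursively collect "pkg@ver › pkg@ver › sharp@ver" strings for every
// occurrence of sharp whose version is below FIXED_SHARP.
function findVulnerableSharpPaths(tree, trail = [], out = []) {
  const deps = tree.dependencies || {};
  for (const [name, node] of Object.entries(deps)) {
    const path = [...trail, `${name}@${node.version}`];
    if (name === 'sharp' && compareVersions(node.version, FIXED_SHARP) < 0) {
      out.push(path.join(' › '));
    }
    findVulnerableSharpPaths(node, path, out);
  }
  return out;
}

// Constructed sample tree (versions are illustrative, not real releases).
const sampleTree = {
  name: 'migrate',
  version: '0.0.0',
  dependencies: {
    '@tryghost/mg-fs-utils': {
      version: '0.12.13',
      dependencies: { sharp: { version: '0.32.5' } },
    },
    '@tryghost/mg-assetscraper': {
      version: '0.1.0',
      dependencies: {
        '@tryghost/mg-fs-utils': {
          version: '0.12.17',
          dependencies: { sharp: { version: '0.32.5' } },
        },
      },
    },
    'some-other-lib': {
      version: '1.0.0',
      dependencies: { sharp: { version: '0.32.6' } }, // already fixed, not reported
    },
  },
};

// Usage: pipe real output in with `npm ls --all --json > tree.json` and pass
// JSON.parse(fs.readFileSync('tree.json')) instead of sampleTree.
for (const p of findVulnerableSharpPaths(sampleTree)) {
  console.log('vulnerable sharp via:', p);
}
```

Only paths ending in a sharp below 0.32.6 are reported, so the run on the sample prints two lines and stays silent about the already-fixed copy under `some-other-lib`; that mirrors the two "Introduced through" entries in the issue, with the fix being to lift every reported path to the patched @tryghost/mg-fs-utils and sharp releases.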
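The vulnerability description says the affected code path is reached by a WebP lossless file. A defender who cannot upgrade immediately may want to know which uploads are lossless WebP at all, since those are the inputs that reach the lossless decoder. The following is an added example, not code from this issue or from sharp: it reads the RIFF container, walks its chunks, and reports whether a `VP8L` (lossless) chunk is present, including the extended `VP8X` layout where `VP8L` appears after other chunks. The sample files are constructed in the code; the idea of quarantining lossless WebP as an interim measure is this example's assumption, not advice given in the issue.

```javascript
// Added example: identify WebP files that carry a lossless (VP8L) bitstream.
// Not part of the issue above; sample buffers are constructed below.

// Returns { isWebP, lossless }. A WebP file is a RIFF container whose form
// type is 'WEBP'; image data lives in a 'VP8 ' (lossy) or 'VP8L' (lossless)
// chunk, either first or, in the extended 'VP8X' layout, after other chunks.
function classifyWebP(buf) {
  if (buf.length < 16 ||
      buf.toString('ascii', 0, 4) !== 'RIFF' ||
      buf.toString('ascii', 8, 12) !== 'WEBP') {
    return { isWebP: false, lossless: false };
  }
  let offset = 12;
  while (offset + 8 <= buf.length) {
    const fourcc = buf.toString('ascii', offset, offset + 4);
    const size = buf.readUInt32LE(offset + 4);
    if (fourcc === 'VP8L') return { isWebP: true, lossless: true };
    // RIFF chunk payloads are padded to an even number of bytes.
    offset += 8 + size + (size & 1);
  }
  return { isWebP: true, lossless: false };
}

// Helpers to build constructed sample files (not real image data).
function riffChunk(fourcc, payload) {
  const header = Buffer.alloc(8);
  header.write(fourcc, 0, 4, 'ascii');
  header.writeUInt32LE(payload.length, 4);
  const pad = payload.length & 1 ? Buffer.alloc(1) : Buffer.alloc(0);
  return Buffer.concat([header, payload, pad]);
}

function webpFile(chunks) {
  const body = Buffer.concat([Buffer.from('WEBP', 'ascii'), ...chunks]);
  const head = Buffer.alloc(8);
  head.write('RIFF', 0, 4, 'ascii');
  head.writeUInt32LE(body.length, 4);
  return Buffer.concat([head, body]);
}

// Constructed samples: a simple lossless file, a simple lossy file, an
// extended file whose VP8L chunk follows VP8X, and a non-WebP (PNG) header.
const losslessSample = webpFile([riffChunk('VP8L', Buffer.from([0x2f, 0, 0, 0, 0]))]);
const lossySample = webpFile([riffChunk('VP8 ', Buffer.alloc(10))]);
const extendedLossless = webpFile([
  riffChunk('VP8X', Buffer.alloc(10)),
  riffChunk('VP8L', Buffer.from([0x2f, 0, 0, 0, 0])),
]);
const notWebP = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]);

for (const [name, sample] of Object.entries({ losslessSample, lossySample, extendedLossless, notWebP })) {
  console.log(name, classifyWebP(sample));
}
```

The check only looks at container structure, so it is cheap enough to run on every upload before the image library sees it; it says nothing about whether a given lossless file is malformed, which is exactly why the real fix remains upgrading sharp to 0.32.6 or later.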