CVE-2024-32036

SixLabors.ImageSharp vulnerable to data leakage

Severity Score

5.3

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

ImageSharp is a 2D graphics API. A data leakage flaw was found in ImageSharp's JPEG and TGA decoders. This vulnerability is triggered when an attacker passes a specially crafted JPEG or TGA image file to a software using ImageSharp, potentially disclosing sensitive information from other parts of the software in the resulting image buffer. The problem has been patched in v3.1.4 and v2.1.8.

ImageSharp es una API de gráficos 2D. Se encontró una falla de heap-use-after-free en los decodificadores JPEG y TGA de ImageSharp. Esta vulnerabilidad se activa cuando un atacante pasa un archivo de imagen JPEG o TGA especialmente manipulado a ImageSharp para su conversión, lo que podría provocar la divulgación de información. El problema se solucionó en v3.1.4 y v2.1.8.

*Credits: N/A

CVSS Scores

GitHubv3.1 5.3

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-04-09 CVE Reserved
2024-04-15 CVE Published
2024-04-16 EPSS Updated
2024-08-02 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-226: Sensitive Information in Resource Not Removed Before Reuse

CAPEC

References (3)

URL	Tag	Source
https://github.com/SixLabors/ImageSharp/commit/8f0b4d3e680e78d479a88e7b1472bccd8f096d68	X_refsource_misc
https://github.com/SixLabors/ImageSharp/commit/da5f09a42513489fe359578d81cec2f15ba588ba	X_refsource_misc
https://github.com/SixLabors/ImageSharp/security/advisories/GHSA-5x7m-6737-26cr	X_refsource_confirm

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
SixLabors Search vendor "SixLabors"		ImageSharp Search vendor "SixLabors" for product "ImageSharp"				< 2.1.8 Search vendor "SixLabors" for product "ImageSharp" and version " < 2.1.8"		en		Affected
SixLabors Search vendor "SixLabors"		ImageSharp Search vendor "SixLabors" for product "ImageSharp"				>= 3.0.0 < 3.1.4 Search vendor "SixLabors" for product "ImageSharp" and version " >= 3.0.0 < 3.1.4"		en		Affected