CVE-2024-41132

SixLabors ImageSharp Allows Excessive Memory Allocation in Gif Decoder

Severity Score

5.3

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Attend

*SSVC

Descriptions

ImageSharp is a 2D graphics API. A vulnerability discovered in the ImageSharp library, where the processing of specially crafted files can lead to excessive memory usage in the Gif decoder. The vulnerability is triggered when ImageSharp attempts to process image files that are designed to exploit this flaw. All users are advised to upgrade to v3.1.5 or v2.1.9.

ImageSharp es una API de gráficos 2D. Una vulnerabilidad descubierta en la librería ImageSharp, donde el procesamiento de archivos especialmente manipulados puede provocar un uso excesivo de memoria en el decodificador Gif. La vulnerabilidad se activa cuando ImageSharp intenta procesar archivos de imagen diseñados para explotar este fallo. Se recomienda a todos los usuarios que actualicen a v3.1.5 o v2.1.9.

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

Low

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

None

Integrity

None

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:Attend

Exploitation

None

Automatable

Yes

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-07-15 CVE Reserved
2024-07-22 CVE Published
2024-08-02 CVE Updated
2024-09-12 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-789: Memory Allocation with Excessive Size Value

CAPEC

References (9)

URL	Tag	Source
https://docs.sixlabors.com/articles/imagesharp.web/processingcommands.html#securing-processing-commands	X_refsource_misc
https://docs.sixlabors.com/articles/imagesharp/security.html	X_refsource_misc
https://github.com/SixLabors/ImageSharp/commit/59de13c8cc47f2b402e2c43aa7024511d029d515	X_refsource_misc
https://github.com/SixLabors/ImageSharp/commit/9816ca45016c5d3859986f3c600e8934bc450a56	X_refsource_misc
https://github.com/SixLabors/ImageSharp/commit/b496109051cc39feee1f6cde48fca6481de17f9a	X_refsource_misc
https://github.com/SixLabors/ImageSharp/pull/2759	X_refsource_misc
https://github.com/SixLabors/ImageSharp/pull/2764	X_refsource_misc
https://github.com/SixLabors/ImageSharp/pull/2770	X_refsource_misc
https://github.com/SixLabors/ImageSharp/security/advisories/GHSA-qxrv-gp6x-rc23	X_refsource_confirm

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
SixLabors Search vendor "SixLabors"		ImageSharp Search vendor "SixLabors" for product "ImageSharp"				< 2.1.9 Search vendor "SixLabors" for product "ImageSharp" and version " < 2.1.9"		en		Affected
SixLabors Search vendor "SixLabors"		ImageSharp Search vendor "SixLabors" for product "ImageSharp"				>= 3.0.0 < 3.1.5 Search vendor "SixLabors" for product "ImageSharp" and version " >= 3.0.0 < 3.1.5"		en		Affected