Lookup for vulnerable packages by Package URL.

Purl pkg:nuget/Imageflow.NativeRuntime.ubuntu_18_04-x86_64-haswell@1.1.0-rc18
Type nuget
Namespace
Name Imageflow.NativeRuntime.ubuntu_18_04-x86_64-haswell
Version 1.1.0-rc18
Qualifiers
Subpath
Is_vulnerable true
Next_non_vulnerable_version 2.0.0-preview8
Latest_non_vulnerable_version 2.0.0-preview8
Affected_by_vulnerabilities
0
url VCID-vcz4-8rd8-quh4
vulnerability_id VCID-vcz4-8rd8-quh4
summary
Imageflow affected by libwebp zero-day and should not be used with malicious source images.
### Impact

This vulnerability affects deployments of Imageflow that decode or process malicious source .webp files. If you only process your own trusted files, this should not affect you (but you should update anyway).

Imageflow relies on Google's libwebp library to decode .webp images, and is affected by the recent zero-day out-of-bounds write vulnerability [CVE-2023-4863](https://nvd.nist.gov/vuln/detail/CVE-2023-4863) ([GHSA-j7hp-h8jx-5ppr](https://github.com/advisories/GHSA-j7hp-h8jx-5ppr)). The libwebp vulnerability also affects Chrome, Android, macOS, and other consumers of the library.

libwebp patched [the vulnerability](https://github.com/webmproject/libwebp/commit/2af26267cdfcb63a88e5c74a85927a12d6ca1d76) and released [1.3.2](https://github.com/webmproject/libwebp/releases/tag/v1.3.2).

This was patched in [libwebp-sys in 0.9.3 and 0.9.4](https://github.com/NoXF/libwebp-sys/commits/master).

**[Imageflow v2.0.0-preview8](https://github.com/imazen/imageflow/releases/tag/v2.0.0-preview8) uses the patched version of libwebp as well as updated versions of all dependencies.**

Note: preview 8 requires libc 2.31 or higher on Linux and macOS 11 or higher. These restrictions come from the oldest versions of those platforms that are still supported (which is reflected in the GitHub Actions build matrix).

### Patches

**Imageflow v2.0.0-preview8 uses the patched version (v1.3.2) of libwebp and libwebp-sys 0.9.4.**

**Imageflow.AllPlatforms 0.10.2 is patched.**

**Imageflow.Server v0.8.2 is patched.**

**ImageResizer.Plugins.Imageflow 5.0.12 is patched.**

### Workarounds

Disable webp decoding using `EnabledCodecs::disable_decoder(NamedDecoders::WebPDecoder)` if using the Rust API.

Only files that meet the following criteria are passed to libwebp:

```rust
bytes.starts_with(b"RIFF") && bytes[8..12].starts_with(b"WEBP")
```

You can apply the same matching logic to block webp inputs in your language of choice.
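The gate below is an added example, not Imageflow's own code: it applies the RIFF/WEBP signature check quoted above to an untrusted buffer before any decoder sees it, and refuses inputs that would be routed to libwebp. It also guards the buffer length explicitly, since slicing `bytes[8..12]` on a truncated input would panic; the sample inputs are constructed byte strings, not real images.

```rust
// Added example (not Imageflow's code): a pre-decode gate that mirrors the
// RIFF/WEBP signature check from the advisory and blocks such inputs before
// they reach libwebp. Short buffers are handled so the check cannot panic.

/// Returns true when `bytes` carries the RIFF/WEBP container signature that
/// causes Imageflow to hand the input to libwebp (per the advisory).
pub fn looks_like_webp(bytes: &[u8]) -> bool {
    // Need at least 12 bytes: "RIFF" + 4-byte chunk size + "WEBP".
    bytes.len() >= 12 && bytes.starts_with(b"RIFF") && &bytes[8..12] == b"WEBP"
}

#[derive(Debug, PartialEq)]
pub enum Gate {
    Allowed,
    BlockedWebp,
}

/// Gate an untrusted image buffer: block anything the WebP decoder would accept.
pub fn gate_untrusted_image(bytes: &[u8]) -> Gate {
    if looks_like_webp(bytes) {
        Gate::BlockedWebp
    } else {
        Gate::Allowed
    }
}

fn main() {
    // Constructed sample inputs (not real image files).
    let webp = b"RIFF\x10\x00\x00\x00WEBPVP8 ".to_vec();     // WebP container header
    let png = b"\x89PNG\r\n\x1a\n".to_vec();                 // PNG signature
    let truncated = b"RIFF\x10\x00".to_vec();                // too short to carry "WEBP"
    let wave = b"RIFF\x10\x00\x00\x00WAVEfmt ".to_vec();     // RIFF, but not WebP

    let samples = [("webp", &webp), ("png", &png), ("truncated", &truncated), ("wave", &wave)];
    for &(name, data) in samples.iter() {
        println!("{}: {:?}", name, gate_untrusted_image(data));
    }
}
```

Only the WebP sample is blocked; the PNG, the truncated RIFF fragment and the RIFF/WAVE buffer pass through, which is the behaviour you want from a gate that targets exactly the inputs libwebp would be asked to decode.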

### References

https://github.com/advisories/GHSA-j7hp-h8jx-5ppr
https://nvd.nist.gov/vuln/detail/CVE-2023-4863
https://github.com/webmproject/libwebp/commit/2af26267cdfcb63a88e5c74a85927a12d6ca1d76
https://github.com/NoXF/libwebp-sys/commits/master
references
0
reference_url https://github.com/imazen/imageflow
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/imazen/imageflow
1
reference_url https://github.com/imazen/imageflow/commit/24894940403a8491fd6495759b8f996ea2da8ad8
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/imazen/imageflow/commit/24894940403a8491fd6495759b8f996ea2da8ad8
2
reference_url https://github.com/imazen/imageflow/security/advisories/GHSA-7vpr-3ppw-qrpj
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/imazen/imageflow/security/advisories/GHSA-7vpr-3ppw-qrpj
3
reference_url https://github.com/advisories/GHSA-7vpr-3ppw-qrpj
reference_id GHSA-7vpr-3ppw-qrpj
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-7vpr-3ppw-qrpj
fixed_packages
0
url pkg:nuget/Imageflow.NativeRuntime.ubuntu_18_04-x86_64-haswell@2.0.0-preview8
purl pkg:nuget/Imageflow.NativeRuntime.ubuntu_18_04-x86_64-haswell@2.0.0-preview8
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:nuget/Imageflow.NativeRuntime.ubuntu_18_04-x86_64-haswell@2.0.0-preview8
aliases GHSA-7vpr-3ppw-qrpj, GMS-2023-2705, GMS-2023-2706, GMS-2023-2707, GMS-2023-2708, GMS-2023-2709, GMS-2023-2710, GMS-2023-2711, GMS-2023-2712, GMS-2023-2713, GMS-2023-2714, GMS-2023-2715, GMS-2023-2716, GMS-2023-2717, GMS-2023-2718, GMS-2023-2719, GMS-2023-2720, GMS-2023-2721, GMS-2023-2722, GMS-2023-2723, GMS-2023-2724, GMS-2023-2725
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-vcz4-8rd8-quh4
Fixing_vulnerabilities
Risk_score 4.0
Resource_url http://public2.vulnerablecode.io/packages/pkg:nuget/Imageflow.NativeRuntime.ubuntu_18_04-x86_64-haswell@1.1.0-rc18