GHSA-g4m4-9q4c-mfw6

Source
https://github.com/advisories/GHSA-g4m4-9q4c-mfw6
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/07/GHSA-g4m4-9q4c-mfw6/GHSA-g4m4-9q4c-mfw6.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-g4m4-9q4c-mfw6
Published
2024-07-16T19:32:22Z
Modified
2024-12-01T05:35:40.451818Z
Severity
  • 7.1 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H
  • 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Summary
Fiona affected by CVE-2020-14152 in libjpeg (a transitive dependency via GDAL and PROJ)
Details

Summary

Vulnerability scan of fiona shows CVE-2020-14152. The vulnerability is in libjpeg, a transitive dependency of fiona (via GDAL and PROJ).

Details

In IJG JPEG (aka libjpeg) before 9d, jpeg_mem_available() in jmemnobs.c in djpeg does not honor the max_memory_to_use setting, possibly causing excessive memory consumption.
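To make the failure mode concrete, the following is an added example (not libjpeg's or fiona's own code) that models the one decision the CVE text describes: the memory manager asks jpeg_mem_available() how much it may allocate, and a version that ignores max_memory_to_use answers with whatever the input file needs. The struct, the function names and the decode decision are a deliberately simplified stand-in for the real jmemnobs.c/jmemmgr.c logic; only the contrast between "ignore the limit" and "honor the limit" is the point. A 65535 x 65535 pixel header (the maximum a JPEG can claim) asks for roughly 12 GB, and the vulnerable variant grants it against a 256 MiB budget.

```c
#include <stdio.h>
#include <stdlib.h>
#include <limits.h>

/* Hypothetical, simplified stand-in for the fields of libjpeg's memory
 * manager that matter here (not the library's real struct). */
typedef struct {
    long long max_memory_to_use;     /* 0 means "no limit", as in libjpeg */
    long long total_space_allocated;
} mem_ctx;

typedef long long (*avail_fn)(const mem_ctx *, long long, long long);

/* Pre-9d behaviour as the advisory describes it: the function answers
 * "max_bytes_needed" no matter what limit the caller configured. */
static long long mem_available_vulnerable(const mem_ctx *m,
                                          long long min_bytes_needed,
                                          long long max_bytes_needed)
{
    (void)m;
    (void)min_bytes_needed;
    return max_bytes_needed;
}

/* Corrected behaviour: never promise more than the configured limit
 * minus what has already been handed out. */
static long long mem_available_fixed(const mem_ctx *m,
                                     long long min_bytes_needed,
                                     long long max_bytes_needed)
{
    (void)min_bytes_needed;
    if (m->max_memory_to_use == 0)
        return max_bytes_needed;            /* no limit configured */
    if (m->max_memory_to_use > m->total_space_allocated)
        return m->max_memory_to_use - m->total_space_allocated;
    return 0;
}

/* Bytes a full-image buffer needs for width x height pixels with `comps`
 * 8-bit components; a JPEG header can claim up to 65535 x 65535.
 * Returns -1 if the product would overflow. */
long long image_bytes_needed(unsigned width, unsigned height, unsigned comps)
{
    unsigned long long n;
    if (width == 0 || height == 0 || comps == 0)
        return 0;
    n = (unsigned long long)width * height * comps;
    if (n > (unsigned long long)LLONG_MAX)
        return -1;
    return (long long)n;
}

/* Model of the allocation decision when there is no backing store
 * (the jmemnobs case): 1 = request granted and memory allocated,
 * 0 = request refused because it exceeds what is available. */
static int decide(const mem_ctx *m, long long needed, avail_fn f)
{
    if (needed < 0)
        return 0;
    return f(m, needed, needed) >= needed ? 1 : 0;
}

/* Convenience wrapper: configured limit, bytes already allocated, bytes
 * the file asks for, and which variant to consult (use_fix != 0 -> fixed). */
int check_decode(long long limit, long long already, long long needed, int use_fix)
{
    mem_ctx m = { limit, already };
    return decide(&m, needed, use_fix ? mem_available_fixed : mem_available_vulnerable);
}

int main(void)
{
    const long long limit = 256LL * 1024 * 1024;             /* 256 MiB budget */
    long long huge = image_bytes_needed(65535, 65535, 3);    /* ~12 GB */
    long long normal = image_bytes_needed(1920, 1080, 3);    /* ~6 MB */

    printf("crafted 65535x65535 image, vulnerable: %s\n",
           check_decode(limit, 0, huge, 0) ? "allocates" : "refuses");
    printf("crafted 65535x65535 image, fixed:      %s\n",
           check_decode(limit, 0, huge, 1) ? "allocates" : "refuses");
    printf("ordinary 1920x1080 image, fixed:       %s\n",
           check_decode(limit, 0, normal, 1) ? "allocates" : "refuses");
    return 0;
}
```

In real libjpeg the budget modelled by `max_memory_to_use` is what djpeg's `-maxmemory` option (or the JPEGMEM environment variable) sets; the point of the model is that before 9d this setting was not consulted on the jmemnobs path, so the only cap on a crafted file's allocation was the process's own limits. Note also that even the fixed variant grants any size when no limit is configured, which is libjpeg's documented default, so deployments that rely on this setting have to set it explicitly.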

Impact

fiona does not open JPEG files itself, so it is not exposed through that path. It could in principle be exposed through a malformed PROJ grid file that uses JPEG compression, but no such vulnerability or compromise has been demonstrated.

Database specific
{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-400"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2024-07-16T19:32:22Z"
}
References

Affected packages

PyPI / fiona

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.10b2

Affected versions

0.*

0.5
0.6
0.6.1
0.6.2
0.7
0.8
0.9
0.9.1
0.10
0.12
0.12.1
0.13
0.14
0.15
0.16
0.16.1

1.*

1.0
1.0.1
1.0.2
1.0.3
1.1
1.1.1
1.1.2
1.1.3
1.1.4
1.1.5
1.1.6
1.2.0
1.3.0
1.4.0
1.4.1
1.4.2
1.4.3
1.4.4
1.4.5
1.4.6
1.4.7
1.4.8
1.5.0
1.5.1
1.6.0
1.6.1
1.6.2
1.6.3
1.6.3.post1
1.6.4
1.7.0
1.7.0.post1
1.7.0.post2
1.7.1
1.7.1.post1
1.7.2
1.7.3
1.7.4
1.7.5
1.7.6
1.7.7
1.7.8
1.7.9
1.7.9.post1
1.7.10
1.7.10.post1
1.7.11
1.7.11.post1
1.7.11.post2
1.7.12
1.7.13
1.8b1
1.8b2
1.8rc1
1.8.0
1.8.1
1.8.2
1.8.3
1.8.4
1.8.5
1.8.6
1.8.7
1.8.8
1.8.9
1.8.9.post1
1.8.9.post2
1.8.10
1.8.11
1.8.12
1.8.13
1.8.13.post1
1.8.14
1.8.15
1.8.16
1.8.17
1.8.18
1.8.19
1.8.20
1.8.21
1.8.22
1.9a1
1.9a2
1.9a3
1.9b1
1.9b2
1.9.0
1.9.1
1.9.2
1.9.3
1.9.4
1.9.4.post1
1.9.5
1.9.6
1.10a1
1.10a2
1.10b1