GitHub Advisory DatabaseGHSA-G4M4-9Q4C-MFW6Fiona affected by CVE-2020-14152 related to madler-zlib
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:N/A:P
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H
AI Score
Confidence
High
Summary
Vulnerability scan of fiona shows CVE-2020-14152. The vulnerability is in libjpeg, a transitive dependency of fiona (via GDAL and PROJ).
Details
In IJG JPEG (aka libjpeg) before 9d, jpeg_mem_available() in jmemnobs.c in djpeg does not honor the max_memory_to_use setting, possibly causing excessive memory consumption.
Impact
fiona will not open JPEG files and is not vulnerable to attack in that way. fiona might be vulnerable to malformed PROJ grid files using JPEG compression. No such vulnerability or compromise has been demonstrated.
Affected configurations
References
github.com/advisories/GHSA-g4m4-9q4c-mfw6
github.com/libjpeg-turbo/libjpeg-turbo/commit/da2a27ef056a0179cbd80f9146e58b89403d9933
github.com/libjpeg-turbo/libjpeg-turbo/issues/500
github.com/OSGeo/gdal/commit/075480a3cba13c9dd2ab4e39e92d6147a6c98eca
github.com/Toblerity/Fiona/commit/07708211726e276e22dedb9cd567b4f6a7b8c809
github.com/Toblerity/Fiona/security/advisories/GHSA-g4m4-9q4c-mfw6
nvd.nist.gov/vuln/detail/CVE-2020-14152
Related
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:N/A:P
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H
AI Score
Confidence
High