CVSS2: 7.5 High; Attack Vector: NETWORK; Attack Complexity: LOW; Authentication: NONE; Confidentiality Impact: PARTIAL; Integrity Impact: PARTIAL; Availability Impact: PARTIAL; Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS3: 9.8 High; Attack Vector: NETWORK; Attack Complexity: LOW; Privileges Required: NONE; User Interaction: NONE; Scope: UNCHANGED; Confidentiality Impact: HIGH; Integrity Impact: HIGH; Availability Impact: HIGH; Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AI Score: 9 High; Confidence: High
EPSS: 0.005 Low; Percentile: 77.6%
Software: libwebp 1.0.0
OS: ROSA Virtualization 2.1
package_evr_string: libwebp-1.0.0.0-8.rv3.src.rpm
CVE-ID: CVE-2020-36329
BDU-ID: 2021-03101
CVE-Crit: HIGH
CVE-DESC.: A vulnerability in the libwebp library for WebP image encoding and decoding is related to the use of memory after it has been freed (use-after-free). Exploitation of the vulnerability could allow an attacker acting remotely to execute arbitrary code by creating a specially crafted file.
CVE-STATUS: Fixed
CVE-REV: To close, run the yum update libwebp command
CVE-ID: CVE-2020-36330
BDU-ID: 2021-03104
CVE-Crit: MEDIUM
CVE-DESC.: A vulnerability in the libwebp library for WebP image encoding and decoding is related to reading beyond buffer boundaries in memory. Exploitation of the vulnerability could allow an attacker acting remotely to access sensitive information by creating a specially crafted file
CVE-STATUS: Resolved
CVE-REV: To close, run the yum update libwebp command
CVE-ID: CVE-2020-36331
BDU-ID: 2021-03105
CVE-Crit: MEDIUM
CVE-DESC.: A vulnerability in the libwebp library for WebP image encoding and decoding is related to reading beyond buffer boundaries in memory. Exploitation of the vulnerability could allow an attacker acting remotely to access sensitive information by creating a specially crafted file
CVE-STATUS: Resolved
CVE-REV: To close, run the yum update libwebp command
CVE-ID: CVE-2020-36332
BDU-ID: 2021-03107
CVE-Crit: MEDIUM
CVE-DESC.: A vulnerability in the libwebp library for WebP image encoding and decoding is associated with uncontrolled resource consumption. Exploitation of the vulnerability could allow an attacker acting remotely to cause a denial of service
CVE-STATUS: Resolved
CVE-REV: To close, run the yum update libwebp command
CVE-ID: CVE-2023-1999
BDU-ID: None
CVE-Crit: HIGH
CVE-DESC.: An attacker could use ApplyFiltersAndEncode() to loop through, freeing best.bw and assigning the pointer best = Trial. The second loop iteration would then return 0 due to a “Not enough memory” error in the VP8 encoder while the pointer is still assigned to Trial, and AddressSanitizer would attempt a double free.
CVE-STATUS: Fixed
CVE-REV: Run the yum update libwebp command to close it