scriptex/rollup-mpa

CVE-2020-8175 (Medium) detected in jpeg-js-0.0.4.tgz, jpeg-js-0.3.7.tgz

Closed this issue · 0 comments

mend-bolt-for-github commented

CVE-2020-8175 - Medium Severity Vulnerability

Vulnerable Libraries - jpeg-js-0.0.4.tgz, jpeg-js-0.3.7.tgz

jpeg-js-0.0.4.tgz

A pure javascript JPEG encoder and decoder

Library home page: https://registry.npmjs.org/jpeg-js/-/jpeg-js-0.0.4.tgz

Path to dependency file: /tmp/ws-scm/rollup-mpa/package.json

Path to vulnerable library: /tmp/ws-scm/rollup-mpa/node_modules/save-pixels/node_modules/jpeg-js/package.json

Dependency Hierarchy:

  • rollup-plugin-sprite-0.1.2.tgz (Root Library)
    • spritesmith-3.4.0.tgz
      • pixelsmith-2.4.1.tgz
        • save-pixels-2.3.4.tgz
          • jpeg-js-0.0.4.tgz (Vulnerable Library)
jpeg-js-0.3.7.tgz

A pure javascript JPEG encoder and decoder

Library home page: https://registry.npmjs.org/jpeg-js/-/jpeg-js-0.3.7.tgz

Path to dependency file: /tmp/ws-scm/rollup-mpa/package.json

Path to vulnerable library: /tmp/ws-scm/rollup-mpa/node_modules/jpeg-js/package.json

Dependency Hierarchy:

  • rollup-plugin-sprite-0.1.2.tgz (Root Library)
    • spritesmith-3.4.0.tgz
      • pixelsmith-2.4.1.tgz
        • get-pixels-3.3.2.tgz
          • jpeg-js-0.3.7.tgz (Vulnerable Library)

Found in HEAD commit: 1a7521989b3ada35de3a187c8efbbe5d6e48a0d5

Vulnerability Details

Uncontrolled resource consumption in jpeg-js before 0.4.0 may allow attacker to launch denial of service attacks using specially a crafted JPEG image.

Publish Date: 2020-07-24

URL: CVE-2020-8175

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8175

Release Date: 2020-07-21

Fix Resolution: 0.4.0

Step up your Open Source Security Game with WhiteSource here