sharp-0.29.3.tgz: 1 vulnerabilities (highest severity is: 6.7) - autoclosed
Closed this issue · 1 comments
Vulnerable Library - sharp-0.29.3.tgz
High performance Node.js image processing, the fastest module to resize JPEG, PNG, WebP, AVIF and TIFF images
Library home page: https://registry.npmjs.org/sharp/-/sharp-0.29.3.tgz
Found in HEAD commit: 0f996ffb9df1029c1a757c0161d57d02cd0cc908
Vulnerabilities
CVE | Severity | CVSS | Dependency | Type | Fixed in (sharp version) | Remediation Available |
---|---|---|---|---|---|---|
CVE-2022-29256 | Medium | 6.7 | sharp-0.29.3.tgz | Direct | 0.30.5 | ❌ |
Details
CVE-2022-29256
Vulnerable Library - sharp-0.29.3.tgz
High performance Node.js image processing, the fastest module to resize JPEG, PNG, WebP, AVIF and TIFF images
Library home page: https://registry.npmjs.org/sharp/-/sharp-0.29.3.tgz
Dependency Hierarchy:
- ❌ sharp-0.29.3.tgz (Vulnerable Library)
Found in HEAD commit: 0f996ffb9df1029c1a757c0161d57d02cd0cc908
Found in base branch: main
Vulnerability Details
sharp is an application for Node.js image processing. Prior to version 0.30.5, there is a possible vulnerability in logic that is run only at npm install
time when installing versions of sharp
prior to the latest v0.30.5. If an attacker has the ability to set the value of the PKG_CONFIG_PATH
environment variable in a build environment then they might be able to use this to inject an arbitrary command at npm install
time. This is not part of any runtime code, does not affect Windows users at all, and is unlikely to affect anyone that already cares about the security of their build environment. This problem is fixed in version 0.30.5.
Publish Date: 2022-05-25
URL: CVE-2022-29256
CVSS 3 Score Details (6.7)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: High
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29256
Release Date: 2022-05-25
Fix Resolution: 0.30.5
Step up your Open Source Security Game with Mend here
✔️ This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.