Skip to content

CVE-2020-8175 (Medium) detected in jpeg-js-0.1.2.tgz - autoclosed #111

Description

@mend-bolt-for-github

CVE-2020-8175 - Medium Severity Vulnerability

Vulnerable Library - jpeg-js-0.1.2.tgz

A pure javascript JPEG encoder and decoder

Library home page: https://registry.npmjs.org/jpeg-js/-/jpeg-js-0.1.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/jpeg-js/package.json

Dependency Hierarchy:

  • get-image-colors-1.8.1.tgz (Root Library)
    • get-pixels-3.3.0.tgz
      • jpeg-js-0.1.2.tgz (Vulnerable Library)

Found in HEAD commit: 71f8e55081842320cf2d0ade0626b67d0274d5e4

Found in base branch: master

Vulnerability Details

Uncontrolled resource consumption in jpeg-js before 0.4.0 may allow attacker to launch denial of service attacks using specially a crafted JPEG image.

Publish Date: 2020-07-24

URL: CVE-2020-8175

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8175

Release Date: 2020-07-27

Fix Resolution (jpeg-js): 0.4.0

Direct dependency fix Resolution (get-image-colors): 2.0.0


Step up your Open Source Security Game with WhiteSource here

Metadata

Metadata

Assignees

No one assigned

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions