CVE-2024-32036 - Vulnerability Details - OpenCVE

ImageSharp is a 2D graphics API. A data leakage flaw was found in ImageSharp's JPEG and TGA decoders. This vulnerability is triggered when an attacker passes a specially crafted JPEG or TGA image file to a software using ImageSharp, potentially disclosing sensitive information from other parts of the software in the resulting image buffer. The problem has been patched in v3.1.4 and v2.1.8.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Sixlabors	Imagesharp

Configuration 1 [-]

OR	cpe:2.3:a:sixlabors:imagesharp::::::::
	cpe:2.3:a:sixlabors:imagesharp::::::::

No data.

References

Link	Providers
https://github.com/SixLabors/ImageSharp/commit/8f0b4d3e680e78d479a88e7b1472bccd8f096d68
https://github.com/SixLabors/ImageSharp/commit/da5f09a42513489fe359578d81cec2f15ba588ba
https://github.com/SixLabors/ImageSharp/security/advisories/GHSA-5x7m-6737-26cr

History

Thu, 09 Jan 2025 18:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Sixlabors Sixlabors imagesharp
Weaknesses		CWE-212
CPEs		cpe:2.3:a:sixlabors:imagesharp::::::::
Vendors & Products		Sixlabors Sixlabors imagesharp

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-04-15T20:08:44.284Z

Updated: 2024-08-02T02:06:42.826Z

Reserved: 2024-04-09T15:29:35.939Z

Link: CVE-2024-32036

Vulnrichment

Updated: 2024-08-02T02:06:42.826Z

NVD

Status : Analyzed

Published: 2024-04-15T20:15:11.543

Modified: 2025-01-09T18:14:46.097

Link: CVE-2024-32036

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-32036", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-04-09T15:29:35.939Z", "datePublished": "2024-04-15T20:08:44.284Z", "dateUpdated": "2024-08-02T02:06:42.826Z"}, "containers": {"cna": {"title": "SixLabors.ImageSharp vulnerable to data leakage", "problemTypes": [{"descriptions": [{"cweId": "CWE-226", "lang": "en", "description": "CWE-226: Sensitive Information in Resource Not Removed Before Reuse", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/SixLabors/ImageSharp/security/advisories/GHSA-5x7m-6737-26cr", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/SixLabors/ImageSharp/security/advisories/GHSA-5x7m-6737-26cr"}, {"name": "https://github.com/SixLabors/ImageSharp/commit/8f0b4d3e680e78d479a88e7b1472bccd8f096d68", "tags": ["x_refsource_MISC"], "url": "https://github.com/SixLabors/ImageSharp/commit/8f0b4d3e680e78d479a88e7b1472bccd8f096d68"}, {"name": "https://github.com/SixLabors/ImageSharp/commit/da5f09a42513489fe359578d81cec2f15ba588ba", "tags": ["x_refsource_MISC"], "url": "https://github.com/SixLabors/ImageSharp/commit/da5f09a42513489fe359578d81cec2f15ba588ba"}], "affected": [{"vendor": "SixLabors", "product": "ImageSharp", "versions": [{"version": "< 2.1.8", "status": "affected"}, {"version": ">= 3.0.0, < 3.1.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-04-16T22:58:38.425Z"}, "descriptions": [{"lang": "en", "value": "ImageSharp is a 2D graphics API. A data leakage flaw was found in ImageSharp's JPEG and TGA decoders. This vulnerability is triggered when an attacker passes a specially crafted JPEG or TGA image file to a software using ImageSharp, potentially disclosing sensitive information from other parts of the software in the resulting image buffer. The problem has been patched in v3.1.4 and v2.1.8."}], "source": {"advisory": "GHSA-5x7m-6737-26cr", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-32036", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-04-23T19:48:40.487832Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:sixlabors:imagesharp:-:*:*:*:*:*:*:*"], "vendor": "sixlabors", "product": "imagesharp", "versions": [{"status": "affected", "version": "0", "lessThan": "2.1.8", "versionType": "semver"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:a:sixlabors:imagesharp:3.0.0:*:*:*:*:*:*:*"], "vendor": "sixlabors", "product": "imagesharp", "versions": [{"status": "affected", "version": "3.0.0", "versionType": "semver", "lessThanOrEqual": "3.1.4"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:50:18.733Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T02:06:42.826Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/SixLabors/ImageSharp/security/advisories/GHSA-5x7m-6737-26cr", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/SixLabors/ImageSharp/security/advisories/GHSA-5x7m-6737-26cr"}, {"name": "https://github.com/SixLabors/ImageSharp/commit/8f0b4d3e680e78d479a88e7b1472bccd8f096d68", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/SixLabors/ImageSharp/commit/8f0b4d3e680e78d479a88e7b1472bccd8f096d68"}, {"name": "https://github.com/SixLabors/ImageSharp/commit/da5f09a42513489fe359578d81cec2f15ba588ba", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/SixLabors/ImageSharp/commit/da5f09a42513489fe359578d81cec2f15ba588ba"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/SixLabors/ImageSharp/security/advisories/GHSA-5x7m-6737-26cr", "name": "https://github.com/SixLabors/ImageSharp/security/advisories/GHSA-5x7m-6737-26cr", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/SixLabors/ImageSharp/commit/8f0b4d3e680e78d479a88e7b1472bccd8f096d68", "name": "https://github.com/SixLabors/ImageSharp/commit/8f0b4d3e680e78d479a88e7b1472bccd8f096d68", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/SixLabors/ImageSharp/commit/da5f09a42513489fe359578d81cec2f15ba588ba", "name": "https://github.com/SixLabors/ImageSharp/commit/da5f09a42513489fe359578d81cec2f15ba588ba", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T02:06:42.826Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-32036", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-04-23T19:48:40.487832Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:sixlabors:imagesharp:-:*:*:*:*:*:*:*"], "vendor": "sixlabors", "product": "imagesharp", "versions": [{"status": "affected", "version": "0", "lessThan": "2.1.8", "versionType": "semver"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:a:sixlabors:imagesharp:3.0.0:*:*:*:*:*:*:*"], "vendor": "sixlabors", "product": "imagesharp", "versions": [{"status": "affected", "version": "3.0.0", "versionType": "semver", "lessThanOrEqual": "3.1.4"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-04-23T19:47:48.960Z"}, "title": "CISA ADP Vulnrichment"}], "cna": {"title": "SixLabors.ImageSharp vulnerable to data leakage", "source": {"advisory": "GHSA-5x7m-6737-26cr", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "SixLabors", "product": "ImageSharp", "versions": [{"status": "affected", "version": "< 2.1.8"}, {"status": "affected", "version": ">= 3.0.0, < 3.1.4"}]}], "references": [{"url": "https://github.com/SixLabors/ImageSharp/security/advisories/GHSA-5x7m-6737-26cr", "name": "https://github.com/SixLabors/ImageSharp/security/advisories/GHSA-5x7m-6737-26cr", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/SixLabors/ImageSharp/commit/8f0b4d3e680e78d479a88e7b1472bccd8f096d68", "name": "https://github.com/SixLabors/ImageSharp/commit/8f0b4d3e680e78d479a88e7b1472bccd8f096d68", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/SixLabors/ImageSharp/commit/da5f09a42513489fe359578d81cec2f15ba588ba", "name": "https://github.com/SixLabors/ImageSharp/commit/da5f09a42513489fe359578d81cec2f15ba588ba", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "ImageSharp is a 2D graphics API. A data leakage flaw was found in ImageSharp's JPEG and TGA decoders. This vulnerability is triggered when an attacker passes a specially crafted JPEG or TGA image file to a software using ImageSharp, potentially disclosing sensitive information from other parts of the software in the resulting image buffer. The problem has been patched in v3.1.4 and v2.1.8."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-226", "description": "CWE-226: Sensitive Information in Resource Not Removed Before Reuse"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-04-16T22:58:38.425Z"}}}, "cveMetadata": {"cveId": "CVE-2024-32036", "state": "PUBLISHED", "dateUpdated": "2024-08-02T02:06:42.826Z", "dateReserved": "2024-04-09T15:29:35.939Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-04-15T20:08:44.284Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sixlabors:imagesharp:*:*:*:*:*:*:*:*", "matchCriteriaId": "A06E81B0-6C7F-43A9-B154-E5BF07241973", "versionEndExcluding": "2.1.8", "vulnerable": true}, {"criteria": "cpe:2.3:a:sixlabors:imagesharp:*:*:*:*:*:*:*:*", "matchCriteriaId": "CDB61675-C17E-41D0-AFBF-24E39F753A0A", "versionEndExcluding": "3.1.4", "versionStartIncluding": "3.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "ImageSharp is a 2D graphics API. A data leakage flaw was found in ImageSharp's JPEG and TGA decoders. This vulnerability is triggered when an attacker passes a specially crafted JPEG or TGA image file to a software using ImageSharp, potentially disclosing sensitive information from other parts of the software in the resulting image buffer. The problem has been patched in v3.1.4 and v2.1.8."}, {"lang": "es", "value": "ImageSharp es una API de gr\u00e1ficos 2D. Se encontr\u00f3 una falla de heap-use-after-free en los decodificadores JPEG y TGA de ImageSharp. Esta vulnerabilidad se activa cuando un atacante pasa un archivo de imagen JPEG o TGA especialmente manipulado a ImageSharp para su conversi\u00f3n, lo que podr\u00eda provocar la divulgaci\u00f3n de informaci\u00f3n. El problema se solucion\u00f3 en v3.1.4 y v2.1.8."}], "id": "CVE-2024-32036", "lastModified": "2025-01-09T18:14:46.097", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-04-15T20:15:11.543", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/SixLabors/ImageSharp/commit/8f0b4d3e680e78d479a88e7b1472bccd8f096d68"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/SixLabors/ImageSharp/commit/da5f09a42513489fe359578d81cec2f15ba588ba"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/SixLabors/ImageSharp/security/advisories/GHSA-5x7m-6737-26cr"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/SixLabors/ImageSharp/commit/8f0b4d3e680e78d479a88e7b1472bccd8f096d68"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/SixLabors/ImageSharp/commit/da5f09a42513489fe359578d81cec2f15ba588ba"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://github.com/SixLabors/ImageSharp/security/advisories/GHSA-5x7m-6737-26cr"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-226"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-212"}], "source": "nvd@nist.gov", "type": "Primary"}]}