{ "schema_version": "1.4.0", "id": "GHSA-65x7-c272-7g7r", "modified": "2024-03-06T21:57:21Z", "published": "2024-03-05T16:26:15Z", "aliases": [ "CVE-2024-27929" ], "summary": "Use After Free in SixLabors.ImageSharp", "details": "### Impact\nA heap-use-after-free flaw was found in ImageSharp's InitializeImage() function of PngDecoderCore.cs file. This vulnerability is triggered when an attacker passes a specially crafted PNG image file to ImageSharp for conversion, potentially leading to information disclosure.\n\n### Patches\nThe problem has been patched. All users are advised to upgrade to v3.1.3 or v2.1.7.\n\n### Workarounds\nNone\n\n### References\nNone\n", "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H" } ], "affected": [ { "package": { "ecosystem": "NuGet", "name": "SixLabors.ImageSharp" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "3.0.0" }, { "fixed": "3.1.3" } ] } ] }, { "package": { "ecosystem": "NuGet", "name": "SixLabors.ImageSharp" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "2.1.7" } ] } ] } ], "references": [ { "type": "WEB", "url": "https://github.com/SixLabors/ImageSharp/security/advisories/GHSA-65x7-c272-7g7r" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27929" }, { "type": "WEB", "url": "https://github.com/SixLabors/ImageSharp/pull/2688" }, { "type": "PACKAGE", "url": "https://github.com/SixLabors/ImageSharp" } ], "database_specific": { "cwe_ids": [ "CWE-416" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2024-03-05T16:26:15Z", "nvd_published_at": "2024-03-05T17:15:07Z" } }