There is a vulnerability in jpeg-js since node-thumbnail requires an old version of jimp #45

Open
Poikilos opened this issue Jul 26, 2021 · 0 comments

Poikilos commented Jul 26, 2021

I got this one from dependabot: GHSA-w7q9-p3jq-fmhm

https://github.com/poikilos/artspatter/security/dependabot/yarn.lock/jpeg-js/open:

Dependabot cannot update jpeg-js to a non-vulnerable version

The latest possible version that can be installed is 0.2.0 because of the following conflicting dependency:

[email protected] requires jpeg-js@^0.2.0 via a transitive dependency on [email protected]

The earliest fixed version is 0.4.0.


1 jpeg-js vulnerability found in yarn.lock on Dec 23, 2020

Remediation

Upgrade jpeg-js to version 0.4.0 or later. For example:

jpeg-js@^0.4.0:
version "0.4.0"

Always verify the validity and compatibility of suggestions with your codebase.


Details

CVE-2020-8175

moderate severity

Vulnerable versions: < 0.4.0

Patched version: 0.4.0

Uncontrolled resource consumption in jpeg-js before 0.4.0 may allow an attacker to launch denial of service attacks using a specially crafted JPEG image.
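An added check, not from the issue and not code from node-thumbnail, jimp or jpeg-js: it parses a yarn.lock v1 file, reports every jpeg-js entry resolved below the patched 0.4.0 release, and lists the ranges pinning each one (which is what blocks Dependabot here). The lock fragment is constructed, and the version compare is a plain dotted-numeric comparison that ignores pre-release tags.

```javascript
// Added example: find jpeg-js entries in a yarn.lock v1 resolved below the
// patched release named in the advisory (CVE-2020-8175, fixed in 0.4.0).
const PATCHED = '0.4.0';
const PACKAGE = 'jpeg-js';

// yarn.lock v1: an unindented `name@range[, name@range]:` header, followed by
// indented fields. Only the `version "x.y.z"` field is needed here.
function parseYarnLock(text) {
  const entries = [];
  let current = null;
  for (const raw of text.split('\n')) {
    const line = raw.replace(/\r$/, '');
    if (!line.trim() || line.startsWith('#')) continue;
    if (!/^\s/.test(line) && line.endsWith(':')) {
      const specs = line.slice(0, -1).split(',')
        .map(s => s.trim().replace(/^"|"$/g, ''));
      current = { specs, version: null };
      entries.push(current);
    } else if (current) {
      const m = line.match(/^\s+version\s+"([^"]+)"/);
      if (m) current.version = m[1];
    }
  }
  return entries;
}

// Dotted-numeric compare (assumption: no pre-release tags in the lock file).
function versionLess(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y;
  }
  return false;
}

// Every jpeg-js entry below PATCHED, with the ranges that pin it there.
function findVulnerableJpegJs(lockText) {
  return parseYarnLock(lockText)
    .filter(e => e.specs.some(s => s.startsWith(PACKAGE + '@')))
    .filter(e => e.version && versionLess(e.version, PATCHED))
    .map(e => ({ version: e.version,
                 pinnedBy: e.specs.map(s => s.slice(PACKAGE.length + 1)) }));
}

// Constructed sample lock fragment (not the reporter's real yarn.lock).
const SAMPLE_LOCK = `# yarn lockfile v1

jpeg-js@^0.2.0:
  version "0.2.0"
  resolved "https://registry.yarnpkg.com/jpeg-js/-/jpeg-js-0.2.0.tgz"

jpeg-js@^0.4.0:
  version "0.4.1"
`;
```

Running `findVulnerableJpegJs` over the real lock file shows the `^0.2.0` range that jimp contributes, which is why a fix needs the parent (jimp / node-thumbnail) bumped rather than jpeg-js alone.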
