Skip to content

Bundled libwebp in pywebp vulnerable

High severity GitHub Reviewed Published Oct 6, 2023 in anibali/pywebp • Updated Oct 6, 2023

Package

pip webp (pip)

Affected versions

< 0.3.0

Patched versions

0.3.0

Description

Impact

pywebp versions before v0.3.0 bundled libwebp binaries in wheels that are vulnerable to CVE-2023-4863. The vulnerability was a heap buffer overflow which allowed a remote attacker to perform an out of bounds memory write.

Patches

The problem has been patched upstream in libwebp 1.3.2.
pywebp was updated to bundle a patched version of libwebp in v0.3.0.

Workarounds

No known workarounds without upgrading.

References

References

@anibali anibali published to anibali/pywebp Oct 6, 2023
Published to the GitHub Advisory Database Oct 6, 2023
Reviewed Oct 6, 2023
Last updated Oct 6, 2023

Severity

High
8.8
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Weaknesses

No CWEs

CVE ID

No known CVE

GHSA ID

GHSA-f9pm-4g9p-6vm3

Source code

Credits

Checking history
See something to contribute? Suggest improvements for this vulnerability.