
CVE-2022-25851 (High) detected in jpeg-js-0.4.3.tgz #1725

Closed
mend-for-github-com bot opened this issue Jun 13, 2022 · 1 comment · Fixed by #1753
Labels

  • cve: Security vulnerabilities detected by Dependabot or Mend
  • high severity: High severity CVE
  • Mend: dependency security vulnerability: Security vulnerability detected by Mend

Comments


CVE-2022-25851 - High Severity Vulnerability

Vulnerable Library - jpeg-js-0.4.3.tgz

A pure javascript JPEG encoder and decoder

Library home page: https://registry.npmjs.org/jpeg-js/-/jpeg-js-0.4.3.tgz

Dependency Hierarchy:

  • jimp-0.14.0.tgz (Root Library)
    • types-0.14.0.tgz
      • jpeg-0.14.0.tgz
        • jpeg-js-0.4.3.tgz (Vulnerable Library)

Found in HEAD commit: cba076465f44b6a819e3cff7986ff4cd21a66371

Found in base branch: main

Vulnerability Details

The package jpeg-js before 0.4.4 is vulnerable to Denial of Service (DoS): a particular piece of input will cause it to enter an infinite loop and never return.

Publish Date: 2022-06-10

URL: CVE-2022-25851

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Release Date: 2022-06-10

Fix Resolution: jpeg-js - 0.4.4

mend-for-github-com bot added the "Mend: dependency security vulnerability" label Jun 13, 2022
kavilla (Member) commented Jun 14, 2022

$ yarn why jpeg-js
yarn why v1.22.18
[1/4] Why do we have the module "jpeg-js"...?
[2/4] Initialising dependency graph...
warning Resolution field "[email protected]" is incompatible with requested version "typescript@~4.5.2"
[3/4] Finding dependency...
[4/4] Calculating file sizes...
=> Found "[email protected]"
info Reasons this module exists
   - "_project_#jimp#@jimp#types#@jimp#jpeg" depends on it
   - Hoisted from "_project_#jimp#@jimp#types#@jimp#jpeg#jpeg-js"
info Disk size without dependencies: "104KB"
info Disk size with unique dependencies: "104KB"
info Disk size with transitive dependencies: "104KB"
info Number of shared dependencies: 0
Done in 0.99s.

kavilla added the "high severity" and "cve" labels Jun 14, 2022
kavilla added a commit to kavilla/OpenSearch-Dashboards-1 that referenced this issue Jun 16, 2022
Addresses Denial of Service (DoS) issue where a particular piece of input
will cause it to enter an infinite loop and never return.

CVE: https://vuln.whitesourcesoftware.com/vulnerability/CVE-2022-25851

Issue Resolved:
opensearch-project#1725

Signed-off-by: Kawika Avilla <[email protected]>
kavilla linked a pull request Jun 16, 2022 that will close this issue
kavilla added a commit that referenced this issue Jun 16, 2022
Addresses Denial of Service (DoS) issue where a particular piece of input
will cause it to enter an infinite loop and never return.

CVE: https://vuln.whitesourcesoftware.com/vulnerability/CVE-2022-25851

Issue Resolved:
#1725

Signed-off-by: Kawika Avilla <[email protected]>
opensearch-trigger-bot bot pushed a commit that referenced this issue Jun 16, 2022
Addresses Denial of Service (DoS) issue where a particular piece of input
will cause it to enter an infinite loop and never return.

CVE: https://vuln.whitesourcesoftware.com/vulnerability/CVE-2022-25851

Issue Resolved:
#1725

Signed-off-by: Kawika Avilla <[email protected]>
(cherry picked from commit 2a159e8)
ananzh pushed a commit that referenced this issue Jun 17, 2022
Addresses Denial of Service (DoS) issue where a particular piece of input
will cause it to enter an infinite loop and never return.

CVE: https://vuln.whitesourcesoftware.com/vulnerability/CVE-2022-25851

Issue Resolved:
#1725

Signed-off-by: Kawika Avilla <[email protected]>
(cherry picked from commit 2a159e8)

Co-authored-by: Kawika Avilla <[email protected]>
cliu123 pushed a commit to cliu123/OpenSearch-Dashboards that referenced this issue Jun 30, 2022
…h-project#1757)

Addresses Denial of Service (DoS) issue where a particular piece of input
will cause it to enter an infinite loop and never return.

CVE: https://vuln.whitesourcesoftware.com/vulnerability/CVE-2022-25851

Issue Resolved:
opensearch-project#1725

Signed-off-by: Kawika Avilla <[email protected]>
(cherry picked from commit 2a159e8)

Co-authored-by: Kawika Avilla <[email protected]>
ananzh added a commit to ananzh/OpenSearch-Dashboards that referenced this issue Mar 30, 2023
joshuarrrr added a commit that referenced this issue Apr 17, 2023
Issue Resolve
#1725

Backport PR
#1753

Signed-off-by: Anan Zhuang <[email protected]>
Co-authored-by: Josh Romero <[email protected]>
opensearch-trigger-bot bot pushed a commit that referenced this issue Apr 17, 2023
Issue Resolve
#1725

Backport PR
#1753

Signed-off-by: Anan Zhuang <[email protected]>
Co-authored-by: Josh Romero <[email protected]>
(cherry picked from commit 637d545)
Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>

# Conflicts:
#	CHANGELOG.md
abbyhu2000 pushed a commit that referenced this issue Apr 17, 2023
Issue Resolve
#1725

Backport PR
#1753

Signed-off-by: Anan Zhuang <[email protected]>
Co-authored-by: Josh Romero <[email protected]>
(cherry picked from commit 637d545)
Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>

# Conflicts:
#	CHANGELOG.md

Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>