[GHSA-54xq-cgqr-rpm3] sharp vulnerability in libwebp dependency CVE-2023-4863

advisories/github-reviewed/2023/11/GHSA-54xq-cgqr-rpm3/GHSA-54xq-cgqr-rpm3.json

@@ -1,9 +1,11 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-54xq-cgqr-rpm3",
-  "modified": "2023-11-16T17:14:15Z",
+  "modified": "2023-11-16T17:14:17Z",
   "published": "2023-11-16T17:14:15Z",
-  "aliases": [],
+  "aliases": [
+
+  ],
   "summary": "sharp vulnerability in libwebp dependency CVE-2023-4863",
   "details": "## Overview\n\nsharp uses libwebp to decode WebP images and versions prior to the latest 0.32.6 are vulnerable to the high severity https://github.com/advisories/GHSA-j7hp-h8jx-5ppr.\n\n## Who does this affect?\n\nAlmost anyone processing untrusted input with versions of sharp prior to 0.32.6.\n\n## How to resolve this?\n\n### Using prebuilt binaries provided by sharp?\n\nMost people rely on the prebuilt binaries provided by sharp.\n\nPlease upgrade sharp to the latest 0.32.6, which provides libwebp 1.3.2.\n\n### Using a globally-installed libvips?\n\nPlease ensure you are using the latest libwebp 1.3.2.\n\n## Possible workaround\n\nAdd the following to your code to prevent sharp from decoding WebP images.\n```js\nsharp.block({ operation: [\"VipsForeignLoadWebp\"] });\n```",
   "severity": [
@@ -24,13 +26,13 @@
           "events": [
             {
               "introduced": "0"
-            },
-            {
-              "fixed": "0.32.6"
             }
           ]
         }
-      ]
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "< 0.32.6"
+      }
     }
   ],
   "references": [
@@ -48,7 +50,9 @@
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
+    "cwe_ids": [
+
+    ],
     "severity": "HIGH",
     "github_reviewed": true,
     "github_reviewed_at": "2023-11-16T17:14:15Z",