GHSA-g4m4-9q4c-mfw6 fiona

Package

Manager: pip
Name: fiona
Vulnerable Version: >=0 <1.10b2

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: N/A (percentile: N/A)

Details

Fiona affected by CVE-2020-14152 related to madler-zlib

### Summary

Vulnerability scan of fiona shows [CVE-2020-14152](https://nvd.nist.gov/vuln/detail/CVE-2020-14152). The vulnerability is in libjpeg, a transitive dependency of fiona (via GDAL and PROJ).

### Details

In IJG JPEG (aka libjpeg) before 9d, jpeg_mem_available() in jmemnobs.c in djpeg does not honor the max_memory_to_use setting, possibly causing excessive memory consumption.

### Impact

fiona will not open JPEG files and is not vulnerable to attack in that way. fiona might be vulnerable to malformed PROJ grid files using JPEG compression. No such vulnerability or compromise has been demonstrated.

Metadata

Created: 2024-07-16T19:32:22Z
Modified: 2024-08-21T22:30:00Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/07/GHSA-g4m4-9q4c-mfw6/GHSA-g4m4-9q4c-mfw6.json
CWE IDs: ["CWE-400"]
Alternative ID: N/A
Finding: F067
Auto approve: 1