CVE-2022-25851 (High) detected in jpeg-js-0.4.3.tgz #1725

mend-for-github-com · 2022-06-13T01:01:40Z

CVE-2022-25851 - High Severity Vulnerability

Vulnerable Library - jpeg-js-0.4.3.tgz

A pure javascript JPEG encoder and decoder

Library home page: https://registry.npmjs.org/jpeg-js/-/jpeg-js-0.4.3.tgz

Dependency Hierarchy:

jimp-0.14.0.tgz (Root Library)
- types-0.14.0.tgz
  - jpeg-0.14.0.tgz
    - ❌ jpeg-js-0.4.3.tgz (Vulnerable Library)

Found in HEAD commit: cba076465f44b6a819e3cff7986ff4cd21a66371

Found in base branch: main

Vulnerability Details

The package jpeg-js before 0.4.4 are vulnerable to Denial of Service (DoS) where a particular piece of input will cause to enter an infinite loop and never return.

Publish Date: 2022-06-10

URL: CVE-2022-25851

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2022-06-10

Fix Resolution: jpeg-js - 0.4.4

kavilla · 2022-06-14T17:21:33Z

$ yarn why jpeg-js
yarn why v1.22.18
[1/4] Why do we have the module "jpeg-js"...?
[2/4] Initialising dependency graph...
warning Resolution field "typescript@4.0.2" is incompatible with requested version "typescript@~4.5.2"
[3/4] Finding dependency...
[4/4] Calculating file sizes...
=> Found "jpeg-js@0.4.3"
info Reasons this module exists
   - "_project_#jimp#@jimp#types#@jimp#jpeg" depends on it
   - Hoisted from "_project_#jimp#@jimp#types#@jimp#jpeg#jpeg-js"
info Disk size without dependencies: "104KB"
info Disk size with unique dependencies: "104KB"
info Disk size with transitive dependencies: "104KB"
info Number of shared dependencies: 0
Done in 0.99s.

Addresses Denial of Service (DoS) issue where a particular piece of input will cause to enter an infinite loop and never return. CVE: https://vuln.whitesourcesoftware.com/vulnerability/CVE-2022-25851 Issue Resolved: opensearch-project#1725 Signed-off-by: Kawika Avilla <kavilla414@gmail.com>

Addresses Denial of Service (DoS) issue where a particular piece of input will cause to enter an infinite loop and never return. CVE: https://vuln.whitesourcesoftware.com/vulnerability/CVE-2022-25851 Issue Resolved: #1725 Signed-off-by: Kawika Avilla <kavilla414@gmail.com>

Addresses Denial of Service (DoS) issue where a particular piece of input will cause to enter an infinite loop and never return. CVE: https://vuln.whitesourcesoftware.com/vulnerability/CVE-2022-25851 Issue Resolved: #1725 Signed-off-by: Kawika Avilla <kavilla414@gmail.com> (cherry picked from commit 2a159e8)

Addresses Denial of Service (DoS) issue where a particular piece of input will cause to enter an infinite loop and never return. CVE: https://vuln.whitesourcesoftware.com/vulnerability/CVE-2022-25851 Issue Resolved: #1725 Signed-off-by: Kawika Avilla <kavilla414@gmail.com> (cherry picked from commit 2a159e8) Co-authored-by: Kawika Avilla <kavilla414@gmail.com>

…h-project#1757) Addresses Denial of Service (DoS) issue where a particular piece of input will cause to enter an infinite loop and never return. CVE: https://vuln.whitesourcesoftware.com/vulnerability/CVE-2022-25851 Issue Resolved: opensearch-project#1725 Signed-off-by: Kawika Avilla <kavilla414@gmail.com> (cherry picked from commit 2a159e8) Co-authored-by: Kawika Avilla <kavilla414@gmail.com>

Issue Resolve opensearch-project#1725 Backport PR opensearch-project#1753 Signed-off-by: Anan Zhuang <ananzh@amazon.com>

Issue Resolve #1725 Backport PR #1753 Signed-off-by: Anan Zhuang <ananzh@amazon.com> Co-authored-by: Josh Romero <rmerqg@amazon.com>

Issue Resolve #1725 Backport PR #1753 Signed-off-by: Anan Zhuang <ananzh@amazon.com> Co-authored-by: Josh Romero <rmerqg@amazon.com> (cherry picked from commit 637d545) Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> # Conflicts: # CHANGELOG.md

Issue Resolve #1725 Backport PR #1753 Signed-off-by: Anan Zhuang <ananzh@amazon.com> Co-authored-by: Josh Romero <rmerqg@amazon.com> (cherry picked from commit 637d545) Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> # Conflicts: # CHANGELOG.md Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>

mend-for-github-com bot added the Mend: dependency security vulnerability Security vulnerability detected by Mend label Jun 13, 2022

kavilla added high severity High severity CVE cve Security vulnerabilities detected by Dependabot or Mend labels Jun 14, 2022

kavilla mentioned this issue Jun 16, 2022

[CVE] Resolve jpeg-js to 0.4.4 #1753

Merged

7 tasks

kavilla linked a pull request Jun 16, 2022 that will close this issue

[CVE] Resolve jpeg-js to 0.4.4 #1753

Merged

7 tasks

kavilla closed this as completed in #1753 Jun 16, 2022

ananzh added a commit to ananzh/OpenSearch-Dashboards that referenced this issue Mar 30, 2023

[CVE-2022-25851][1.x] Bump jpeg-js from 0.4.1 to 0.4.4

a5b9d0b

Issue Resolve opensearch-project#1725 Backport PR opensearch-project#1753 Signed-off-by: Anan Zhuang <ananzh@amazon.com>

ananzh added a commit to ananzh/OpenSearch-Dashboards that referenced this issue Mar 30, 2023

[CVE-2022-25851][1.x] Bump jpeg-js from 0.4.1 to 0.4.4

fc71d28

Issue Resolve opensearch-project#1725 Backport PR opensearch-project#1753 Signed-off-by: Anan Zhuang <ananzh@amazon.com>

ananzh mentioned this issue Mar 30, 2023

[CVE-2022-25851][1.x] Bump jpeg-js from 0.4.1 to 0.4.4 #3741

Merged

8 tasks

ananzh added a commit to ananzh/OpenSearch-Dashboards that referenced this issue Mar 30, 2023

[CVE-2022-25851][1.x] Bump jpeg-js from 0.4.1 to 0.4.4

ba2f9ca

Issue Resolve opensearch-project#1725 Backport PR opensearch-project#1753 Signed-off-by: Anan Zhuang <ananzh@amazon.com>

joshuarrrr added a commit that referenced this issue Apr 17, 2023

[CVE-2022-25851][1.x] Bump jpeg-js from 0.4.1 to 0.4.4 (#3741)

637d545

Issue Resolve #1725 Backport PR #1753 Signed-off-by: Anan Zhuang <ananzh@amazon.com> Co-authored-by: Josh Romero <rmerqg@amazon.com>

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

CVE-2022-25851 (High) detected in jpeg-js-0.4.3.tgz #1725

CVE-2022-25851 (High) detected in jpeg-js-0.4.3.tgz #1725

mend-for-github-com bot commented Jun 13, 2022

kavilla commented Jun 14, 2022

CVE-2022-25851 (High) detected in jpeg-js-0.4.3.tgz #1725

CVE-2022-25851 (High) detected in jpeg-js-0.4.3.tgz #1725

Comments

mend-for-github-com bot commented Jun 13, 2022

CVE-2022-25851 - High Severity Vulnerability

kavilla commented Jun 14, 2022