Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CVE-2023-30548 (Medium) detected in gatsby-plugin-sharp-2.0.32.tgz #333

Open
mend-bolt-for-github bot opened this issue Apr 19, 2023 · 0 comments
Open

CVE-2023-30548 (Medium) detected in gatsby-plugin-sharp-2.0.32.tgz #333

mend-bolt-for-github bot opened this issue Apr 19, 2023 · 0 comments
Labels
Mend: dependency security vulnerability Security vulnerability detected by WhiteSource

Comments

@mend-bolt-for-github
Copy link

CVE-2023-30548 - Medium Severity Vulnerability

Vulnerable Library - gatsby-plugin-sharp-2.0.32.tgz

Wrapper of the Sharp image manipulation library for Gatsby plugins

Library home page: https://registry.npmjs.org/gatsby-plugin-sharp/-/gatsby-plugin-sharp-2.0.32.tgz

Path to dependency file: /site-landing/package.json

Path to vulnerable library: /node_modules/gatsby-plugin-sharp/package.json

Dependency Hierarchy:

  • gatsby-plugin-sharp-2.0.32.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

gatsby-plugin-sharp is a plugin for the gatsby framework which exposes functions built on the Sharp image processing library. The gatsby-plugin-sharp plugin prior to versions 5.8.1 and 4.25.1 contains a path traversal vulnerability exposed when running the Gatsby develop server (gatsby develop). It should be noted that by default gatsby develop is only accessible via the localhost 127.0.0.1, and one would need to intentionally expose the server to other interfaces to exploit this vulnerability by using server options such as --host 0.0.0.0, -H 0.0.0.0, or the GATSBY_HOST=0.0.0.0 environment variable. Attackers exploiting this vulnerability will have read access to all files within the scope of the server process. A patch has been introduced in gatsby-plugin-sharp@5.8.1 and gatsby-plugin-sharp@4.25.1 which mitigates the issue by ensuring that included paths remain within the project directory. As stated above, by default gatsby develop is only exposed to the localhost 127.0.0.1. For those using the develop server in the default configuration no risk is posed. If other ranges are required, preventing the develop server from being exposed to untrusted interfaces or IP address ranges would mitigate the risk from this vulnerability. Users are non the less encouraged to upgrade to a safe version.

Publish Date: 2023-04-17

URL: CVE-2023-30548

CVSS 3 Score Details (4.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: gatsby-plugin-sharp

Release Date: 2023-04-17

Fix Resolution: 4.25.1

Step up your Open Source Security Game with Mend here
@mend-bolt-for-github mend-bolt-for-github bot added the Mend: dependency security vulnerability Security vulnerability detected by WhiteSource label Apr 19, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Mend: dependency security vulnerability Security vulnerability detected by WhiteSource
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
0 participants