7.1

CVSS Score

3.1

Basic Information

CVE ID

GHSA ID

GHSA-g4m4-9q4c-mfw6

EPSS Score

CWE

CWE-400

Published

7/16/2024

Updated

8/21/2024

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-g4m4-9q4c-mfw6

GHSA-g4m4-9q4c-mfw6:
Fiona affected by CVE-2020-14152 related to madler-zlib

Summary

Vulnerability scan of fiona shows CVE-2020-14152. The vulnerability is in libjpeg, a transitive dependency of fiona (via GDAL and PROJ).

Details

In IJG JPEG (aka libjpeg) before 9d, jpeg_mem_available() in jmemnobs.c in djpeg does not honor the max_memory_to_use setting, possibly causing excessive memory consumption.

Impact

fiona will not open JPEG files and is not vulnerable to attack in that way. fiona might be vulnerable to malformed PROJ grid files using JPEG compression. No such vulnerability or compromise has been demonstrated.

(GitHub Advisory)

7.1

CVSS Score

3.1

Basic Information

CVE ID

GHSA ID

GHSA-g4m4-9q4c-mfw6

EPSS Score

CWE

CWE-400

Published

7/16/2024

Updated

8/21/2024

KEV Status

Technology

Python

Technical Details

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
fiona	pip	< 1.10b2	1.10b2

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability CVE-2020-14152 specifically identifies jpeg_mem_available() in jmemnobs.c as the problematic function. Analysis of libjpeg-turbo's commit da2a27e shows this function was modified to properly handle max_memory_to_use, confirming the original implementation lacked proper memory limit enforcement. While Fiona itself doesn't directly contain vulnerable code, its dependency chain (GDAL/PROJ/libjpeg) exposes this function. The high confidence comes from direct CVE attribution, commit evidence, and the function's central role in memory management described in vulnerability details.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Summ*ry Vuln*r**ility s**n o* *ion* s*ows [*V*-****-*****](*ttps://nv*.nist.*ov/vuln/**t*il/*V*-****-*****). T** vuln*r**ility is in li*jp**, * tr*nsitiv* **p*n**n*y o* *ion* (vi* ***L *n* PROJ). ### **t*ils In IJ* JP** (*k* li*jp**) ***or* **,

Reasoning

T** vuln*r**ility *V*-****-***** sp**i*i**lly i**nti*i*s jp**_m*m_*v*il**l*() in jm*mno*s.* *s t** pro*l*m*ti* *un*tion. *n*lysis o* li*jp**-tur*o's *ommit ******* s*ows t*is *un*tion w*s mo*i*i** to prop*rly **n*l* m*x_m*mory_to_us*, *on*irmin* t**

7.1

Basic Information

Concerned about an active attack path?

GHSA-g4m4-9q4c-mfw6: Fiona affected by CVE-2020-14152 related to madler-zlib

Summary

Details

Impact

7.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

GHSA-g4m4-9q4c-mfw6:
Fiona affected by CVE-2020-14152 related to madler-zlib

Vulnerability Intelligence
Miggo AI