
GHSA-jh2j-j4j9-crg3: opencv-python-headless bundled libwebp binaries in wheels that are vulnerable to CVE-2023-4863

CVSS Score: 8.8 (CVSS v3.1)

Basic Information

CVE ID: -
EPSS Score: -
Published: 8/30/2024
Updated: 8/30/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Package Name: opencv-python-headless
Ecosystem: pip
Vulnerable Versions: >= 0, < 4.8.1.78
First Patched Version: 4.8.1.78

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from libwebp's Huffman table construction. Multiple sources, including the CVE-2023-4863 description, libwebp's fix commit 902bc9190331343b2017211debcec8d2ab87e17a, and Chromium's bug report, point to BuildHuffmanTable as the vulnerable function. OpenCV's patch upgrades the bundled libwebp to 1.3.2, which contains the fix for this function. The file path is derived from libwebp's source layout under OpenCV's 3rdparty directory.
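Because the vulnerable code is vendored inside the opencv-python-headless wheel, a dependency audit that looks for a libwebp entry in the environment finds nothing; the check has to key on the wrapping package's version against the advisory's first patched version. The following audit script is an added example (not Miggo's or OpenCV's code); the advisory data it embeds is taken from this page, the sample environment is constructed, and `installed_distributions` is a hypothetical helper for scanning a real environment.

```python
"""Audit installed distributions against a vendored-library advisory.

Added example, not from the Miggo page or the OpenCV project. Demonstrates
that CVE-2023-4863 (libwebp) must be detected via the opencv-python-headless
wheel version (< 4.8.1.78 per GHSA-jh2j-j4j9-crg3), since pip never lists
the bundled libwebp as a dependency.
"""
from importlib import metadata

# Advisory data copied from the page; keys are lowercase distribution names.
ADVISORIES = {
    "opencv-python-headless": {
        "id": "GHSA-jh2j-j4j9-crg3",
        "cve": "CVE-2023-4863",
        "first_patched": "4.8.1.78",
        "vendored": "libwebp (fixed upstream in 1.3.2)",
    },
}

def parse_version(v):
    """Turn '4.8.1.78' into (4, 8, 1, 78); a non-numeric tail ends parsing."""
    parts = []
    for piece in v.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)

def is_vulnerable(name, version):
    """True if version falls in the affected range (>= 0, < first_patched)."""
    adv = ADVISORIES.get(name.lower())
    if adv is None:
        return False
    return parse_version(version) < parse_version(adv["first_patched"])

def audit(installed):
    """installed: {distribution name: version}. Returns (name, version, id, cve) findings."""
    findings = []
    for name, version in installed.items():
        if is_vulnerable(name, version):
            adv = ADVISORIES[name.lower()]
            findings.append((name, version, adv["id"], adv["cve"]))
    return findings

def installed_distributions():
    """Hypothetical helper: name->version for the current environment."""
    return {d.metadata["Name"]: d.version
            for d in metadata.distributions() if d.metadata["Name"]}

if __name__ == "__main__":
    # Constructed sample environment; note there is no 'libwebp' entry to find.
    sample = {"numpy": "1.26.4", "opencv-python-headless": "4.8.0.76"}
    for finding in audit(sample):
        print("%s %s is affected by %s (%s)" % finding)
```

Run it against `installed_distributions()` instead of the constructed sample to audit a live virtual environment.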


WAF Protection Rules

WAF Rule

opencv-python-headless versions before v4.8.1.78 bundle libwebp binaries in wheels that are vulnerable to CVE-2023-4863. opencv-python-headless v4.8.1.78 upgrades the bundled libwebp binary to v1.3.2.
