5.3 MEDIUM
- CVSS version: 3.1
- Attack vector (AV): NETWORK
- Attack complexity (AC): LOW
- Privileges required (PR): NONE
- User interaction (UI): NONE
- Scope (S): UNCHANGED
- Confidentiality impact (C): NONE
- Integrity impact (I): NONE
- Availability impact (A): LOW
by @LeSuisse Activity log
- Created automatic suggestion
-
@LeSuisse
removed
4 packages
- perlPackages.FileType
- perl5Packages.FileType
- perl538Packages.FileType
- perl540Packages.FileType
- @LeSuisse dismissed
file-type affected by ZIP Decompression Bomb DoS via [Content_Types].xml entry
file-type detects the file type of a file, stream, or data. From 20.0.0 to 21.3.1, a crafted ZIP file can trigger excessive memory growth during type detection in file-type when using fileTypeFromBuffer(), fileTypeFromBlob(), or fileTypeFromFile(). The ZIP inflate output limit is enforced for stream-based detection, but not for known-size inputs. As a result, a small compressed ZIP can cause file-type to inflate and process a much larger payload while probing ZIP-based formats such as OOXML. This vulnerability is fixed in 21.3.2.
References
Affected products
- ==>= 20.0.0, < 21.3.2
Ignored packages (4)
pkgs.perlPackages.FileType
Uses magic numbers (typically at the start of a file) to determine the MIME type of that file
pkgs.perl5Packages.FileType
Uses magic numbers (typically at the start of a file) to determine the MIME type of that file
pkgs.perl538Packages.FileType
Uses magic numbers (typically at the start of a file) to determine the MIME type of that file
pkgs.perl540Packages.FileType
Uses magic numbers (typically at the start of a file) to determine the MIME type of that file