GMS-2023-3131: Bundled libwebp in imagecodecs vulnerable

October 5, 2023

imagecodecs versions before v2023.9.18 bundled libwebp binaries in wheels that is vulnerable to CVE-2023-5129 (previously CVE-2023-4863). imagecodecs v2023.9.18 upgrades the bundled libwebp binary to v1.3.2.

References

github.com/advisories/GHSA-94vc-p8w7-5p49
github.com/cgohlke/imagecodecs/blob/v2023.9.18/CHANGES.rst
github.com/pypa/advisory-database/tree/main/vulns/imagecodecs/PYSEC-2023-174.yaml
nvd.nist.gov/vuln/detail/CVE-2023-4863
nvd.nist.gov/vuln/detail/CVE-2023-5129

Detect and mitigate GMS-2023-3131 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →