CVE-2022-29256
CVE-2022-29256 is a medium-severity vulnerability with a CVSS v3.1 base score of 6.7. sharp is a Node.js image processing module. Versions prior to 0.30.5 contain a flaw in logic that runs only at `npm install` time: an attacker who can set the `PKG_CONFIG_PATH` environment variable in the build environment may be able to inject an arbitrary command. The runtime code is not affected, and Windows builds are not affected at all. EPSS estimates a 0.37% probability of exploitation in the next 30 days.
Description
sharp is an application for Node.js image processing. Prior to version 0.30.5, there is a possible vulnerability in logic that is run only at `npm install` time when installing versions of `sharp` prior to the latest v0.30.5. If an attacker has the ability to set the value of the `PKG_CONFIG_PATH` environment variable in a build environment then they might be able to use this to inject an arbitrary command at `npm install` time. This is not part of any runtime code, does not affect Windows users at all, and is unlikely to affect anyone that already cares about the security of their build environment. This problem is fixed in version 0.30.5.
Metrics
CVSS v3.1 base score 6.7 (Medium): CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H (local access, low complexity, high privileges required, no user interaction, scope unchanged, high impact to confidentiality, integrity and availability)
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Sharp Project | Sharp | < 0.30.5 |
References
- https://github.com/lovell/sharp/commit/a6aeef612be50f5868a77481848b1de674216f0c (Patch, Third Party Advisory)
- https://github.com/lovell/sharp/security/advisories/GHSA-gp95-ppv5-3jc5 (Patch, Third Party Advisory)
Source: NVD / NIST
