- What: A denial of service vulnerability affects the gimp package.
- Impact: Versions [1.3.20, 2.10.32) are affected.
Denial of Service (DoS) affecting the gimp package, versions [1.3.20, 2.10.32)

- Severity: high (CVSS assessment by Snyk's Security Team)
- Threat intelligence (EPSS): 0.12% (31st percentile). The probability is the direct output of the EPSS model and conveys an overall sense of the threat of exploitation in the wild; the percentile measures the EPSS probability relative to all known EPSS scores. Note: this data is updated daily, relying on the latest available EPSS model version. See the EPSS documentation for more details.
- Snyk ID: SNYK-UNMANAGED-GIMP-2935921
- Published: 26 Jun 2022
- Disclosed: 26 Jun 2022
- Introduced: 26 Jun 2022
- Credit: Mask6asok
- CVE: CVE-2022-32990 (Common Vulnerabilities and Exposures (CVE) are common identifiers for publicly known security vulnerabilities)
- CWE: CWE-400 (Common Weakness Enumeration (CWE) is a category system for software weaknesses)

How to fix? Upgrade gimp to version 2.10.32 or higher.

Overview: Affected versions of this package are vulnerable to Denial of Service (DoS) in gimp_layer_invalidate_boundary, via a crafted XCF file.

Details: Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users. Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users, resulting in downtime.
One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines. When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger a crash or crippling of the service by using a flaw either in the application code or in the open source libraries it uses. Two common types of DoS vulnerabilities:

- High CPU/Memory Consumption: an attacker sends crafted requests that cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.
- Crash: an attacker sends crafted requests that cause the system to crash. For example, the npm ws package.

References:
- GitHub Commit
- GitLab Issue

CVSS Base Scores, version 3.1:

- Attack Vector (AV): Network. The vulnerable component is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers).
- Attack Complexity (AC): Low. Specialized access conditions or extenuating circumstances do not exist. An attacker can expect repeatable success when attacking the vulnerable component.
- Privileges Required (PR): None. The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files of the vulnerable system to carry out an attack.
- User Interaction (UI): None. The vulnerable system can be exploited without interaction from any user.
- Scope (S): Unchanged. An exploited vulnerability can only affect resources managed by the same security authority. In this case, the vulnerable component and the impacted component are either the same, or both are managed by the same security authority.
- Confidentiality (C): None. There is no loss of confidentiality within the impacted component.
- Integrity (I): None. There is no loss of integrity within the impacted component.
- Availability (A): High. There is a total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed). Alternatively, the attacker has the ability to deny some availability, but the loss of availability presents a direct, serious consequence to the impacted component (e.g., the attacker cannot disrupt existing connections, but can prevent new connections; the attacker can repeatedly exploit a vulnerability that, in each instance of a successful attack, leaks only a small amount of memory, but after repeated exploitation causes a service to become completely unavailable).