About ImageSharp Vulnerability in Pleasanter

August 19, 2024 5 mins read

We would like to inform you about the ImageSharp vulnerability in Pleasanter.

■Overview

We have discovered that some versions of our product Pleasanter are vulnerable because of a library (ImageSharp) that Pleasanter uses. If this vulnerability is exploited, uploading a malicious image may lead to a denial of service (DoS).

The affected Pleasanter versions are listed below; if you are running one of them, please take the measures described under Countermeasures.

■How to check the affected version

The affected versions are as follows.
・Versions 1.3.48.0 through 1.4.6.3 (inclusive)
*This applies to both Community Edition and Enterprise Edition.
*Versions 1.2, 1.1, 0.51, 0.50, 0.49 and earlier are not affected.

■Vulnerability description

An out-of-bounds write vulnerability was discovered in the ImageSharp GIF decoder. It could allow an attacker to crash the application using a specially crafted GIF, resulting in a denial of service.

■Threat posed by the vulnerability

An attacker in possession of a malicious GIF image file can relatively easily cause a denial of service.
This vulnerability does not lead to redirection to external fraudulent sites, nor to leakage or tampering of data registered in Pleasanter, so the risk of information leakage or tampering is considered low.
For more information, please refer to the GitHub Advisory.
・[GHSA-63p8-c4ww-9cg7]
https://github.com/advisories/GHSA-63p8-c4ww-9cg7

■Countermeasures

・Customers using versions 1.3.48.0 through 1.4.6.3
Please upgrade to version 1.4.6.4 (released on July 23, 2024) or later, in which the issue is fixed.
*No individual patch is available to fix the issue without upgrading.
・Customers using a dedicated environment
We will update the version promptly after arranging the schedule with you separately. (A restart is required.)
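To triage a deployment against the range stated in this advisory, the following added example (not code from the Pleasanter project) parses a Pleasanter version string and reports whether it falls within 1.3.48.0 through 1.4.6.3; short version strings such as "1.2" are padded with zeros before comparison.

```python
# Added example: check a Pleasanter version string against the affected range
# given in the advisory. Not part of the Pleasanter product or its tooling.
from typing import Tuple

AFFECTED_FROM = (1, 3, 48, 0)   # first affected version (inclusive)
AFFECTED_TO = (1, 4, 6, 3)      # last affected version (inclusive)
FIXED_VERSION = (1, 4, 6, 4)    # first fixed release (July 23, 2024)


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn '1.4.6.3' into (1, 4, 6, 3).

    Versions with fewer than four components (e.g. '1.2') are padded
    with zeros so that tuple comparison behaves like a version comparison.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts) or len(parts) > 4:
        raise ValueError(f"not a dotted numeric version: {text!r}")
    nums = tuple(int(p) for p in parts)
    padded = nums + (0,) * (4 - len(nums))
    return padded  # type: ignore[return-value]


def is_affected(text: str) -> bool:
    """True if the version lies in the affected range from the advisory."""
    version = parse_version(text)
    return AFFECTED_FROM <= version <= AFFECTED_TO


def advice(text: str) -> str:
    """Human-readable triage result for a single version string."""
    version = parse_version(text)
    if AFFECTED_FROM <= version <= AFFECTED_TO:
        return "affected: upgrade to 1.4.6.4 or later"
    if version >= FIXED_VERSION:
        return "not affected: fixed release"
    return "not affected: predates the affected range"


if __name__ == "__main__":
    # Constructed sample inventory of version strings to triage.
    for v in ["1.2", "1.3.47.0", "1.3.48.0", "1.4.0", "1.4.6.3", "1.4.6.4"]:
        print(f"{v:>10}: {advice(v)}")
```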

■Update history

2024.7.26 This vulnerability information was made public.