Security Advisory IBEXA-SA-2024-003: Vulnerability in image-optimizer dependency

Publication date: 14/05/2024, 11:30

Severity: Low

Affected versions: Ibexa DXP v4.6.* (ibexa/image-editor)
Resolving versions: Ibexa DXP v4.6.4

The dependency spatie/image-optimizer has a moderate vulnerability in versions lower than 1.7.3, potentially allowing PHAR deserialization. This is registered as CVE-2024-34515. This dependency was used in Ibexa DXP up to v4.6.3, and resolved in v4.6.4. In v4.6.5 the dependency requirement was also upgraded, with the effect of banning the vulnerable versions.
https://github.com/advisories/GHSA-6pjm-hmvf-h4rr

By default, Ibexa DXP blocks the PHAR filetype from being uploaded, so this vulnerability is unlikely to have been exploitable.
https://doc.ibexa.co/en/latest/infrastructure_and_maintenance/security/security_checklist/#block-upload-of-unwanted-file-types

However, it is always recommended to ensure you don't have packages with known vulnerabilities installed.

Have you found a security bug in Ibexa DXP? See how to report it responsibly here: https://doc.ibexa.co/en/latest/guide/reporting_issues/

All security advisories

Tech blog

Get started with Ibexa DXP

Tutorials

Training

Slack

GitHub

Product roadmap

Community packages

REST API reference

GraphQL API docs

Product security at Ibexa

Security Advisories

Software service life

Issue tracker

Security advisory: IBEXA-SA-2024-003

Vulnerability in image-optimizer dependency