Security advisory: IBEXA-SA-2024-003

Vulnerability in image-optimizer dependency
Publication date:
14/05/2024, 11:30

Severity:
Low

Affected versions: Ibexa DXP v4.6.* (ibexa/image-editor)
Resolving versions: Ibexa DXP v4.6.4

The dependency spatie/image-optimizer has a moderate-severity vulnerability in versions lower than 1.7.3 that can lead to PHAR deserialization. It is registered as CVE-2024-34515. Ibexa DXP used a vulnerable version of this dependency up to v4.6.3; v4.6.4 ships a fixed version. In v4.6.5 the version constraint on the dependency was also raised, so that the vulnerable versions can no longer be installed.
https://github.com/advisories/GHSA-6pjm-hmvf-h4rr 
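The following PHP is an added illustration of the vulnerability class named above; it is not code from Ibexa DXP or from spatie/image-optimizer, and the class and method names are invented for the example. The unsafe constructor shows the pattern: the only validation of a caller-supplied path is a file_exists() check, and on PHP versions that unserialize phar metadata automatically a path such as phar://uploads/evil.jpg/x.png turns that check itself into a deserialization sink. The hardened constructor rejects any scheme:// prefix with a plain string test before anything touches the filesystem, refuses NUL bytes, and only then resolves the path with realpath() and requires a regular file.

```php
<?php
declare(strict_types=1);

// Added example, not code from Ibexa DXP or spatie/image-optimizer.
// Illustrates the vulnerability class behind the advisory: a filesystem
// probe on an attacker-influenced path. With a phar:// path, stat-style
// calls such as file_exists() can make PHP unserialize the archive's
// metadata, so the probe itself is the sink.

final class UnsafeImage
{
    public string $pathToImage;

    // Vulnerable pattern (illustrative, never instantiated below with a
    // hostile path): the only validation is an existence check, and that
    // check dereferences stream wrappers such as phar://.
    public function __construct(string $pathToImage)
    {
        if (! file_exists($pathToImage)) {
            throw new InvalidArgumentException("`{$pathToImage}` does not exist");
        }
        $this->pathToImage = $pathToImage;
    }
}

final class SafeImage
{
    public string $pathToImage;

    public function __construct(string $pathToImage)
    {
        $this->pathToImage = self::assertPlainLocalFile($pathToImage);
    }

    // Hardened form: reject any "scheme://" prefix with a pure string test
    // before anything touches the filesystem, then resolve and re-check.
    public static function assertPlainLocalFile(string $path): string
    {
        // Matches phar://, PHAR://, php://, data://, http:// and any other wrapper.
        if (preg_match('~^[a-z][a-z0-9+.\-]*://~i', $path) === 1) {
            throw new InvalidArgumentException('Stream wrappers are not allowed in image paths');
        }
        // PHP 8 filesystem functions throw a ValueError on NUL bytes; fail cleanly first.
        if (str_contains($path, "\0")) {
            throw new InvalidArgumentException('Image path contains a NUL byte');
        }
        $real = realpath($path);
        if ($real === false || ! is_file($real)) {
            throw new InvalidArgumentException("`{$path}` is not a regular file");
        }
        return $real;
    }
}

// Constructed inputs: a real temporary file and three hostile paths.
$tmp = tempnam(sys_get_temp_dir(), 'img');
file_put_contents($tmp, "\x89PNG\r\n\x1a\n");

$ok = new SafeImage($tmp);
echo "accepted: {$ok->pathToImage}\n";

$hostile = [
    'phar://uploads/evil.jpg/x.png',
    'PHAR://uploads/evil.jpg/x.png',
    'php://filter/resource=' . $tmp,
];
foreach ($hostile as $path) {
    try {
        new SafeImage($path);
        echo "UNEXPECTED: accepted {$path}\n";
    } catch (InvalidArgumentException $e) {
        echo "rejected: {$path} ({$e->getMessage()})\n";
    }
}

unlink($tmp);
```

The vulnerable class is kept only for comparison and is never given a hostile path; the script exercises the hardened class against a constructed temporary file and three hostile inputs. The guard rejects every wrapper scheme rather than matching the literal string phar://, so case variants and other wrappers such as php://filter are refused by the same check.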

By default, Ibexa DXP blocks the PHAR file type from being uploaded, so on a default configuration this vulnerability is unlikely to have been exploitable. If you have customised the list of blocked upload file types, verify that PHAR is still blocked:
https://doc.ibexa.co/en/latest/infrastructure_and_maintenance/security/security_checklist/#block-upload-of-unwanted-file-types

Regardless, we recommend making sure that no packages with known vulnerabilities are installed. With Composer 2.4 or newer, running composer audit compares the versions pinned in composer.lock against the public advisory database; upgrading to Ibexa DXP v4.6.4 or later removes this one.


Have you found a security bug in Ibexa DXP? See how to report it responsibly here: https://doc.ibexa.co/en/latest/guide/reporting_issues/
