Alpine: multiple libraw packages: security update to 0.20.0-r0

high Tenable Cloud Security Plugin ID 405250

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- Nagios XI 5.7.2 is affected by a remote code execution (RCE) vulnerability. An authenticated user can
inject additional commands into normal webapp query. (CVE-2020-24899)

- libraw 20.0 has a null pointer dereference vulnerability in parse_tiff_ifd in src/metadata/tiff.cpp, which
may result in context-dependent arbitrary code execution. Note: this vulnerability occurs only if you
compile the software in a certain way (CVE-2020-24890)

- In LibRaw, there is an out-of-bounds write vulnerability within the "new_node()" function
(libraw\src\x3f\x3f_utils_patched.cpp) that can be triggered via a crafted X3F file. (CVE-2020-35530)

- In LibRaw, an out-of-bounds read vulnerability exists within the get_huffman_diff() function
(libraw\src\x3f\x3f_utils_patched.cpp) when reading data from an image file. (CVE-2020-35531)

See Also

https://security.alpinelinux.org/vuln/CVE-2020-24890

https://security.alpinelinux.org/vuln/CVE-2020-24899

https://security.alpinelinux.org/vuln/CVE-2020-35530

https://security.alpinelinux.org/vuln/CVE-2020-35531

https://security.alpinelinux.org/vuln/CVE-2020-35532

https://security.alpinelinux.org/vuln/CVE-2020-35533

https://security.alpinelinux.org/vuln/CVE-2020-35534

https://security.alpinelinux.org/vuln/CVE-2020-35535

Plugin Details

Severity: High

ID: 405250

Version: Revision 1.27

Type: Local

Published: 10/31/2023

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.15

CVSS v2

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 5.1

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P

CVSS Score Source: CVE-2020-24899

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.9

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 9/16/2020

Reference Information

CVE: CVE-2020-24890, CVE-2020-24899, CVE-2020-35530, CVE-2020-35531, CVE-2020-35532, CVE-2020-35533, CVE-2020-35534, CVE-2020-35535