libjpeg is not used (#2588) (#2589)

github-actions[bot] · mattleibow · web-flow · commit e9612b410e2c · 2023-08-28T16:04:17.000+02:00
(cherry picked from commit b608de5) Co-authored-by: Matthew Leibowitz <mattleibow@live.com>
diff --git a/scripts/guardian/cve-triage.json b/scripts/guardian/cve-triage.json
@@ -3,6 +3,44 @@
   "specVersion": "1.4",
   "version": 1,
   "vulnerabilities": [
+    {
+      "id": "CVE-2020-14152",
+      "source": {
+        "name": "NVD",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14152"
+      },
+      "ratings": [
+        {
+          "source": {
+            "name": "NVD",
+            "url": "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?name=CVE-2020-14152&vector=AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H&version=3.1"
+          },
+          "score": 7.1,
+          "severity": "high",
+          "method": "CVSSv31",
+          "vector": "AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H"
+        }
+      ],
+      "description": "In IJG JPEG (aka libjpeg) before 9d, jpeg_mem_available() in jmemnobs.c in djpeg does not honor the max_memory_to_use setting, possibly causing excessive memory consumption.",
+      "recommendation": "",
+      "advisories": [],
+      "created": "NOT_KNOWN",
+      "published": "NOT_KNOWN",
+      "updated": "",
+      "analysis": {
+        "state": "not_affected",
+        "justification": "code_not_present",
+        "response": [
+          "will_not_fix"
+        ],
+        "detail": "libjpeg is not used and the real dependency is libjpeg-turbo which never had this issue: https://github.com/libjpeg-turbo/libjpeg-turbo/issues/500#issuecomment-772625597."
+      },
+      "affects": [
+        {
+          "ref": "urn:cbt:1/icu-project#international_components_for_unicode-1.8.1"
+        }
+      ]
+    },
     {
       "id": "CVE-2007-4770",
       "source": {
