x/vulndb: potential Go vuln in github.com/disintegration/imaging: CVE-2023-36308

[GoVulnBot]

CVE-2023-36308 references github.com/disintegration/imaging, which may be a Go module.

Description:
** DISPUTED ** disintegration Imaging 1.6.2 allows attackers to cause a panic (because of an integer index out of range during a Grayscale call) via a crafted TIFF file to the scan function of scanner.go. NOTE: it is unclear whether there are common use cases in which this panic could have any security consequence

References:

• NIST: https://nvd.nist.gov/vuln/detail/CVE-2023-36308
• JSON: https://github.com/CVEProject/cvelist/tree/4210dd94226ffaec99c43b00cf873641ca4faf39/2023/36xxx/CVE-2023-36308.json
• web: https://github.com/disintegration/imaging/releases/tag/v1.6.2
• report: Specific image will cause the index of the scan function in scanner.go to go out of bounds disintegration/imaging#165
• Imported by: https://pkg.go.dev/github.com/disintegration/imaging?tab=importedby

Cross references:
No existing reports found with this module or alias.

See doc/triage.md for instructions on how to triage this report.

modules:
    - module: github.com/disintegration/imaging
      vulnerable_at: 1.6.2
      packages:
        - package: n/a
description: |-
    ** DISPUTED ** disintegration Imaging 1.6.2 allows attackers to cause a panic
    (because of an integer index out of range during a Grayscale call) via a crafted
    TIFF file to the scan function of scanner.go. NOTE: it is unclear whether there
    are common use cases in which this panic could have any security consequence
cves:
    - CVE-2023-36308
references:
    - web: https://github.com/disintegration/imaging/releases/tag/v1.6.2
    - report: https://github.com/disintegration/imaging/issues/165

[timothy-king]

Duplicate of #1929

[gopherbot]

Change https://go.dev/cl/527375 mentions this issue: data/excluded: batch add 1 excluded reports