Impact
An attacker can place format string parameters in the URL of an IIIF or IIP request and potentially read from or write to the stack. Potential harm is low, and the issue can only be triggered by a limited number of specific requests.
Patches
A patch is available in commit 39557f8 and will be included in release 1.2.
Workarounds
The issue can be mitigated by filtering requests at the web server (e.g. Apache, Nginx).
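The following is an added example, not the project's code or its patch: a conservative request filter of the kind the workaround describes, together with the hardened logging pattern that removes the bug class described under Impact. The function names and the sample requests in the comments are constructed for illustration. The filter is deliberately strict, so it also rejects benign values that happen to contain a percent sign followed by a conversion letter.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Decode %XX escapes from src into dst (dst needs strlen(src) + 1 bytes).
 * Returns -1 on an encoded NUL, which would hide the rest from the scan. */
static int url_decode(const char *src, char *dst) {
    while (*src) {
        if (src[0] == '%' && isxdigit((unsigned char)src[1])
                          && isxdigit((unsigned char)src[2])) {
            char hex[3] = { src[1], src[2], '\0' };
            char c = (char)strtol(hex, NULL, 16);
            if (c == '\0') return -1;
            *dst++ = c;
            src += 3;
        } else {
            *dst++ = *src++;
        }
    }
    *dst = '\0';
    return 0;
}

/* Return 1 if s holds a printf conversion specification (%x, %08lx, %1$n). */
int has_format_directive(const char *s) {
    for (; *s; s++) {
        if (*s != '%') continue;
        const char *p = s + 1;
        if (*p == '%') { s = p; continue; }      /* "%%" is a literal percent */
        p += strspn(p, "-+ #0123456789*$.");     /* flags, width, precision */
        p += strspn(p, "hlLjzt");                /* length modifiers */
        if (*p && strchr("diouxXeEfFgGaAcspn", *p)) return 1;
    }
    return 0;
}

/* Filter decision for a raw, still URL-encoded query string: 1 = reject. */
int should_reject(const char *raw_query) {
    char decoded[2048];
    if (strlen(raw_query) >= sizeof decoded) return 1;   /* oversized */
    if (url_decode(raw_query, decoded) != 0) return 1;   /* embedded NUL */
    return has_format_directive(decoded);
}

/* Hardened logging: the request is data for a constant "%s" format.
 * The vulnerable form is snprintf(out, n, request), which lets the
 * request itself be interpreted as the format string. */
int log_request(char *out, size_t n, const char *request) {
    return snprintf(out, n, "%s", request);
}
```

The scan runs on the decoded value because `%25x` in a URL reaches the application as `%x`; a filter that matches only the raw bytes misses it.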
References
https://owasp.org/www-community/attacks/Format_string_attack
CVSS 3
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N