CVE-2023-43642

Exploit

EPSS 0.07%
Veröffentlicht 25.09.2023 20:15:11
Zuletzt bearbeitet 21.11.2024 08:24:31
Quelle security-advisories@github.com
Teams Watchlist Login
Unerledigt Login

snappy-java is a Java port of the snappy, a fast C++ compresser/decompresser developed by Google. The SnappyInputStream was found to be vulnerable to Denial of Service (DoS) attacks when decompressing data with a too large chunk size. Due to missing upper bound check on chunk length, an unrecoverable fatal error can occur. All versions of snappy-java including the latest released version 1.1.10.3 are vulnerable to this issue. A fix has been introduced in commit `9f8c3cf74` which will be included in the 1.1.10.4 release. Users are advised to upgrade. Users unable to upgrade should only accept compressed data from trusted sources.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Xerial ≫ Snappy-java Version < 1.1.10.4

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.07%	0.229

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
security-advisories@github.com	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-770 Allocation of Resources Without Limits or Throttling

The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.

https://github.com/xerial/snappy-java/commit/9f8c3cf74223ed0a8a834134be9c917b9f10ceb5

Patch

https://github.com/xerial/snappy-java/security/advisories/GHSA-55g7-9cwv-5qfv

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2023-43642

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-43642

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-43642

EUVD