CVE-2023-43642

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2023-43642

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-43642.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2023-43642

Aliases

GHSA-55g7-9cwv-5qfv

Related

Published

2023-09-25T20:15:11Z

Modified

2024-09-18T03:25:32.828208Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Summary

[none]

Details

snappy-java is a Java port of the snappy, a fast C++ compresser/decompresser developed by Google. The SnappyInputStream was found to be vulnerable to Denial of Service (DoS) attacks when decompressing data with a too large chunk size. Due to missing upper bound check on chunk length, an unrecoverable fatal error can occur. All versions of snappy-java including the latest released version 1.1.10.3 are vulnerable to this issue. A fix has been introduced in commit 9f8c3cf74 which will be included in the 1.1.10.4 release. Users are advised to upgrade. Users unable to upgrade should only accept compressed data from trusted sources.

References

Affected packages

Debian:11 / snappy-java

Package

Name: snappy-java
Purl: pkg:deb/debian/snappy-java?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.1.8.3-1

1.1.10.5-1

1.1.10.5-2

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / snappy-java

Package

Name: snappy-java
Purl: pkg:deb/debian/snappy-java?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.1.8.3-1

1.1.10.5-1

1.1.10.5-2

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / snappy-java

Package

Name: snappy-java
Purl: pkg:deb/debian/snappy-java?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.1.10.5-1

Affected versions

1.*

1.1.8.3-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/xerial/snappy-java

Affected ranges

Type: GIT
Repo: https://github.com/xerial/snappy-java
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

9f8c3cf74223ed0a8a834134be9c917b9f10ceb5

Affected versions

1.*

1.0.5

1.0.5-M2

1.0.5-M3

1.0.5-M4

1.1.0

1.1.0-M1

1.1.0-M2

1.1.0-M3

1.1.0-M4

1.1.1

1.1.1-M2

1.1.1-M3

1.1.1-M4

1.1.1.2

1.1.1.3

1.1.1.4

1.1.1.5

1.1.1.6

1.1.1.7

1.1.2

1.1.2-M1

1.1.2-RC1

1.1.2-RC2

1.1.2-RC3

1.1.2.5

1.1.3-M1

1.1.3-M2

1.1.4

1.1.4-M1

1.1.4-M2

1.1.4-M3

1.1.7

1.1.7.1

1.1.7.2

1.1.7.3

1.1.7.4

1.1.7.5

1.1.7.6

1.1.7.7

1.1.7.8

1.1.8

1.1.8.1

1.1.8.2

1.1.8.3

1.1.8.4

snappy-java-1.*

snappy-java-1.0.1-rc1

snappy-java-1.0.1-rc2

snappy-java-1.0.1-rc3

snappy-java-1.0.1-rc4

snappy-java-1.0.3

snappy-java-1.0.3-rc1

snappy-java-1.0.3-rc2

snappy-java-1.0.3-rc3

snappy-java-1.0.3-rc4

snappy-java-1.0.3.1

snappy-java-1.0.3.2

snappy-java-1.0.3.3

snappy-java-1.0.4

snappy-java-1.0.4.1

v1.*

v1.1.10.0

v1.1.10.1

v1.1.10.2

v1.1.10.3

v1.1.2-M1

v1.1.9.0

v1.1.9.1