UBUNTU-CVE-2023-43642

See a problem?
Please try reporting it to the source first.
Source
https://ubuntu.com/security/CVE-2023-43642
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2023/UBUNTU-CVE-2023-43642.json
JSON Data
https://api.osv.dev/v1/vulns/UBUNTU-CVE-2023-43642
Related
Published
2023-09-25T20:15:00Z
Modified
2025-01-13T10:24:24Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
[none]
Details

snappy-java is a Java port of the snappy, a fast C++ compresser/decompresser developed by Google. The SnappyInputStream was found to be vulnerable to Denial of Service (DoS) attacks when decompressing data with a too large chunk size. Due to missing upper bound check on chunk length, an unrecoverable fatal error can occur. All versions of snappy-java including the latest released version 1.1.10.3 are vulnerable to this issue. A fix has been introduced in commit 9f8c3cf74 which will be included in the 1.1.10.4 release. Users are advised to upgrade. Users unable to upgrade should only accept compressed data from trusted sources.

References

Affected packages

Ubuntu:Pro:14.04:LTS / snappy-java

Package

Name
snappy-java
Purl
pkg:deb/ubuntu/snappy-java@1.0.4.1~dfsg-1?arch=source&distro=esm-infra-legacy/trusty

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.0.4.1~dfsg-1

Ecosystem specific 

{
    "ubuntu_priority": "medium"
}

Ubuntu:Pro:16.04:LTS / snappy-java

Package

Name
snappy-java
Purl
pkg:deb/ubuntu/snappy-java@1.1.2.1-2?arch=source&distro=esm-apps/xenial

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.1.1.7-2
1.1.2-1
1.1.2.1-2

Ecosystem specific 

{
    "ubuntu_priority": "medium"
}

Ubuntu:Pro:18.04:LTS / snappy-java

Package

Name
snappy-java
Purl
pkg:deb/ubuntu/snappy-java@1.1.4-1?arch=source&distro=esm-apps/bionic

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.1.4-1

Ecosystem specific 

{
    "ubuntu_priority": "medium"
}

Ubuntu:20.04:LTS / snappy-java

Package

Name
snappy-java
Purl
pkg:deb/ubuntu/snappy-java@1.1.7.3-1build1?arch=source&distro=focal

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.1.7.2-1
1.1.7.3-1
1.1.7.3-1build1

Ecosystem specific 

{
    "ubuntu_priority": "medium"
}

Ubuntu:22.04:LTS / snappy-java

Package

Name
snappy-java
Purl
pkg:deb/ubuntu/snappy-java@1.1.8.3-1?arch=source&distro=jammy

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.1.8.3-1

Ecosystem specific 

{
    "ubuntu_priority": "medium"
}

Ubuntu:24.10 / snappy-java

Package

Name
snappy-java
Purl
pkg:deb/ubuntu/snappy-java@1.1.10.5-2?arch=source&distro=oracular

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.1.10.5-1build1
1.1.10.5-2

Ecosystem specific 

{
    "ubuntu_priority": "medium"
}

Ubuntu:24.04:LTS / snappy-java

Package

Name
snappy-java
Purl
pkg:deb/ubuntu/snappy-java@1.1.10.5-1build1?arch=source&distro=noble

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.1.8.3-1
1.1.10.5-1
1.1.10.5-1build1

Ecosystem specific 

{
    "ubuntu_priority": "medium"
}