{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-3635", "assignerOrgId": "48a46f29-ae42-4e1d-90dd-c1676c1e5e6d", "state": "PUBLISHED", "assignerShortName": "JFROG", "dateReserved": "2023-07-12T12:46:57.470Z", "datePublished": "2023-07-12T18:34:31.609Z", "dateUpdated": "2024-10-23T13:32:52.994Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://mvnrepository.com", "defaultStatus": "unaffected", "packageName": "com.squareup.okio:okio", "versions": [{"lessThan": "1.0.0", "status": "affected", "version": "0.5.0", "versionType": "maven"}, {"lessThan": "1.17.6", "status": "affected", "version": "1.0.0", "versionType": "maven"}, {"lessThan": "3.0.0", "status": "affected", "version": "2.0.0", "versionType": "maven"}, {"lessThan": "3.4.0", "status": "affected", "version": "3.0.0", "versionType": "maven"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>GzipSource does not handle an exception that might be raised when parsing a malformed gzip buffer. This may lead to denial of service of the Okio client when handling a crafted GZIP archive, by using the GzipSource class.</p>"}], "value": "GzipSource does not handle an exception that might be raised when parsing a malformed gzip buffer. This may lead to denial of service of the Okio client when handling a crafted GZIP archive, by using the GzipSource class.\n\n"}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-195", "description": "CWE-195: Signed to Unsigned Conversion Error", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "48a46f29-ae42-4e1d-90dd-c1676c1e5e6d", "shortName": "JFROG", "dateUpdated": "2023-10-03T21:09:06.443Z"}, "references": [{"url": "https://research.jfrog.com/vulnerabilities/okio-gzip-source-unhandled-exception-dos-xray-523195/"}, {"url": "https://github.com/square/okio/commit/81bce1a30af244550b0324597720e4799281da7b"}], "source": {"discovery": "EXTERNAL"}, "title": "Okio GzipSource unhandled exception Denial of Service", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T07:01:57.503Z"}, "title": "CVE Program Container", "references": [{"url": "https://research.jfrog.com/vulnerabilities/okio-gzip-source-unhandled-exception-dos-xray-523195/", "tags": ["x_transferred"]}, {"url": "https://github.com/square/okio/commit/81bce1a30af244550b0324597720e4799281da7b", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-10-22T17:26:23.899148Z", "id": "CVE-2023-3635", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-23T13:32:52.994Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://research.jfrog.com/vulnerabilities/okio-gzip-source-unhandled-exception-dos-xray-523195/", "tags": ["x_transferred"]}, {"url": "https://github.com/square/okio/commit/81bce1a30af244550b0324597720e4799281da7b", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T07:01:57.503Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-3635", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-10-22T17:26:23.899148Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-23T13:32:48.708Z"}}], "cna": {"title": "Okio GzipSource unhandled exception Denial of Service", "source": {"discovery": "EXTERNAL"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"versions": [{"status": "affected", "version": "0.5.0", "lessThan": "1.0.0", "versionType": "maven"}, {"status": "affected", "version": "1.0.0", "lessThan": "1.17.6", "versionType": "maven"}, {"status": "affected", "version": "2.0.0", "lessThan": "3.0.0", "versionType": "maven"}, {"status": "affected", "version": "3.0.0", "lessThan": "3.4.0", "versionType": "maven"}], "packageName": "com.squareup.okio:okio", "collectionURL": "https://mvnrepository.com", "defaultStatus": "unaffected"}], "references": [{"url": "https://research.jfrog.com/vulnerabilities/okio-gzip-source-unhandled-exception-dos-xray-523195/"}, {"url": "https://github.com/square/okio/commit/81bce1a30af244550b0324597720e4799281da7b"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "GzipSource does not handle an exception that might be raised when parsing a malformed gzip buffer. This may lead to denial of service of the Okio client when handling a crafted GZIP archive, by using the GzipSource class.\n\n", "supportingMedia": [{"type": "text/html", "value": "<p>GzipSource does not handle an exception that might be raised when parsing a malformed gzip buffer. This may lead to denial of service of the Okio client when handling a crafted GZIP archive, by using the GzipSource class.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-195", "description": "CWE-195: Signed to Unsigned Conversion Error"}]}], "providerMetadata": {"orgId": "48a46f29-ae42-4e1d-90dd-c1676c1e5e6d", "shortName": "JFROG", "dateUpdated": "2023-10-03T21:09:06.443Z"}}}, "cveMetadata": {"cveId": "CVE-2023-3635", "state": "PUBLISHED", "dateUpdated": "2024-10-23T13:32:52.994Z", "dateReserved": "2023-07-12T12:46:57.470Z", "assignerOrgId": "48a46f29-ae42-4e1d-90dd-c1676c1e5e6d", "datePublished": "2023-07-12T18:34:31.609Z", "assignerShortName": "JFROG"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:squareup:okio:*:*:*:*:*:*:*:*", "matchCriteriaId": "03403B65-FE42-46FB-B8DA-2AAFAD29C5F4", "versionEndExcluding": "1.17.6", "versionStartIncluding": "0.5.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:squareup:okio:*:*:*:*:*:*:*:*", "matchCriteriaId": "CC8A3FE6-BD81-4D3D-9568-E364F5D35668", "versionEndExcluding": "3.4.0", "versionStartIncluding": "2.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "GzipSource does not handle an exception that might be raised when parsing a malformed gzip buffer. This may lead to denial of service of the Okio client when handling a crafted GZIP archive, by using the GzipSource class.\n\n"}, {"lang": "es", "value": "GzipSource no maneja una excepci\u00f3n que podr\u00eda surgir al analizar un b\u00fafer gzip malformado. Esto puede conducir a la denegaci\u00f3n de servicio del cliente Okio cuando se maneja un archivo GZIP manipulado, mediante el uso de la clase \"GzipSource\"."}], "id": "CVE-2023-3635", "lastModified": "2023-10-25T15:17:42.170", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "reefs@jfrog.com", "type": "Secondary"}]}, "published": "2023-07-12T19:15:08.983", "references": [{"source": "reefs@jfrog.com", "tags": ["Patch"], "url": "https://github.com/square/okio/commit/81bce1a30af244550b0324597720e4799281da7b"}, {"source": "reefs@jfrog.com", "tags": ["Exploit", "Patch", "Third Party Advisory"], "url": "https://research.jfrog.com/vulnerabilities/okio-gzip-source-unhandled-exception-dos-xray-523195/"}], "sourceIdentifier": "reefs@jfrog.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-681"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-195"}], "source": "reefs@jfrog.com", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2023:5165", "cpe": "cpe:/a:redhat:amq_streams:2", "product_name": "Red Hat AMQ Streams 2.5.0", "release_date": "2023-09-14T00:00:00Z"}, {"advisory": "RHSA-2023:7247", "cpe": "cpe:/a:redhat:jboss_fuse:7", "package": "okio", "product_name": "Red Hat Fuse 7.12.1", "release_date": "2023-11-15T00:00:00Z"}, {"advisory": "RHSA-2024:3385", "cpe": "cpe:/a:redhat:jbosseapxp", "impact": "moderate", "package": "okio", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack", "release_date": "2024-05-28T00:00:00Z"}, {"advisory": "RHSA-2024:6667", "cpe": "cpe:/a:redhat:openshift_devspaces:3::el8", "package": "devspaces/code-rhel8:3.16-20", "product_name": "Red Hat OpenShift Dev Spaces 3 Containers", "release_date": "2024-09-12T00:00:00Z"}, {"advisory": "RHSA-2024:6667", "cpe": "cpe:/a:redhat:openshift_devspaces:3::el8", "package": "devspaces/configbump-rhel8:3.16-4", "product_name": "Red Hat OpenShift Dev Spaces 3 Containers", "release_date": "2024-09-12T00:00:00Z"}, {"advisory": "RHSA-2024:6667", "cpe": "cpe:/a:redhat:openshift_devspaces:3::el8", "package": "devspaces/dashboard-rhel8:3.16-27", "product_name": "Red Hat OpenShift Dev Spaces 3 Containers", "release_date": "2024-09-12T00:00:00Z"}, {"advisory": "RHSA-2024:6667", "cpe": "cpe:/a:redhat:openshift_devspaces:3::el8", "package": "devspaces/devfileregistry-rhel8:3.16-67", "product_name": "Red Hat OpenShift Dev Spaces 3 Containers", "release_date": "2024-09-12T00:00:00Z"}, {"advisory": "RHSA-2024:6667", "cpe": "cpe:/a:redhat:openshift_devspaces:3::el8", "package": "devspaces/devspaces-operator-bundle:3.16-70", "product_name": "Red Hat OpenShift Dev Spaces 3 Containers", "release_date": "2024-09-12T00:00:00Z"}, {"advisory": "RHSA-2024:6667", "cpe": "cpe:/a:redhat:openshift_devspaces:3::el8", "package": "devspaces/devspaces-rhel8-operator:3.16-11", "product_name": "Red Hat OpenShift Dev Spaces 3 Containers", "release_date": "2024-09-12T00:00:00Z"}, {"advisory": "RHSA-2024:6667", "cpe": "cpe:/a:redhat:openshift_devspaces:3::el8", "package": "devspaces/idea-rhel8:3.16-3", "product_name": "Red Hat OpenShift Dev Spaces 3 Containers", "release_date": "2024-09-12T00:00:00Z"}, {"advisory": "RHSA-2024:6667", "cpe": "cpe:/a:redhat:openshift_devspaces:3::el8", "package": "devspaces/imagepuller-rhel8:3.16-3", "product_name": "Red Hat OpenShift Dev Spaces 3 Containers", "release_date": "2024-09-12T00:00:00Z"}, {"advisory": "RHSA-2024:6667", "cpe": "cpe:/a:redhat:openshift_devspaces:3::el8", "package": "devspaces/machineexec-rhel8:3.16-6", "product_name": "Red Hat OpenShift Dev Spaces 3 Containers", "release_date": "2024-09-12T00:00:00Z"}, {"advisory": "RHSA-2024:6667", "cpe": "cpe:/a:redhat:openshift_devspaces:3::el8", "package": "devspaces/pluginregistry-rhel8:3.16-16", "product_name": "Red Hat OpenShift Dev Spaces 3 Containers", "release_date": "2024-09-12T00:00:00Z"}, {"advisory": "RHSA-2024:6667", "cpe": "cpe:/a:redhat:openshift_devspaces:3::el8", "package": "devspaces/server-rhel8:3.16-14", "product_name": "Red Hat OpenShift Dev Spaces 3 Containers", "release_date": "2024-09-12T00:00:00Z"}, {"advisory": "RHSA-2024:6667", "cpe": "cpe:/a:redhat:openshift_devspaces:3::el8", "package": "devspaces/traefik-rhel8:3.16-2", "product_name": "Red Hat OpenShift Dev Spaces 3 Containers", "release_date": "2024-09-12T00:00:00Z"}, {"advisory": "RHSA-2024:6667", "cpe": "cpe:/a:redhat:openshift_devspaces:3::el8", "package": "devspaces/udi-rhel8:3.16-6", "product_name": "Red Hat OpenShift Dev Spaces 3 Containers", "release_date": "2024-09-12T00:00:00Z"}, {"advisory": "RHSA-2024:1353", "cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7.13", "package": "okio", "product_name": "RHPAM 7.13.5 async", "release_date": "2024-03-18T00:00:00Z"}], "bugzilla": {"description": "okio: GzipSource class improper exception handling", "id": "2229295", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2229295"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-248", "details": ["GzipSource does not handle an exception that might be raised when parsing a malformed gzip buffer. This may lead to denial of service of the Okio client when handling a crafted GZIP archive, by using the GzipSource class.", "A flaw was found in SquareUp Okio. A class GzipSource does not handle an exception that might be raised when parsing a malformed gzip buffer. This issue may allow a malicious user to start processing a malformed file, which can result in a Denial of Service (DoS)."], "name": "CVE-2023-3635", "package_state": [{"cpe": "cpe:/a:redhat:cryostat:2", "fix_state": "Not affected", "package_name": "okio", "product_name": "Cryostat 2"}, {"cpe": "cpe:/a:redhat:service_registry:2", "fix_state": "Affected", "package_name": "okio", "product_name": "Red Hat build of Apicurio Registry"}, {"cpe": "cpe:/a:redhat:jboss_developer_studio:12.", "fix_state": "Out of support scope", "package_name": "okio", "product_name": "Red Hat CodeReady Studio 12"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:8", "fix_state": "Will not fix", "impact": "low", "package_name": "okio", "product_name": "Red Hat Data Grid 8"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_brms_platform:7", "fix_state": "Out of support scope", "package_name": "okio", "product_name": "Red Hat Decision Manager 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Not affected", "package_name": "okio", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jboss_fuse:6", "fix_state": "Out of support scope", "package_name": "okio", "product_name": "Red Hat JBoss Fuse 6"}, {"cpe": "cpe:/a:redhat:openshift_application_runtimes:1.0", "fix_state": "Affected", "package_name": "okio", "product_name": "Red Hat OpenShift Application Runtimes"}, {"cpe": "cpe:/a:redhat:openshift:3.11", "fix_state": "Out of support scope", "package_name": "openshift3/metrics-hawkular-metrics", "product_name": "Red Hat OpenShift Container Platform 3.11"}, {"cpe": "cpe:/a:redhat:openshift:3.11", "fix_state": "Out of support scope", "package_name": "openshift3/ose-logging-elasticsearch5", "product_name": "Red Hat OpenShift Container Platform 3.11"}, {"cpe": "cpe:/a:redhat:openshift:3.11", "fix_state": "Out of support scope", "package_name": "openshift3/ose-metrics-hawkular-metrics", "product_name": "Red Hat OpenShift Container Platform 3.11"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "hadoop-container", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-metering-hive", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-metering-presto", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:red_hat_single_sign_on:7", "fix_state": "Will not fix", "package_name": "okio", "product_name": "Red Hat Single Sign-On 7"}, {"cpe": "cpe:/a:redhat:openshift_application_runtimes:1.0", "fix_state": "Will not fix", "impact": "low", "package_name": "okio", "product_name": "Red Hat support for Spring Boot"}, {"cpe": "cpe:/a:redhat:amq_streams:1", "fix_state": "Affected", "package_name": "okio", "product_name": "streams for Apache Kafka"}], "public_date": "2023-07-12T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-3635\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-3635"], "statement": "Red Hat JBoss Enterprise Application Platform XP does contain Okio package but is not using GzipSource.java, which is the affected class.\nRed Hat support for Spring Boot is considered low impact as it's used by Dekorate during compilation process and not included in the resulting Jar.", "threat_severity": "Important", "upstream_fix": "okio 3.4.0, okio 3.5.0"}