{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-43642", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-09-20T15:35:38.146Z", "datePublished": "2023-09-25T19:03:49.145Z", "dateUpdated": "2024-09-24T15:26:53.851Z"}, "containers": {"cna": {"title": "Missing upper bound check on chunk length in snappy-java ", "problemTypes": [{"descriptions": [{"cweId": "CWE-770", "lang": "en", "description": "CWE-770: Allocation of Resources Without Limits or Throttling", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/xerial/snappy-java/security/advisories/GHSA-55g7-9cwv-5qfv", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/xerial/snappy-java/security/advisories/GHSA-55g7-9cwv-5qfv"}, {"name": "https://github.com/xerial/snappy-java/commit/9f8c3cf74223ed0a8a834134be9c917b9f10ceb5", "tags": ["x_refsource_MISC"], "url": "https://github.com/xerial/snappy-java/commit/9f8c3cf74223ed0a8a834134be9c917b9f10ceb5"}], "affected": [{"vendor": "xerial", "product": "snappy-java", "versions": [{"version": "< 1.1.10.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-09-25T19:03:49.145Z"}, "descriptions": [{"lang": "en", "value": "snappy-java is a Java port of the snappy, a fast C++ compresser/decompresser developed by Google. The SnappyInputStream was found to be vulnerable to Denial of Service (DoS) attacks when decompressing data with a too large chunk size. Due to missing upper bound check on chunk length, an unrecoverable fatal error can occur. All versions of snappy-java including the latest released version 1.1.10.3 are vulnerable to this issue. A fix has been introduced in commit `9f8c3cf74` which will be included in the 1.1.10.4 release. Users are advised to upgrade. Users unable to upgrade should only accept compressed data from trusted sources."}], "source": {"advisory": "GHSA-55g7-9cwv-5qfv", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T19:44:43.818Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/xerial/snappy-java/security/advisories/GHSA-55g7-9cwv-5qfv", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/xerial/snappy-java/security/advisories/GHSA-55g7-9cwv-5qfv"}, {"name": "https://github.com/xerial/snappy-java/commit/9f8c3cf74223ed0a8a834134be9c917b9f10ceb5", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/xerial/snappy-java/commit/9f8c3cf74223ed0a8a834134be9c917b9f10ceb5"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-24T15:26:43.352715Z", "id": "CVE-2023-43642", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-24T15:26:53.851Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-43642", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-09-20T15:35:38.146Z", "datePublished": "2023-09-25T19:03:49.145Z", "dateUpdated": "2024-09-24T15:26:53.851Z"}, "containers": {"cna": {"title": "Missing upper bound check on chunk length in snappy-java ", "problemTypes": [{"descriptions": [{"cweId": "CWE-770", "lang": "en", "description": "CWE-770: Allocation of Resources Without Limits or Throttling", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/xerial/snappy-java/security/advisories/GHSA-55g7-9cwv-5qfv", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/xerial/snappy-java/security/advisories/GHSA-55g7-9cwv-5qfv"}, {"name": "https://github.com/xerial/snappy-java/commit/9f8c3cf74223ed0a8a834134be9c917b9f10ceb5", "tags": ["x_refsource_MISC"], "url": "https://github.com/xerial/snappy-java/commit/9f8c3cf74223ed0a8a834134be9c917b9f10ceb5"}], "affected": [{"vendor": "xerial", "product": "snappy-java", "versions": [{"version": "< 1.1.10.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-09-25T19:03:49.145Z"}, "descriptions": [{"lang": "en", "value": "snappy-java is a Java port of the snappy, a fast C++ compresser/decompresser developed by Google. The SnappyInputStream was found to be vulnerable to Denial of Service (DoS) attacks when decompressing data with a too large chunk size. Due to missing upper bound check on chunk length, an unrecoverable fatal error can occur. All versions of snappy-java including the latest released version 1.1.10.3 are vulnerable to this issue. A fix has been introduced in commit `9f8c3cf74` which will be included in the 1.1.10.4 release. Users are advised to upgrade. Users unable to upgrade should only accept compressed data from trusted sources."}], "source": {"advisory": "GHSA-55g7-9cwv-5qfv", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T19:44:43.818Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/xerial/snappy-java/security/advisories/GHSA-55g7-9cwv-5qfv", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/xerial/snappy-java/security/advisories/GHSA-55g7-9cwv-5qfv"}, {"name": "https://github.com/xerial/snappy-java/commit/9f8c3cf74223ed0a8a834134be9c917b9f10ceb5", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/xerial/snappy-java/commit/9f8c3cf74223ed0a8a834134be9c917b9f10ceb5"}]}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-43642", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-24T15:26:43.352715Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-24T15:26:48.843Z"}}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:xerial:snappy-java:*:*:*:*:*:*:*:*", "matchCriteriaId": "A4D939A7-FF7A-4C6D-A2B5-D9D3C9D02023", "versionEndExcluding": "1.1.10.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "snappy-java is a Java port of the snappy, a fast C++ compresser/decompresser developed by Google. The SnappyInputStream was found to be vulnerable to Denial of Service (DoS) attacks when decompressing data with a too large chunk size. Due to missing upper bound check on chunk length, an unrecoverable fatal error can occur. All versions of snappy-java including the latest released version 1.1.10.3 are vulnerable to this issue. A fix has been introduced in commit `9f8c3cf74` which will be included in the 1.1.10.4 release. Users are advised to upgrade. Users unable to upgrade should only accept compressed data from trusted sources."}, {"lang": "es", "value": "snappy-java es una adaptaci\u00f3n Java de snappy, un r\u00e1pido compresor/descompresor de C++ desarrollado por Google. Se descubri\u00f3 que SnappyInputStream era vulnerable a ataques de denegaci\u00f3n de servicio (DoS) al descomprimir datos con un tama\u00f1o de fragmento demasiado grande. Debido a que falta la verificaci\u00f3n del l\u00edmite superior en la longitud del fragmento, puede ocurrir un error fatal irrecuperable. Todas las versiones de snappy-java, incluida la \u00faltima versi\u00f3n 1.1.10.3, son vulnerables a este problema.\nSe introdujo una soluci\u00f3n en el commit `9f8c3cf74` que se incluir\u00e1 en la versi\u00f3n 1.1.10.4.\nSe recomienda a los usuarios que actualicen. Los usuarios que no puedan actualizar solo deben aceptar datos comprimidos de fuentes confiables."}], "id": "CVE-2023-43642", "lastModified": "2024-11-21T08:24:31.663", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-09-25T20:15:11.723", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/xerial/snappy-java/commit/9f8c3cf74223ed0a8a834134be9c917b9f10ceb5"}, {"source": "security-advisories@github.com", "tags": ["Exploit"], "url": "https://github.com/xerial/snappy-java/security/advisories/GHSA-55g7-9cwv-5qfv"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/xerial/snappy-java/commit/9f8c3cf74223ed0a8a834134be9c917b9f10ceb5"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit"], "url": "https://github.com/xerial/snappy-java/security/advisories/GHSA-55g7-9cwv-5qfv"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-770"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2024:3527", "cpe": "cpe:/a:redhat:amq_streams:2", "product_name": "Red Hat AMQ Streams 2.7.0", "release_date": "2024-05-30T00:00:00Z"}, {"advisory": "RHSA-2023:7700", "cpe": "cpe:/a:redhat:quarkus:2.13::el8", "package": "org.xerial.snappy/snappy-java:1.1.10.5-redhat-00001", "product_name": "Red Hat build of Quarkus 2.13.9.Final", "release_date": "2023-12-07T00:00:00Z"}, {"advisory": "RHSA-2023:7612", "cpe": "cpe:/a:redhat:quarkus:3.2::el8", "package": "org.xerial.snappy/snappy-java:1.1.10.5-redhat-00001", "product_name": "Red Hat build of Quarkus 3.2.9.Final", "release_date": "2023-11-30T00:00:00Z"}], "bugzilla": {"description": "snappy-java: Missing upper bound check on chunk length in snappy-java can lead to Denial of Service (DoS) impact", "id": "2241722", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2241722"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-770", "details": ["snappy-java is a Java port of the snappy, a fast C++ compresser/decompresser developed by Google. The SnappyInputStream was found to be vulnerable to Denial of Service (DoS) attacks when decompressing data with a too large chunk size. Due to missing upper bound check on chunk length, an unrecoverable fatal error can occur. All versions of snappy-java including the latest released version 1.1.10.3 are vulnerable to this issue. A fix has been introduced in commit `9f8c3cf74` which will be included in the 1.1.10.4 release. Users are advised to upgrade. Users unable to upgrade should only accept compressed data from trusted sources.", "A flaw was found in SnappyInputStream in snappy-java, a data compression library in Java. This issue occurs when decompressing data with a too-large chunk size due to a missing upper bound check on chunk length. An unrecoverable fatal error can occur, resulting in a Denial of Service (DoS)."], "name": "CVE-2023-43642", "package_state": [{"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Not affected", "package_name": "openshift-logging/elasticsearch6-rhel8", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:serverless:1", "fix_state": "Affected", "package_name": "snappy-java", "product_name": "OpenShift Serverless"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Will not fix", "package_name": "log4j:2/log4j", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Will not fix", "package_name": "log4j", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:jboss_fuse:6", "fix_state": "Out of support scope", "package_name": "snappy-java-all", "product_name": "Red Hat JBoss Fuse 6"}, {"cpe": "cpe:/a:redhat:jboss_fuse:6", "fix_state": "Out of support scope", "package_name": "snappy-java-all-repolib", "product_name": "Red Hat JBoss Fuse 6"}, {"cpe": "cpe:/a:redhat:jboss_fuse_service_works:6", "fix_state": "Out of support scope", "package_name": "snappy-java-all", "product_name": "Red Hat JBoss Fuse Service Works 6"}, {"cpe": "cpe:/a:redhat:jboss_fuse_service_works:6", "fix_state": "Out of support scope", "package_name": "snappy-java-all-repolib", "product_name": "Red Hat JBoss Fuse Service Works 6"}, {"cpe": "cpe:/a:redhat:openshift:3.11", "fix_state": "Out of support scope", "package_name": "openshift3/metrics-cassandra", "product_name": "Red Hat OpenShift Container Platform 3.11"}, {"cpe": "cpe:/a:redhat:openshift:3.11", "fix_state": "Out of support scope", "package_name": "openshift3/ose-metrics-cassandra", "product_name": "Red Hat OpenShift Container Platform 3.11"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Out of support scope", "package_name": "snappy-java", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Out of support scope", "package_name": "snappy-java-debuginfo", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:3", "fix_state": "Will not fix", "package_name": "snappy-java", "product_name": "Red Hat Software Collections"}], "public_date": "2023-09-26T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-43642\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-43642\nhttps://github.com/xerial/snappy-java/security/advisories/GHSA-55g7-9cwv-5qfv"], "threat_severity": "Moderate", "upstream_fix": "snappy-java 1.1.10.4"}