CVSS3: 9.8 High
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS2: 7.5 High
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

EPSS: 0.001 Low
Percentile: 50.2%
Severity: Low
Date : 2021-05-25
CVE-ID : CVE-2021-3520
Package : lz4
Type : denial of service
Remote : Yes
Link : https://security.archlinux.org/AVG-1889
Summary
=======

The package lz4 before version 1:1.9.3-2 is vulnerable to denial of
service.

Resolution
==========

Upgrade to 1:1.9.3-2.

The problem has been fixed upstream but no release is available yet.

Workaround
==========

None.
Description
===========

A vulnerability was found in lz4, where a potential memory corruption
due to an integer overflow bug caused one of the memmove arguments to
become negative. Depending on how the library was compiled, this will
either hit an assert() inside the library and dump core, leaving a 4GB
core file, or go into libc and crash inside the memmove() function.

Impact
======

A crafted lz4 file can lead to an application crash, potentially
creating a large core dump file.
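As an added illustration of the defect class the description names (this is not lz4's own code and not the upstream fix): a literal-length decoder for the LZ4 block format beside two bounds checks, one written as pointer-plus-length, which can wrap and let an oversized length through, and one written against the remaining byte count, which cannot. All names, the sample bytes and the wrapping length are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* LZ4 block format: the token's high nibble is the literal length; 15 means
 * extra length bytes follow, each adding 0..255, until a byte below 255. */
static bool lz4_read_literal_length(const uint8_t **ip, const uint8_t *iend, size_t *len)
{
    if (*ip >= iend) return false;
    size_t n = (size_t)(*(*ip)++ >> 4);
    if (n == 15) {
        uint8_t s;
        do {
            if (*ip >= iend) return false;        /* input ends mid-length */
            s = *(*ip)++;
            if (n > SIZE_MAX - s) return false;   /* reject arithmetic overflow */
            n += s;
        } while (s == 255);
    }
    *len = n;
    return true;
}
/* Fragile bounds check: pointer plus length compared with the end pointer,
 * computed in uintptr_t so the wrap is well-defined and visible; a length
 * that wraps ip + len below ip slips through. */
static bool literal_fits_unsafe(const uint8_t *ip, size_t len, const uint8_t *iend)
{ return (uintptr_t)ip + len <= (uintptr_t)iend; }
/* Hardened check: compare the length with the bytes remaining, a difference
 * that cannot wrap. */
static bool literal_fits_safe(const uint8_t *ip, size_t len, const uint8_t *iend)
{ return len <= (size_t)(iend - ip); }

/* Constructed fragment: token 0xF0, extension bytes 255, 255, 10 give literal
 * length 15 + 255 + 255 + 10 = 535, followed by four bytes of literal data. */
static const uint8_t sample_block[] = {0xF0, 0xFF, 0xFF, 0x0A, 'l', 'z', '4', '!'};

size_t demo_decode_length(void)
{
    const uint8_t *ip = sample_block, *iend = sample_block + sizeof sample_block;
    size_t len = 0;
    return lz4_read_literal_length(&ip, iend, &len) ? len : 0;
}
/* A wrapping length passes the fragile check and fails the hardened one.
 * Assumes size_t and uintptr_t have the same width (true on mainstream ABIs). */
bool wrapped_length_slips_past_unsafe_check(void)
{
    const uint8_t *ip = sample_block + 4, *iend = sample_block + sizeof sample_block;
    size_t huge = SIZE_MAX - 3;   /* (uintptr_t)ip + huge == (uintptr_t)sample_block */
    return literal_fits_unsafe(ip, huge, iend) && !literal_fits_safe(ip, huge, iend);
}
```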
References
==========

https://bugs.archlinux.org/task/70970
https://bugzilla.redhat.com/show_bug.cgi?id=1954559
https://github.com/lz4/lz4/pull/972
https://github.com/lz4/lz4/commit/8301a21773ef61656225e264f4f06ae14462bca7
https://security.archlinux.org/CVE-2021-3520