GoogleOSV:GHSA-MQ29-J5XF-CJWRpyminizip affected by zlib's integer overflow/heap based buffer overflow vulnerability due to vulnerable dependency
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.7 High
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
46.8%
MiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product.
pyminizip uses version 1.2.11 of zlib’s code.
References
www.openwall.com/lists/oss-security/2023/10/20/9
www.openwall.com/lists/oss-security/2024/01/24/10
chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356
chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61
github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4
github.com/madler/zlib/commit/73331a6a0481067628f065ffe87bb1d8f787d10c
github.com/madler/zlib/pull/843
github.com/smihica/pyminizip
github.com/smihica/pyminizip/blob/master/zlib-1.2.11/contrib/minizip/zip.c
lists.debian.org/debian-lts-announce/2023/11/msg00026.html
nvd.nist.gov/vuln/detail/CVE-2023-45853
pypi.org/project/pyminizip/#history
security.gentoo.org/glsa/202401-18
security.netapp.com/advisory/ntap-20231130-0009
www.winimage.com/zLibDll/minizip.html
Related
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.7 High
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
46.8%