CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS percentile: 21.7%
snappy-java is a Java port of snappy, a fast C++ compressor/decompressor
developed by Google. SnappyInputStream was found to be vulnerable to Denial
of Service (DoS) attacks when decompressing data with an excessively large
chunk size. Because there is no upper-bound check on the chunk length, an
unrecoverable fatal error can occur. All versions of snappy-java up to and
including the latest released version 1.1.10.3 are vulnerable to this issue.
A fix has been introduced in commit 9f8c3cf74, which will be included in the
1.1.10.4 release. Users are advised to upgrade. Users unable to upgrade
should only accept compressed data from trusted sources.
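The missing bound described above, as an added illustration that is not snappy-java's own code: a reader for [4-byte length][payload] chunks in the vulnerable shape beside the hardened shape. The 512 MiB ceiling, the class and method names, and the constructed input are assumptions for the example.

```java
import java.io.*;

/** Added example, not snappy-java's code: reads [4-byte big-endian length][payload]
 *  chunks, the header shape SnappyInputStream parses; only the bound check matters. */
public final class BoundedChunkReader {
    /** Assumed ceiling: the largest chunk a legitimate producer can emit. */
    static final int MAX_CHUNK_SIZE = 512 * 1024 * 1024; // 512 MiB

    /** Vulnerable shape: the length drives the allocation with no upper bound. A
     *  hostile header of 0x7FFFFFFF requests ~2 GiB before a single payload byte is
     *  read, and the JVM throws OutOfMemoryError, an Error callers cannot recover from. */
    static byte[] readChunkUnchecked(DataInputStream in) throws IOException {
        int len = in.readInt();
        byte[] payload = new byte[len];
        in.readFully(payload);
        return payload;
    }

    /** Hardened shape: reject implausible lengths before allocating, so bad input
     *  surfaces as an ordinary, catchable IOException. */
    static byte[] readChunkBounded(DataInputStream in) throws IOException {
        int len = in.readInt();
        if (len < 0 || len > MAX_CHUNK_SIZE) {
            throw new IOException("chunk length out of range: " + len);
        }
        byte[] payload = new byte[len];
        in.readFully(payload); // truncated payload now fails as EOFException, not OOM
        return payload;
    }

    /** Constructed input: one 5-byte chunk followed by a hostile header with no body. */
    static byte[] sampleStream() throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        DataOutputStream out = new DataOutputStream(bos);
        out.writeInt(5);
        out.write("hello".getBytes("US-ASCII"));
        out.writeInt(0x7FFFFFFF);
        return bos.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        DataInputStream in = new DataInputStream(new ByteArrayInputStream(sampleStream()));
        System.out.println("first chunk: " + new String(readChunkBounded(in), "US-ASCII"));
        try {
            readChunkBounded(in); // the hostile header is rejected without allocating
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The check must precede `new byte[len]`: `readFully` alone only catches truncation after the oversized buffer has already been requested.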
OS | OS Version | Architecture | Package | Package Version | Filename |
---|---|---|---|---|---|
ubuntu | 18.04 | noarch | snappy-java | < any | UNKNOWN |
ubuntu | 20.04 | noarch | snappy-java | < any | UNKNOWN |
ubuntu | 22.04 | noarch | snappy-java | < any | UNKNOWN |
ubuntu | 24.04 | noarch | snappy-java | < any | UNKNOWN |
ubuntu | 14.04 | noarch | snappy-java | < any | UNKNOWN |
ubuntu | 16.04 | noarch | snappy-java | < any | UNKNOWN |
github.com/xerial/snappy-java/commit/9f8c3cf74223ed0a8a834134be9c917b9f10ceb5
github.com/xerial/snappy-java/security/advisories/GHSA-55g7-9cwv-5qfv
launchpad.net/bugs/cve/CVE-2023-43642
nvd.nist.gov/vuln/detail/CVE-2023-43642
security-tracker.debian.org/tracker/CVE-2023-43642
www.cve.org/CVERecord?id=CVE-2023-43642