CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
AI Score
Confidence
High
EPSS
Percentile
9.0%
iq80 Snappy is a compression/decompression library. When uncompressing
certain data, Snappy tries to read outside the bounds of the given byte
arrays. Because Snappy uses the JDK class sun.misc.Unsafe
to speed up
memory access, no additional bounds checks are performed and this has
similar security consequences as out-of-bounds access in C or C++, namely
it can lead to non-deterministic behavior or crash the JVM. iq80 Snappy is
not actively maintained anymore. As quick fix users can upgrade to version
0.5.
Author | Note |
---|---|
mdeslaur | This CVE is for iq80 snappy, which is neither the snappy or the snappy-java package in Ubuntu. |