7.5 - CVE-2023-43642

Executive Summary

Informations
Name	CVE-2023-43642	First vendor Publication	2023-09-25
Vendor	Cve	Last vendor Modification	2023-09-26

Security-Database Scoring CVSS v3

Cvss vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Overall CVSS Score	7.5
Base Score	7.5	Environmental Score	7.5
impact SubScore	3.6	Temporal Score	7.5
Exploitabality Sub Score	3.9

Attack Vector	Network	Attack Complexity	Low
Privileges Required	None	User Interaction	None
Scope	Unchanged	Confidentiality Impact	None
Integrity Impact	None	Availability Impact	High
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector :
Cvss Base Score	N/A	Attack Range	N/A
Cvss Impact Score	N/A	Attack Complexity	N/A
Cvss Expoit Score	N/A	Authentication	N/A
Calculate full CVSS 2.0 Vectors scores

Detail

snappy-java is a Java port of the snappy, a fast C++ compresser/decompresser developed by Google. The SnappyInputStream was found to be vulnerable to Denial of Service (DoS) attacks when decompressing data with a too large chunk size. Due to missing upper bound check on chunk length, an unrecoverable fatal error can occur. All versions of snappy-java including the latest released version 1.1.10.3 are vulnerable to this issue. A fix has been introduced in commit `9f8c3cf74` which will be included in the 1.1.10.4 release. Users are advised to upgrade. Users unable to upgrade should only accept compressed data from trusted sources.

Original Source

Url : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-43642

CWE : Common Weakness Enumeration

%	Id	Name
100 %	CWE-770	Allocation of Resources Without Limits or Throttling

CPE : Common Platform Enumeration

Type	Description	Count
Application	Xerial Snappy-Java cpe:2.3:a:xerial:snappy-java::::::::	1

Sources (Detail)

Source	Url
MISC	https://github.com/xerial/snappy-java/commit/9f8c3cf74223ed0a8a834134be9c917b... https://github.com/xerial/snappy-java/security/advisories/GHSA-55g7-9cwv-5qfv