Chiencc / asuswrt-gt-ac5300


lz4v1.8.3: 2 vulnerabilities (highest severity is: 9.8) - autoclosed #84

Closed (mend-for-github-com[bot] closed this issue 1 year ago)

mend-for-github-com[bot] commented 1 year ago
Vulnerable Library - lz4v1.8.3

Extremely Fast Compression algorithm

Library home page: https://github.com/lz4/lz4.git

Found in HEAD commit: 0c45ce909374d16605095db4fce9a89b9b6bafd5

Vulnerable Source Files (2)

- /release/src/router/lz4/lib/lz4.c
- /release/src/router/lz4/lib/lz4.c

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (lz4v1.8.3 version) | Remediation Available |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2021-3520 | Critical | 9.8 | lz4v1.8.3 | Direct | lz4-sys 1.9.4 | |
| CVE-2019-17543 | High | 8.1 | lz4v1.8.3 | Direct | 1.9.2 | |

Details

**CVE-2021-3520**

### Vulnerable Library - lz4v1.8.3

Extremely Fast Compression algorithm

Library home page: https://github.com/lz4/lz4.git

Found in HEAD commit: 0c45ce909374d16605095db4fce9a89b9b6bafd5

Found in base branch: master

### Vulnerable Source Files (2)

- /release/src/router/lz4/lib/lz4.c
- /release/src/router/lz4/lib/lz4.c

### Vulnerability Details

There's a flaw in lz4. An attacker who submits a crafted file to an application linked with lz4 may be able to trigger an integer overflow, leading to calling of memmove() on a negative size argument, causing an out-of-bounds write and/or a crash. The greatest impact of this flaw is to availability, with some potential impact to confidentiality and integrity as well.

Publish Date: 2021-06-02

URL: CVE-2021-3520

### CVSS 3 Score Details (9.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High


### Suggested Fix

Type: Upgrade version

Origin: https://rustsec.org/advisories/RUSTSEC-2022-0051.html

Release Date: 2021-06-02

Fix Resolution: lz4-sys 1.9.4

**CVE-2019-17543**

### Vulnerable Library - lz4v1.8.3

Extremely Fast Compression algorithm

Library home page: https://github.com/lz4/lz4.git

Found in HEAD commit: 0c45ce909374d16605095db4fce9a89b9b6bafd5

Found in base branch: master

### Vulnerable Source Files (2)

- /release/src/router/lz4/lib/lz4.c
- /release/src/router/lz4/lib/lz4.c

### Vulnerability Details

LZ4 before 1.9.2 has a heap-based buffer overflow in LZ4_write32 (related to LZ4_compress_destSize), affecting applications that call LZ4_compress_fast with a large input. (This issue can also lead to data corruption.) NOTE: the vendor states "only a few specific / uncommon usages of the API are at risk."

Publish Date: 2019-10-14

URL: CVE-2019-17543

### CVSS 3 Score Details (8.1)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High


### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17543

Release Date: 2019-10-14

Fix Resolution: 1.9.2
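
Both findings above are decided by the version of the lz4 copy vendored under `release/src/router/lz4`, so the practical check is to read the version macros that upstream lz4 defines in `lib/lz4.h` and compare them with the two "Fix Resolution" values. The script below is an added example, not code from the asuswrt-gt-ac5300 repository or from Mend's scanner. It assumes the vendored header keeps upstream's `LZ4_VERSION_MAJOR` / `LZ4_VERSION_MINOR` / `LZ4_VERSION_RELEASE` macros, and it treats the `lz4-sys 1.9.4` fix (the Rust crate that wraps upstream lz4) as upstream lz4 1.9.4, which is an assumption. The header excerpt embedded in it is constructed to mirror a 1.8.3 copy, so the example runs offline; `scan_tree` walks a real checkout.

```python
"""Report which of the two lz4 advisories in this issue still apply to a vendored copy.

Added example (not from the repository or from Mend). Reads LZ4_VERSION_* from
lib/lz4.h and compares against the fixed versions listed in the issue.
"""
import re
from pathlib import Path

# Minimum fixed versions, taken from the "Fix Resolution" fields of the issue.
# The CVE-2021-3520 entry names the Rust lz4-sys crate; mapping it to upstream
# lz4 1.9.4 is an assumption of this example.
ADVISORIES = {
    "CVE-2019-17543": (1, 9, 2),
    "CVE-2021-3520": (1, 9, 4),
}

# Matches the three version macros upstream lz4 defines near the top of lz4.h.
_MACRO = re.compile(
    r"^\s*#\s*define\s+LZ4_VERSION_(MAJOR|MINOR|RELEASE)\s+(\d+)", re.M
)


def parse_lz4_version(header_text):
    """Return (major, minor, release) from the LZ4_VERSION_* macros in lz4.h.

    Raises ValueError if any macro is missing, so a header from an unexpected
    fork is reported rather than silently treated as patched.
    """
    found = {name: int(num) for name, num in _MACRO.findall(header_text)}
    missing = [k for k in ("MAJOR", "MINOR", "RELEASE") if k not in found]
    if missing:
        raise ValueError("lz4.h lacks LZ4_VERSION_%s" % "/".join(missing))
    return (found["MAJOR"], found["MINOR"], found["RELEASE"])


def applicable_advisories(version):
    """List the CVE ids whose fixed version is newer than `version` (sorted)."""
    return sorted(cve for cve, fixed in ADVISORIES.items() if version < fixed)


def scan_tree(root):
    """Walk `root` for vendored lz4.h files; map each path to its open advisories."""
    results = {}
    for path in Path(root).rglob("lz4.h"):
        try:
            version = parse_lz4_version(path.read_text(errors="replace"))
        except ValueError as exc:
            results[str(path)] = ["UNKNOWN: %s" % exc]
            continue
        results[str(path)] = applicable_advisories(version)
    return results


# Constructed excerpt in the shape of upstream lib/lz4.h at 1.8.3 (not copied
# from the repository); only the version macros matter to the check.
SAMPLE_LZ4_H_1_8_3 = """\
#ifndef LZ4_H_2983827168210
#define LZ4_H_2983827168210
#define LZ4_VERSION_MAJOR    1    /* for breaking interface changes  */
#define LZ4_VERSION_MINOR    8    /* for new (non-breaking) interface capabilities */
#define LZ4_VERSION_RELEASE  3    /* for tweaks, bug-fixes, or development */
#endif
"""

if __name__ == "__main__":
    v = parse_lz4_version(SAMPLE_LZ4_H_1_8_3)
    print("vendored lz4 %d.%d.%d" % v, "->",
          applicable_advisories(v) or "no open advisories")
```

Run it with `python3 check_lz4.py` for the embedded sample, or call `scan_tree("release/src/router")` against a checkout; a tree whose header lacks the macros is flagged as `UNKNOWN` rather than passed, which is the conservative choice when a vendored copy has been edited.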

mend-for-github-com[bot] commented 1 year ago

:information_source: This issue was automatically closed by Mend because it is a duplicate of an existing issue: #85