snappy-java is a Java port of the snappy, a fast C++ compresser/decompresser developed by Google. The SnappyInputStream was found to be vulnerable to Denial of Service (DoS) attacks when decompressing data with a too large chunk size. Due to missing upper bound check on chunk length, an unrecoverable fatal error can occur. All versions of snappy-java including the latest released version 1.1.10.3 are vulnerable to this issue. A fix has been introduced in commit `9f8c3cf74` which will be included in the 1.1.10.4 release. Users are advised to upgrade. Users unable to upgrade should only accept compressed data from trusted sources.
CVE-2023-43642 - High Severity Vulnerability
snappy-java-1.0.4.1.jar
snappy-java: A fast compression/decompression library
Library home page: http://www.xerial.org/
Path to dependency file: /tensorflow/java/maven/tensorflow-hadoop/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/xerial/snappy/snappy-java/1.0.4.1/snappy-java-1.0.4.1.jar
Dependency Hierarchy: - hadoop-common-2.6.0.jar (Root Library) - avro-1.7.4.jar - :x: **snappy-java-1.0.4.1.jar** (Vulnerable Library)
snappy-java-1.1.2.6.jar
snappy-java: A fast compression/decompression library
Library home page: https://github.com/xerial/snappy-java
Path to dependency file: /tensorflow/java/maven/spark-tensorflow-connector/pom.xml
Path to vulnerable library: /tmp/ws-ua_20211122053754_TJIUSD/downloadResource_VHVETE/20211122053839/snappy-java-1.1.2.6.jar
Dependency Hierarchy: - tensorflow-hadoop-1.15.0.jar (Root Library) - hadoop-common-2.6.0.jar - avro-1.8.2.jar - :x: **snappy-java-1.1.2.6.jar** (Vulnerable Library)
Found in base branch: master
snappy-java is a Java port of the snappy, a fast C++ compresser/decompresser developed by Google. The SnappyInputStream was found to be vulnerable to Denial of Service (DoS) attacks when decompressing data with a too large chunk size. Due to missing upper bound check on chunk length, an unrecoverable fatal error can occur. All versions of snappy-java including the latest released version 1.1.10.3 are vulnerable to this issue. A fix has been introduced in commit `9f8c3cf74` which will be included in the 1.1.10.4 release. Users are advised to upgrade. Users unable to upgrade should only accept compressed data from trusted sources.
Publish Date: 2023-09-25
URL: CVE-2023-43642
Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here.Type: Upgrade version
Origin: https://github.com/xerial/snappy-java/security/advisories/GHSA-55g7-9cwv-5qfv
Release Date: 2023-09-25
Fix Resolution (org.xerial.snappy:snappy-java): 1.1.10.4
Direct dependency fix Resolution (org.apache.hadoop:hadoop-common): 2.6.1
Step up your Open Source Security Game with Mend here