Path to dependency file: /foxtrot-translator/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/xerial/snappy/snappy-java/1.0.4.1/snappy-java-1.0.4.1.jar,/home/wss-scanner/.m2/repository/org/xerial/snappy/snappy-java/1.0.4.1/snappy-java-1.0.4.1.jar,/home/wss-scanner/.m2/repository/org/xerial/snappy/snappy-java/1.0.4.1/snappy-java-1.0.4.1.jar,/home/wss-scanner/.m2/repository/org/xerial/snappy/snappy-java/1.0.4.1/snappy-java-1.0.4.1.jar
snappy-java is a Java port of the snappy, a fast C++ compresser/decompresser developed by Google. The SnappyInputStream was found to be vulnerable to Denial of Service (DoS) attacks when decompressing data with a too large chunk size. Due to missing upper bound check on chunk length, an unrecoverable fatal error can occur. All versions of snappy-java including the latest released version 1.1.10.3 are vulnerable to this issue. A fix has been introduced in commit `9f8c3cf74` which will be included in the 1.1.10.4 release. Users are advised to upgrade. Users unable to upgrade should only accept compressed data from trusted sources.
CVE-2023-43642 - High Severity Vulnerability
snappy-java: A fast compression/decompression library
Library home page: http://code.google.com/p/snappy-java/
Path to dependency file: /foxtrot-translator/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/xerial/snappy/snappy-java/1.0.4.1/snappy-java-1.0.4.1.jar,/home/wss-scanner/.m2/repository/org/xerial/snappy/snappy-java/1.0.4.1/snappy-java-1.0.4.1.jar,/home/wss-scanner/.m2/repository/org/xerial/snappy/snappy-java/1.0.4.1/snappy-java-1.0.4.1.jar,/home/wss-scanner/.m2/repository/org/xerial/snappy/snappy-java/1.0.4.1/snappy-java-1.0.4.1.jar
Dependency Hierarchy: - hbase-server-1.2.1.jar (Root Library) - hbase-common-1.2.1.jar - hadoop-common-2.5.1.jar - avro-1.7.4.jar - :x: **snappy-java-1.0.4.1.jar** (Vulnerable Library)
Found in HEAD commit: ffb8a6014463ce8aac1bf6e7dc9a23fc4a2a8adc
Found in base branch: master
snappy-java is a Java port of the snappy, a fast C++ compresser/decompresser developed by Google. The SnappyInputStream was found to be vulnerable to Denial of Service (DoS) attacks when decompressing data with a too large chunk size. Due to missing upper bound check on chunk length, an unrecoverable fatal error can occur. All versions of snappy-java including the latest released version 1.1.10.3 are vulnerable to this issue. A fix has been introduced in commit `9f8c3cf74` which will be included in the 1.1.10.4 release. Users are advised to upgrade. Users unable to upgrade should only accept compressed data from trusted sources.
Publish Date: 2023-09-25
URL: CVE-2023-43642
Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here.Type: Upgrade version
Origin: https://github.com/xerial/snappy-java/security/advisories/GHSA-55g7-9cwv-5qfv
Release Date: 2023-09-25
Fix Resolution (org.xerial.snappy:snappy-java): 1.1.10.4
Direct dependency fix Resolution (org.apache.hbase:hbase-server): 1.2.3
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.