Closed mend-bolt-for-github[bot] closed 11 months ago
:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.
CVE-2023-34453 - High Severity Vulnerability
Vulnerable Library - snappy-java-1.1.8.4.jar
snappy-java: A fast compression/decompression library
Library home page: https://github.com/xerial/snappy-java
Path to dependency file: /services/cards-publication/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.xerial.snappy/snappy-java/1.1.8.4/66f0d56454509f6e36175f2331572e250e04a6cc/snappy-java-1.1.8.4.jar
Dependency Hierarchy: - spring-kafka-test-3.0.12.jar (Root Library) - kafka-clients-3.4.1.jar - :x: **snappy-java-1.1.8.4.jar** (Vulnerable Library)
Found in HEAD commit: 02e564fdff7e533435a5a00f051178a638cdb3d7
Found in base branch: develop
Vulnerability Details
snappy-java is a fast compressor/decompressor for Java. Due to unchecked multiplications, an integer overflow may occur in versions prior to 1.1.10.1, causing a fatal error. The function `shuffle(int[] input)` in the file `BitShuffle.java` receives an array of integers and applies a bit shuffle on it. It does so by multiplying the length by 4 and passing it to the natively compiled shuffle function. Since the length is not tested, the multiplication by four can cause an integer overflow and become a smaller value than the true size, or even zero or negative. In the case of a negative value, a `java.lang.NegativeArraySizeException` exception will raise, which can crash the program. In a case of a value that is zero or too small, the code that afterwards references the shuffled array will assume a bigger size of the array, which might cause exceptions such as `java.lang.ArrayIndexOutOfBoundsException`. The same issue exists also when using the `shuffle` functions that receive a double, float, long and short, each using a different multiplier that may cause the same issue. Version 1.1.10.1 contains a patch for this vulnerability.
Publish Date: 2023-06-15
URL: CVE-2023-34453
CVSS 3 Score Details (7.5)
Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://github.com/xerial/snappy-java/security/advisories/GHSA-pqr6-cmr2-h8hf
Release Date: 2023-06-15
Fix Resolution: org.xerial.snappy:snappy-java:1.1.10.1
Step up your Open Source Security Game with Mend here