Modified

This vulnerability has been modified since it was last analyzed by the NVD. It is awaiting reanalysis which may result in further changes to the information provided.

Description

The Snappy frame decoder function does not restrict the chunk length, which may lead to excessive memory usage. In addition, it may buffer reserved skippable chunks until the whole chunk has been received, which may also lead to excessive memory usage. The vulnerability can be triggered by supplying malicious input that decompresses to a very large size (via a network stream or a file) or by sending a huge skippable chunk.
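
The two limits the description refers to, as an added example in Python (not Netty's code and not its patch): an incremental scanner for the Snappy framing format that rejects an over-long chunk from its 4-byte header and discards skippable chunks as they arrive instead of buffering them. `BoundedFrameScanner`, `FrameError`, `declared_size` and the compressed-chunk cap are assumptions of this example; it checks sizes only and does not decompress data or verify CRCs.

```python
# Added example (not Netty code): bounded, incremental scan of a Snappy framed stream.
MAX_BLOCK = 65536                      # framing format: at most 64 KiB of data per chunk
LIMITS = {
    0xFF: 6,                           # stream identifier, payload b"sNaPpY"
    0x01: 4 + MAX_BLOCK,               # uncompressed data: masked CRC-32C + data
    0x00: 4 + 32 + MAX_BLOCK + MAX_BLOCK // 6,  # compressed: CRC + Snappy worst case (assumed cap)
}

class FrameError(ValueError):
    """The stream violates a size limit or uses an unknown mandatory chunk type."""
def declared_size(block):
    """Decode the varint at the start of a raw Snappy block (its uncompressed length)."""
    size = 0
    for shift, byte in zip(range(0, 35, 7), block):
        size |= (byte & 0x7F) << shift
        if byte < 0x80:
            return size
    raise FrameError("truncated or oversized length preamble")

class BoundedFrameScanner:
    def __init__(self):
        self.buf = bytearray()         # after feed() returns: less than one size-checked chunk
        self.to_skip = 0               # bytes of a skippable chunk still to discard
    def feed(self, data):
        """Consume bytes as they arrive; return (chunk_type, length) per completed chunk."""
        self.buf += data
        done = []
        while True:
            if self.to_skip:           # discard skippable payload instead of buffering it
                n = min(self.to_skip, len(self.buf))
                del self.buf[:n]
                self.to_skip -= n
            if self.to_skip or len(self.buf) < 4:
                return done
            ctype, length = self.buf[0], int.from_bytes(self.buf[1:4], "little")
            if ctype >= 0x80 and ctype != 0xFF:   # reserved skippable (0x80-0xFD), padding (0xFE)
                del self.buf[:4]
                self.to_skip = length
                continue
            if ctype not in LIMITS:
                raise FrameError(f"reserved unskippable chunk type {ctype:#04x}")
            if length > LIMITS[ctype]:            # reject from the header, before buffering
                raise FrameError(f"chunk type {ctype:#04x} declares {length} bytes")
            if len(self.buf) < 4 + length:
                return done            # wait for the rest; the amount held is bounded by LIMITS
            body, self.buf = bytes(self.buf[4:4 + length]), self.buf[4 + length:]
            if ctype == 0x00 and declared_size(body[4:]) > MAX_BLOCK:
                raise FrameError("compressed chunk declares more than 64 KiB of output")
            done.append((ctype, length))
```
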


Metrics

NVD enrichment efforts reference publicly available information to associate vector strings. CVSS information contributed by other sources is also displayed.
CVSS 4.0 Severity and Vector Strings:

NIST: NVD
NVD assessment not yet provided.

CVSS 3.x Severity and Vector Strings:

NIST: NVD
Base Score: 
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS 2.0 Severity and Vector Strings:

NIST: NVD
Base Score: 
Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

https://github.com/netty/netty/security/advisories/GHSA-9vjp-v76f-g363
https://lists.apache.org/thread.html/r06a145c9bd41a7344da242cef07977b24abe3349161ede948e30913d%40%3Ccommits.druid.apache.org%3E
https://lists.apache.org/thread.html/r5406eaf3b07577d233b9f07cfc8f26e28369e6bab5edfcab41f28abb%40%3Ccommits.druid.apache.org%3E
https://lists.apache.org/thread.html/r5e05eba32476c580412f9fbdfc9b8782d5b40558018ac4ac07192a04%40%3Ccommits.druid.apache.org%3E
https://lists.apache.org/thread.html/r75490c61c2cb7b6ae2c81238fd52ae13636c60435abcd732d41531a0%40%3Ccommits.druid.apache.org%3E
https://lists.apache.org/thread.html/rd262f59b1586a108e320e5c966feeafbb1b8cdc96965debc7cc10b16%40%3Ccommits.druid.apache.org%3E
https://lists.apache.org/thread.html/rfb2bf8597e53364ccab212fbcbb2a4e9f0a9e1429b1dc08023c6868e%40%3Cdev.tinkerpop.apache.org%3E
https://lists.debian.org/debian-lts-announce/2023/01/msg00008.html
https://security.netapp.com/advisory/ntap-20220210-0012/
https://www.debian.org/security/2023/dsa-5316
https://www.oracle.com/security-alerts/cpuapr2022.html
https://www.oracle.com/security-alerts/cpujan2022.html
https://www.oracle.com/security-alerts/cpujul2022.html
OR
     *cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
     *cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
OR
     *cpe:2.3:a:oracle:banking_apis:*:*:*:*:*:*:*:* versions from (including) 18.1 up to (including) 18.3
     *cpe:2.3:a:oracle:banking_apis:19.1:*:*:*:*:*:*:*
     *cpe:2.3:a:oracle:banking_apis:19.2:*:*:*:*:*:*:*
     *cpe:2.3:a:oracle:banking_apis:20.1:*:*:*:*:*:*:*
     *cpe:2.3:a:oracle:banking_apis:21.1:*:*:*:*:*:*:*
     *cpe:2.3:a:oracle:banking_digital_experience:18.1:*:*:*:*:*:*:*
     *cpe:2.3:a:oracle:banking_digital_experience:18.2:*:*:*:*:*:*:*
     *cpe:2.3:a:oracle:banking_di
OR
     *cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*
OR
     *cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:* versions up to (excluding) 2.2.4
OR
     *cpe:2.3:a:apache:tinkerpop:3.5.0:*:*:*:*:*:*:*
     *cpe:2.3:a:apache:tinkerpop:3.5.1:*:*:*:*:*:*:*
NIST CWE-400
OR
     *cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:* versions up to (excluding) 4.1.68