Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS05cTVqLWptNTMtdjd2cs4AAulM
lz4-sys vulnerable to memory corruption via issue in liblz4
lz4-sys up to v1.9.3 bundles a version of liblz4 that is vulnerable to
CVE-2021-3520.
Attackers could craft a payload that triggers an integer overflow upon
decompression, causing an out-of-bounds write.
The flaw has been corrected in version v1.9.4 of liblz4, which is included
in lz4-sys 1.9.4.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS05cTVqLWptNTMtdjd2cs4AAulM
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: over 1 year ago
Updated: over 1 year ago
CVSS Score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-9q5j-jm53-v7vr
References:
- https://github.com/lz4/lz4/pull/972
- https://rustsec.org/advisories/RUSTSEC-2022-0051.html
- https://github.com/advisories/GHSA-9q5j-jm53-v7vr
Blast Radius: 33.1
Affected Packages
cargo:lz4-sys
Dependent packages: 17Dependent repositories: 2,386
Downloads: 12,953,344 total
Affected Version Ranges: < 1.9.4
Fixed in: 1.9.4
All affected versions: 1.0.1, 1.0.1, 1.7.5, 1.8.0, 1.8.2, 1.8.3, 1.9.2, 1.9.3
All unaffected versions: 1.9.4