CVE-2023-3635 - OpenCVE

GzipSource does not handle an exception that might be raised when parsing a malformed gzip buffer. This may lead to denial of service of the Okio client when handling a crafted GZIP archive, by using the GzipSource class.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Squareup	Okio

Configuration 1 [-]

OR	cpe:2.3:a:squareup:okio::::::::
	cpe:2.3:a:squareup:okio::::::::

References

Link	Resource
https://github.com/square/okio/commit/81bce1a30af244550b0324597720e4799281da7b	Patch
https://research.jfrog.com/vulnerabilities/okio-gzip-source-unhandled-exception-dos-xray-523195/	Exploit Patch Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: JFROG

Published: 2023-07-12T18:34:31.609Z

Updated: 2023-10-03T21:09:06.443Z

Reserved: 2023-07-12T12:46:57.470Z

Link: CVE-2023-3635

JSON object: View

NVD Information

Status : Analyzed

Published: 2023-07-12T19:15:08.983

Modified: 2023-10-25T15:17:42.170

Link: CVE-2023-3635

JSON object: View

Redhat Information

No data.

CWE

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2023-3635", "assignerOrgId": "48a46f29-ae42-4e1d-90dd-c1676c1e5e6d", "state": "PUBLISHED", "assignerShortName": "JFROG", "dateReserved": "2023-07-12T12:46:57.470Z", "datePublished": "2023-07-12T18:34:31.609Z", "dateUpdated": "2023-10-03T21:09:06.443Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://mvnrepository.com", "defaultStatus": "unaffected", "packageName": "com.squareup.okio:okio", "versions": [{"lessThan": "1.0.0", "status": "affected", "version": "0.5.0", "versionType": "maven"}, {"lessThan": "1.17.6", "status": "affected", "version": "1.0.0", "versionType": "maven"}, {"lessThan": "3.0.0", "status": "affected", "version": "2.0.0", "versionType": "maven"}, {"lessThan": "3.4.0", "status": "affected", "version": "3.0.0", "versionType": "maven"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>GzipSource does not handle an exception that might be raised when parsing a malformed gzip buffer. This may lead to denial of service of the Okio client when handling a crafted GZIP archive, by using the GzipSource class.</p>"}], "value": "GzipSource does not handle an exception that might be raised when parsing a malformed gzip buffer. This may lead to denial of service of the Okio client when handling a crafted GZIP archive, by using the GzipSource class.\n\n"}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-195", "description": "CWE-195: Signed to Unsigned Conversion Error", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "48a46f29-ae42-4e1d-90dd-c1676c1e5e6d", "shortName": "JFROG", "dateUpdated": "2023-10-03T21:09:06.443Z"}, "references": [{"url": "https://research.jfrog.com/vulnerabilities/okio-gzip-source-unhandled-exception-dos-xray-523195/"}, {"url": "https://github.com/square/okio/commit/81bce1a30af244550b0324597720e4799281da7b"}], "source": {"discovery": "EXTERNAL"}, "title": "Okio GzipSource unhandled exception Denial of Service", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:squareup:okio:*:*:*:*:*:*:*:*", "matchCriteriaId": "03403B65-FE42-46FB-B8DA-2AAFAD29C5F4", "versionEndExcluding": "1.17.6", "versionStartIncluding": "0.5.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:squareup:okio:*:*:*:*:*:*:*:*", "matchCriteriaId": "CC8A3FE6-BD81-4D3D-9568-E364F5D35668", "versionEndExcluding": "3.4.0", "versionStartIncluding": "2.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "GzipSource does not handle an exception that might be raised when parsing a malformed gzip buffer. This may lead to denial of service of the Okio client when handling a crafted GZIP archive, by using the GzipSource class.\n\n"}, {"lang": "es", "value": "GzipSource no maneja una excepci\u00f3n que podr\u00eda surgir al analizar un b\u00fafer gzip malformado. Esto puede conducir a la denegaci\u00f3n de servicio del cliente Okio cuando se maneja un archivo GZIP manipulado, mediante el uso de la clase \"GzipSource\"."}], "id": "CVE-2023-3635", "lastModified": "2023-10-25T15:17:42.170", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "reefs@jfrog.com", "type": "Secondary"}]}, "published": "2023-07-12T19:15:08.983", "references": [{"source": "reefs@jfrog.com", "tags": ["Patch"], "url": "https://github.com/square/okio/commit/81bce1a30af244550b0324597720e4799281da7b"}, {"source": "reefs@jfrog.com", "tags": ["Exploit", "Patch", "Third Party Advisory"], "url": "https://research.jfrog.com/vulnerabilities/okio-gzip-source-unhandled-exception-dos-xray-523195/"}], "sourceIdentifier": "reefs@jfrog.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-681"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-195"}], "source": "reefs@jfrog.com", "type": "Secondary"}]}