
lz4-sys vulnerable to memory corruption via issue in liblz4

Critical severity GitHub Reviewed Published Sep 1, 2022 to the GitHub Advisory Database • Updated Jan 7, 2023

Package

cargo lz4-sys (Rust)

Affected versions

< 1.9.4

Patched versions

1.9.4

Description

lz4-sys up to v1.9.3 bundles a version of liblz4 that is vulnerable to
CVE-2021-3520.

An attacker who supplies a crafted compressed payload to an application
linked against the bundled liblz4 can trigger an integer overflow during
decompression, leading to a memmove() call with a negative (wrapped) size
argument and hence an out-of-bounds write and/or a crash.

The flaw has been corrected in liblz4 v1.9.4, which is the version bundled
with lz4-sys 1.9.4; upgrading the crate to 1.9.4 or later is the fix.
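The practical check for this advisory is whether a build's dependency graph pins lz4-sys below 1.9.4. The following is an added example, not code from the advisory or from the lz4-sys project: it walks a Cargo.lock with a small std-only line parser (assumed sufficient for the `[[package]]` / `name` / `version` layout Cargo writes), compares the found lz4-sys version against the patched 1.9.4, and reports any affected entry. The embedded Cargo.lock excerpt is constructed for the example; pre-release and build-metadata suffixes are deliberately ignored when comparing, which is a simplification.

```rust
// Added example: scan a Cargo.lock for lz4-sys versions affected by this advisory.
// std only; no semver/toml crates. The sample lockfile below is constructed.
use std::fs;
use std::io;

/// A version triple with derived lexicographic ordering (major, minor, patch).
#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
pub struct Version(pub u64, pub u64, pub u64);

/// First lz4-sys release that bundles the fixed liblz4 (from the advisory).
pub const FIXED_LZ4_SYS: Version = Version(1, 9, 4);

/// Parse "MAJOR.MINOR.PATCH", dropping any "-pre" / "+build" suffix
/// (simplification: pre-release ordering is not modelled).
pub fn parse_version(s: &str) -> Option<Version> {
    let core = s.trim().split(|c: char| c == '-' || c == '+').next()?;
    let mut parts = core.split('.').map(|p| p.parse::<u64>().ok());
    let major = parts.next()??;
    let minor = parts.next()??;
    let patch = parts.next()??;
    if parts.next().is_some() {
        return None; // more than three components is not a version we accept
    }
    Some(Version(major, minor, patch))
}

/// Extract the string value of `key = "value"` from one trimmed TOML line.
fn quoted_value(line: &str, key: &str) -> Option<String> {
    let rest = line.strip_prefix(key)?.trim_start().strip_prefix('=')?.trim_start();
    let rest = rest.strip_prefix('"')?;
    let end = rest.find('"')?;
    Some(rest[..end].to_string())
}

/// If the current [[package]] block is lz4-sys below the fix, record it.
fn record(name: &Option<String>, version: &Option<String>, out: &mut Vec<Version>) {
    if name.as_deref() == Some("lz4-sys") {
        if let Some(v) = version.as_deref().and_then(parse_version) {
            if v < FIXED_LZ4_SYS {
                out.push(v);
            }
        }
    }
}

/// Return every lz4-sys version in the lockfile text that is < 1.9.4.
pub fn find_vulnerable_lz4_sys(lockfile: &str) -> Vec<Version> {
    let mut out = Vec::new();
    let (mut name, mut version): (Option<String>, Option<String>) = (None, None);
    for raw in lockfile.lines() {
        let line = raw.trim();
        if line == "[[package]]" {
            record(&name, &version, &mut out); // close the previous block
            name = None;
            version = None;
        } else if let Some(v) = quoted_value(line, "name") {
            name = Some(v);
        } else if let Some(v) = quoted_value(line, "version") {
            version = Some(v);
        }
    }
    record(&name, &version, &mut out); // close the last block
    out
}

/// Same check over a Cargo.lock on disk.
pub fn scan_lockfile(path: &str) -> io::Result<Vec<Version>> {
    Ok(find_vulnerable_lz4_sys(&fs::read_to_string(path)?))
}

/// Constructed Cargo.lock excerpt: the lz4 crate pulling in lz4-sys 1.9.3.
pub const SAMPLE_LOCK: &str = r#"
# This file is automatically @generated by Cargo.
version = 3

[[package]]
name = "lz4"
version = "1.23.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
 "libc",
 "lz4-sys",
]

[[package]]
name = "lz4-sys"
version = "1.9.3"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "libc"
version = "0.2.126"
"#;

fn main() {
    // Usage: pass a Cargo.lock path; with no argument the constructed sample is scanned.
    let hits = match std::env::args().nth(1) {
        Some(p) => scan_lockfile(&p).expect("cannot read Cargo.lock"),
        None => find_vulnerable_lz4_sys(SAMPLE_LOCK),
    };
    if hits.is_empty() {
        println!("no lz4-sys below 1.9.4 found");
    }
    for v in &hits {
        println!("lz4-sys {}.{}.{} is affected by GHSA-9q5j-jm53-v7vr; upgrade to 1.9.4", v.0, v.1, v.2);
    }
}
```

Because lz4-sys is normally a transitive dependency (pulled in by the `lz4` crate, as in the sample), a `cargo update -p lz4-sys` is usually all that is needed once the fixed release is on crates.io; `cargo audit` performs the same lockfile check against the RustSec database, and this example exists to show what that check actually does.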

References

Published to the GitHub Advisory Database Sep 1, 2022
Reviewed Sep 1, 2022
Last updated Jan 7, 2023

Severity

Critical
9.8
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE ID

No known CVE (this crate-level advisory carries no CVE of its own; the underlying liblz4 flaw is tracked as CVE-2021-3520)

GHSA ID

GHSA-9q5j-jm53-v7vr

Source code

No known source code