CVE-2020-8927: A buffer overflow, as described in CVE-2020-8927, exists in the embedded Brotli library. Versions of IO::Compress::Brotli prior to 0.007 included a version of…

critical9.8CVSS 3.1

AVNACLPRNUINSUCHIHAH

A buffer overflow, as described in CVE-2020-8927, exists in the embedded Brotli library. Versions of IO::Compress::Brotli prior to 0.007 included a version of the brotli library prior to version 1.0.8, where an attacker controlling the input length of a "one-shot" decompression request to a script can trigger a crash, which happens when copying over chunks of data larger than 2 GiB. It is recommended to update your IO::Compress::Brotli module to 0.007 or later. If one cannot update, we recommend to use the "streaming" API as opposed to the "one-shot" API, and impose chunk size limits.

Affected

73 ranges· showing 25

Vendor	Product	Version range	Fixed in
canonical	ubuntu_linux	—	—
canonical	ubuntu_linux	—	—
canonical	ubuntu_linux	—	—
debian	brotli	< brotli 1.0.9-1 (bookworm)	brotli 1.0.9-1 (bookworm)
debian	debian_linux	—	—
debian	debian_linux	—	—
debian	libio-compress-brotli-perl	—	—
fedoraproject	fedora	—	—
fedoraproject	fedora	—	—
fedoraproject	fedora	—	—
fedoraproject	fedora	—	—
fedoraproject	fedora	—	—
fedoraproject	fedora	—	—
google	brotli	< 1.0.8	1.0.8
google_llc	brotli	>= 0 < 1.0.9-1	1.0.9-1
google_llc	brotli	>= 0 < 1.0.9-1	1.0.9-1
google_llc	brotli	>= 0 < 1.0.9-1	1.0.9-1
google_llc	brotli	>= 0 < 1.0.9-1	1.0.9-1
google_llc	brotli	>= 0 < 1.0.8	1.0.8
google_llc	brotli	stable – 1.0.7	—
microsoft	microsoft.netcore.app.runtime.linux-arm	>= 3.0.0 < 3.1.23	3.1.23
microsoft	microsoft.netcore.app.runtime.linux-arm	>= 5.0.0 < 5.0.15	5.0.15
microsoft	microsoft.netcore.app.runtime.linux-arm	>= 6.0.0 < 6.0.3	6.0.3
microsoft	microsoft.netcore.app.runtime.linux-arm64	>= 3.0.0 < 3.1.23	3.1.23
microsoft	microsoft.netcore.app.runtime.linux-arm64	>= 5.0.0 < 5.0.15	5.0.15

CVSS provenance

nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

osv9.8CRITICAL