CVE-2021-37137: The Snappy frame decoder function doesn't restrict the chunk length which may lead to excessive memory usage. Beside this it also may buffer reserved skippable…

high7.5CVSS 3.1

AVNACLPRNUINSUCNINAH

The Snappy frame decoder function doesn't restrict the chunk length which may lead to excessive memory usage. Beside this it also may buffer reserved skippable chunks until the whole chunk was received which may lead to excessive memory usage as well. This vulnerability can be triggered by supplying malicious input that decompresses to a very big size (via a network stream or a file) or by sending a huge skippable chunk.

Affected

36 ranges· showing 25

Vendor	Product	Version range	Fixed in
debian	debian_linux	—	—
debian	debian_linux	—	—
debian	netty	< netty 1:4.1.48-6 (bookworm)	netty 1:4.1.48-6 (bookworm)
netty	netty	< 4.1.68	4.1.68
netty	netty	>= 0 < 1:4.1.48-4+deb11u1	1:4.1.48-4+deb11u1
netty	netty	>= 0 < 1:4.1.48-6	1:4.1.48-6
netty	netty	>= 0 < 1:4.1.48-6	1:4.1.48-6
netty	netty	>= 0 < 1:4.1.48-6	1:4.1.48-6
netty	netty	>= 0 < 1:4.1.48-4+deb11u1build0.22.04.1	1:4.1.48-4+deb11u1build0.22.04.1
netty	netty	>= 0 < 1:4.0.34-1ubuntu0.1~esm1	1:4.0.34-1ubuntu0.1~esm1
netty	netty	>= 0 < 1:4.1.7-4ubuntu0.1+esm2	1:4.1.7-4ubuntu0.1+esm2
netty	netty	>= 0 < 1:4.1.45-1ubuntu0.1~esm1	1:4.1.45-1ubuntu0.1~esm1
oracle	banking_apis	—	—
oracle	banking_apis	—	—
oracle	banking_apis	—	—
oracle	banking_apis	—	—
oracle	banking_apis	18.1 – 18.3	—
oracle	banking_digital_experience	—	—
oracle	banking_digital_experience	—	—
oracle	banking_digital_experience	—	—
oracle	banking_digital_experience	—	—
oracle	banking_digital_experience	—	—
oracle	banking_digital_experience	—	—
oracle	banking_digital_experience	—	—
oracle	commerce_guided_search	—	—

CVSS provenance

nvdv3.17.5HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

osv7.5HIGH