CVE-2023-29415 — Server-Side Request Forgery in Project Bzip3

CWE-918 — Server-Side Request Forgery6 documents6 sources

Severity

6.5MEDIUMNVD

GHSA9.8

EPSS

0.9%

top 25.03%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Bzip3 Project Bzip3 Debian Bzip3 Fedorindutny IP +1 more

Timeline

PublishedApr 6

Latest updateJun 2

Description

An issue was discovered in libbzip3.a in bzip3 before 1.3.0. A denial of service (process hang) can occur with a crafted archive because bzip3 does not follow the required procedure for interacting with libsais.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:HExploitability: 2.8 | Impact: 3.6

Affected Packages4 packages

▶debiandebian/bzip3< bzip3 1.2.2-2 (bookworm)

▶NVDbzip3_project/bzip3< 1.3.0

▶Debianbzip3_project/bzip3< 1.2.2-2+2

▶npmfedorindutny/ip2.0.1

Also affects: Debian Linux 12.0

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

ip SSRF improper categorization in isPublic↗2024-06-02

▶

OSV

CVE-2023-29415: An issue was discovered in libbzip3↗2023-04-06

▶

GHSA

GHSA-x9qg-mxcc-p559: An issue was discovered in libbzip3↗2023-04-06

▶

📋Vendor Advisories

Red Hat

node-ip: Incomplete fix for CVE-2023-42282↗2024-02-20

▶

Debian

CVE-2023-29415: bzip3 - An issue was discovered in libbzip3.a in bzip3 before 1.3.0. A denial of service...↗2023

▶