CVE-2023-6992 — Improper Input Validation in Zlib

CWE-20 — Improper Input Validation CWE-122 — Heap-based Buffer Overflow CWE-126 — Buffer Over-read CWE-787 — Out-of-bounds Write3 documents3 sources

Severity

5.5MEDIUMNVD

EPSS

0.0%

top 94.48%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Zlib Cloudflare Zlib Msrc Azl3 Fltk 1.3.8-1 ON Azure Linux 3.0 +6 more

Timeline

PublishedJan 4

Latest updateJan 9

Description

Cloudflare version of zlib library was found to be vulnerable to memory corruption issues affecting the deflation algorithm implementation (deflate.c). The issues resulted from improper input validation and heap-based buffer overflow. A local attacker could exploit the problem during compression using a crafted malicious file potentially leading to denial of service of the software. Patches: The issue has been patched in commit 8352d10 https://github.com/cloudflare/zlib/commit/8352d108c05db1bdc5…

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:HExploitability: 1.8 | Impact: 3.6

Affected Packages10 packages

▶CVEListV5cloudflare/zlib< 8352d10

▶NVDcloudflare/zlib< 2023-11-16

▶Alpinezlib/zlib< 0+7

▶msrcmsrc/azl3_zlib_1.3.1-1_on_azure_linux_3.0

▶msrcmsrc/cbl2_zlib_1.2.13-2_on_cbl_mariner_2.0

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

CVE-2023-6992: Cloudflare version of zlib library was found to be vulnerable to memory corruption issues affecting the deflation algorithm implementation (deflate↗2024-01-04

▶

📋Vendor Advisories

Microsoft

Memory corruption issues is Cloudflare zlib implementation↗2024-01-09

▶