CVE-2024-36124 - Medium Severity Vulnerability
Vulnerable Library - snappy-0.4.jar
Port of Snappy to Java
Library home page: http://github.com/dain/snappy
Path to dependency file: /ep-maven/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/iq80/snappy/snappy/0.4/snappy-0.4.jar
Dependency Hierarchy:
maven-assembly-plugin-3.7.1.jar (Root Library)
    plexus-archiver-4.9.2.jar
        ❌ snappy-0.4.jar (Vulnerable Library)
Found in base branch: main
Vulnerability Details
iq80 Snappy is a compression/decompression library. When uncompressing certain data, Snappy tries to read outside the bounds of the given byte arrays. Because Snappy uses the JDK class sun.misc.Unsafe to speed up memory access, no additional bounds checks are performed, and this has similar security consequences to out-of-bounds access in C or C++: it can lead to non-deterministic behavior or crash the JVM. iq80 Snappy is not actively maintained anymore. As a quick fix, users can upgrade to version 0.5.
Mend Note: Since org.iq80.snappy:snappy is not maintained anymore, in the long term users should prefer migrating to the Snappy implementation in the artifact io.airlift:aircompressor, version 0.27 and higher.
Publish Date: 2024-06-03
URL: CVE-2024-36124
CVSS 3 Score Details (5.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-8wh2-6qhj-h7j9
Release Date: 2024-06-03
Fix Resolution: org.iq80.snappy:snappy:0.5, io.airlift:aircompressor:0.27