SNOW-564639: zlib1.2.11: 2 vulnerabilities (highest severity is: 6.5) - autoclosed
Closed this issue · 1 comment
Vulnerable Library - zlib1.2.11
Library home page: https://github.com/submods/zlib.git
Vulnerable Source Files (2)
Vulnerabilities
CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
---|---|---|---|---|---|---|
WS-2020-0368 | Medium | 6.5 | zlib1.2.11 | Direct | N/A | ❌ |
CVE-2018-25032 | Medium | 5.5 | zlib1.2.11 | Direct | N/A | ❌ |
Details
WS-2020-0368
Vulnerable Library - zlib1.2.11
Library home page: https://github.com/submods/zlib.git
Found in base branch: master
Vulnerable Source Files (2)
/deps/zlib-1.2.11.1/inflate.c
/deps/zlib-1.2.11.1/inflate.c
Vulnerability Details
zlib in versions v0.8 to v1.2.11 is vulnerable to use of an uninitialized value in inflate.
There are a couple of places in inflate() where UPDATE is called with state->check as its first parameter without any guarantee that this value has been initialized (state comes from a ZALLOC in inflateInit, which does not zero the allocation). As a result, the Adler-32/CRC-32 check is updated from an uninitialized check value.
Publish Date: 2020-02-22
URL: WS-2020-0368
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
CVE-2018-25032
Vulnerable Library - zlib1.2.11
Library home page: https://github.com/submods/zlib.git
Found in base branch: master
Vulnerable Source Files (3)
/deps/zlib-1.2.11.1/trees.c
/deps/zlib-1.2.11.1/trees.c
/deps/zlib-1.2.11.1/deflate.c
Vulnerability Details
zlib before 1.2.12 (including the 1.2.11 tree flagged here) allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches. The upstream fix is in zlib 1.2.12.
Publish Date: 2022-03-25
URL: CVE-2018-25032
CVSS 3 Score Details (5.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
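The two entries above describe affected ranges in prose only: WS-2020-0368 covers v0.8 through v1.2.11 (the flagged 1.2.11.1 tree shows that every 1.2.11.x is inside that range), and the CVE-2018-25032 text bounds its range at "before 1.2.12". The following C code is an added example, not part of this WhiteSource issue or of zlib itself: it parses the kinds of version strings a practitioner actually has in hand (the string returned by zlib's real `zlibVersion()` API, or a vendored directory name such as `zlib-1.2.11.1` as seen under `/deps` above) and reports which of the page's two advisories apply. The function names, the bitmask values and the sample strings are this example's own, and the helper assumes both ranges reduce to "below 1.2.12" as argued above.

```c
/* Added example (not from the WhiteSource issue or from zlib): classify a
 * zlib version string against the two advisories on this page. The input is
 * what you really have: zlibVersion() at runtime, or a vendored directory
 * name such as "zlib-1.2.11.1". All names below are this example's own. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    int major, minor, patch, sub;   /* "1.2.11.1" -> 1, 2, 11, 1 */
} zlib_ver;

/* Parse "1.2.11", "1.2.11.1", "zlib-1.2.11", "v1.2.13.zlib-ng".
 * Returns 1 on success, 0 if fewer than two numeric components are present. */
int parse_zlib_version(const char *s, zlib_ver *out)
{
    int parts[4] = {0, 0, 0, 0};
    int n = 0;
    const char *p = s;

    if (strncmp(p, "zlib-", 5) == 0) p += 5;     /* vendored directory names */
    else if (*p == 'v') p += 1;                  /* "v1.2.11" style tags */

    while (n < 4 && isdigit((unsigned char)*p)) {
        int v = 0;
        while (isdigit((unsigned char)*p)) {
            if (v > 100000) return 0;            /* absurd component: reject */
            v = v * 10 + (*p - '0');
            p++;
        }
        parts[n++] = v;
        if (*p == '.' && isdigit((unsigned char)p[1])) p++;  /* another number follows */
        else break;                              /* end, or a suffix like ".zlib-ng" */
    }
    if (n < 2) return 0;
    out->major = parts[0]; out->minor = parts[1];
    out->patch = parts[2]; out->sub   = parts[3];
    return 1;
}

/* Lexicographic compare of (major, minor, patch, sub): <0, 0 or >0. */
int zlib_ver_cmp(const zlib_ver *a, const zlib_ver *b)
{
    if (a->major != b->major) return a->major < b->major ? -1 : 1;
    if (a->minor != b->minor) return a->minor < b->minor ? -1 : 1;
    if (a->patch != b->patch) return a->patch < b->patch ? -1 : 1;
    if (a->sub   != b->sub)   return a->sub   < b->sub   ? -1 : 1;
    return 0;
}

/* Bit values are this example's own, not scanner identifiers. */
#define AFFECTED_WS_2020_0368   0x1   /* inflate: uninitialised state->check, v0.8 .. v1.2.11 (per advisory) */
#define AFFECTED_CVE_2018_25032 0x2   /* deflate memory corruption, versions before 1.2.12 (per CVE text) */
#define VERSION_UNPARSEABLE     (-1)

/* Return a bitmask of the page's advisories the version falls in, 0 if none,
 * VERSION_UNPARSEABLE if the string does not look like a version at all. */
int zlib_advisories_for(const char *version)
{
    zlib_ver v;
    const zlib_ver fixed = {1, 2, 12, 0};   /* first version outside both ranges */
    const zlib_ver first = {0, 8, 0, 0};    /* lower bound quoted for WS-2020-0368 */
    int mask = 0;

    if (!parse_zlib_version(version, &v)) return VERSION_UNPARSEABLE;
    if (zlib_ver_cmp(&v, &fixed) < 0) {
        mask |= AFFECTED_CVE_2018_25032;
        if (zlib_ver_cmp(&v, &first) >= 0) mask |= AFFECTED_WS_2020_0368;
    }
    return mask;
}

int main(void)
{
    /* Constructed sample inputs: the page's own vendored tree plus a few
     * strings a scanner or zlibVersion() could hand back. */
    const char *samples[] = {"zlib-1.2.11.1", "1.2.11", "1.2.12", "v1.2.13.zlib-ng", "garbage"};
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int m = zlib_advisories_for(samples[i]);
        if (m == VERSION_UNPARSEABLE) { printf("%-18s unparseable\n", samples[i]); continue; }
        printf("%-18s WS-2020-0368:%s CVE-2018-25032:%s\n", samples[i],
               (m & AFFECTED_WS_2020_0368) ? "yes" : "no",
               (m & AFFECTED_CVE_2018_25032) ? "yes" : "no");
    }
    return 0;
}
```

In a real program the string comes from `zlibVersion()` (zlib's exported function) and the build-time header values `ZLIB_VERSION` and `ZLIB_VERNUM`; the parser accepts four numeric components because 1.2.11.x point releases and vendored trees like the one flagged above use them, and it stops at a non-numeric suffix such as the one zlib-ng appends. Treat the result as a triage signal rather than proof: distribution packages and vendored copies routinely backport the 1.2.12 fixes without changing the version string, so confirm against the actual `inflate.c`, `trees.c` and `deflate.c` sources or the package changelog. Note also that the table above reports Fixed in: N/A for both entries; for CVE-2018-25032 the CVE text itself bounds the affected range at "before 1.2.12", which is what this helper encodes.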
✔️ This issue was automatically closed by WhiteSource because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the WhiteSource inventory.