snowflakedb/libsnowflakeclient

SNOW-564639: zlib1.2.11: 2 vulnerabilities (highest severity is: 6.5) - autoclosed

Closed this issue · 1 comments

mend-for-github-com commented
Vulnerable Library - zlib1.2.11

Library home page: https://github.com/submods/zlib.git

Vulnerable Source Files (2)

/deps/zlib-1.2.11.1/inflate.c
/deps/zlib-1.2.11.1/inflate.c

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in Remediation Available
WS-2020-0368 Medium 6.5 zlib1.2.11 Direct N/A
CVE-2018-25032 Medium 5.5 zlib1.2.11 Direct N/A

Details

WS-2020-0368

Vulnerable Library - zlib1.2.11

Library home page: https://github.com/submods/zlib.git

Found in base branch: master

Vulnerable Source Files (2)

/deps/zlib-1.2.11.1/inflate.c
/deps/zlib-1.2.11.1/inflate.c

Vulnerability Details

Zlib in versions v0.8 to v1.2.11 is vulnerable to use-of-uninitialized-value in inflate.
There are a couple of places in inflate() where UPDATE is called with state->check as its first parameter, without a guarantee that this value has been initialized (state comes from a ZALLOC in inflateInit). This causes use of uninitialized check value.

Publish Date: 2020-02-22

URL: WS-2020-0368

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

CVE-2018-25032

Vulnerable Library - zlib1.2.11

Library home page: https://github.com/submods/zlib.git

Found in base branch: master

Vulnerable Source Files (3)

/deps/zlib-1.2.11.1/trees.c
/deps/zlib-1.2.11.1/trees.c
/deps/zlib-1.2.11.1/deflate.c

Vulnerability Details

zlib 1.2.11 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.

Publish Date: 2022-03-25

URL: CVE-2018-25032

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

mend-for-github-com commented

✔️ This issue was automatically closed by WhiteSource because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the WhiteSource inventory.