Search

Find a vulnerability

Search criteria

    4 vulnerabilities by airlift

    CVE-2025-67721 (GCVE-0-2025-67721)

    Vulnerability from nvd – Published: 2025-12-12 22:11 – Updated: 2025-12-15 15:04
    VLAI
    Title
    Aircompressor's Snappy and LZ4 Java-based decompressor implementation can leak information from reused output buffer
    Summary
    Aircompressor is a library with ports of the Snappy, LZO, LZ4, and Zstandard compression algorithms to Java. In versions 3.3 and below, incorrect handling of malformed data in Java-based decompressor implementations for Snappy and LZ4 allow remote attackers to read previous buffer contents via crafted compressed input. With certain crafted compressed inputs, elements from the output buffer can end up in the uncompressed output, potentially leaking sensitive data. This is relevant for applications that reuse the same output buffer to uncompress multiple inputs. This can be the case of a web server that allocates a fix-sized buffer for performance purposes. There is similar vulnerability in GHSA-cmp6-m4wj-q63q. This issue is fixed in version 3.4.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-201 - Insertion of Sensitive Information Into Sent Data
    • CWE-125 - Out-of-bounds Read
    Assigner
    Impacted products
    Vendor Product Version
    airlift aircompressor Affected: < 3.4
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-67721",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-12-15T15:03:47.177417Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-12-15T15:04:15.629Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "aircompressor",
              "vendor": "airlift",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 3.4"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Aircompressor is a library with ports of the Snappy, LZO, LZ4, and Zstandard compression algorithms to Java. In versions 3.3 and below, incorrect handling of malformed data in Java-based decompressor implementations for Snappy and LZ4 allow remote attackers to read previous buffer contents via crafted compressed input. With certain crafted compressed inputs, elements from the output buffer can end up in the uncompressed output, potentially leaking sensitive data. This is relevant for applications that reuse the same output buffer to uncompress multiple inputs. This can be the case of a web server that allocates a fix-sized buffer for performance purposes. There is similar vulnerability in GHSA-cmp6-m4wj-q63q. This issue is fixed in version 3.4."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-201",
                  "description": "CWE-201: Insertion of Sensitive Information Into Sent Data",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-125",
                  "description": "CWE-125: Out-of-bounds Read",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-12-12T22:11:10.971Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/airlift/aircompressor/security/advisories/GHSA-vx9q-rhv9-3jvg",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/airlift/aircompressor/security/advisories/GHSA-vx9q-rhv9-3jvg"
            },
            {
              "name": "https://github.com/airlift/aircompressor/commit/f2b489b398779b40c1ee29ddb11d7edef54ddc15",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/airlift/aircompressor/commit/f2b489b398779b40c1ee29ddb11d7edef54ddc15"
            },
            {
              "name": "https://github.com/airlift/aircompressor/commit/ff12c4d5757c9d6d1de3d39a10402f1f84f9b765",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/airlift/aircompressor/commit/ff12c4d5757c9d6d1de3d39a10402f1f84f9b765"
            }
          ],
          "source": {
            "advisory": "GHSA-vx9q-rhv9-3jvg",
            "discovery": "UNKNOWN"
          },
          "title": "Aircompressor\u0027s Snappy and LZ4 Java-based decompressor implementation can leak information from reused output buffer"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-67721",
        "datePublished": "2025-12-12T22:11:10.971Z",
        "dateReserved": "2025-12-10T18:46:14.762Z",
        "dateUpdated": "2025-12-15T15:04:15.629Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-36114 (GCVE-0-2024-36114)

    Vulnerability from nvd – Published: 2024-05-29 20:24 – Updated: 2024-08-02 03:30
    VLAI
    Title
    Decompressors can crash the JVM and leak memory content in Aircompressor
    Summary
    Aircompressor is a library with ports of the Snappy, LZO, LZ4, and Zstandard compression algorithms to Java. All decompressor implementations of Aircompressor (LZ4, LZO, Snappy, Zstandard) can crash the JVM for certain input, and in some cases also leak the content of other memory of the Java process (which could contain sensitive information). When decompressing certain data, the decompressors try to access memory outside the bounds of the given byte arrays or byte buffers. Because Aircompressor uses the JDK class `sun.misc.Unsafe` to speed up memory access, no additional bounds checks are performed and this has similar security consequences as out-of-bounds access in C or C++, namely it can lead to non-deterministic behavior or crash the JVM. Users should update to Aircompressor 0.27 or newer where these issues have been fixed. When decompressing data from untrusted users, this can be exploited for a denial-of-service attack by crashing the JVM, or to leak other sensitive information from the Java process. There are no known workarounds for this issue.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    airlift aircompressor Affected: < 0.27
    Create a notification for this product.
    airlift aircompressor Affected: 0 , < 0.27 (custom)
        cpe:2.3:a:airlift:aircompressor:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:airlift:aircompressor:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "aircompressor",
                "vendor": "airlift",
                "versions": [
                  {
                    "lessThan": "0.27",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-36114",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-06-04T19:37:59.883008Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-04T19:42:22.047Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "ADP Container"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T03:30:13.037Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "https://github.com/airlift/aircompressor/security/advisories/GHSA-973x-65j7-xcf4",
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/airlift/aircompressor/security/advisories/GHSA-973x-65j7-xcf4"
              },
              {
                "name": "https://github.com/airlift/aircompressor/commit/15e68df9eb0c2bfde7f796231ee7cd1982965071",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/airlift/aircompressor/commit/15e68df9eb0c2bfde7f796231ee7cd1982965071"
              },
              {
                "name": "https://github.com/airlift/aircompressor/commit/2cea90a45534f9aacbb77426fb64e975504dee6e",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/airlift/aircompressor/commit/2cea90a45534f9aacbb77426fb64e975504dee6e"
              },
              {
                "name": "https://github.com/airlift/aircompressor/commit/cf66151541edb062ea88b6f3baab3f95e48b7b7f",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/airlift/aircompressor/commit/cf66151541edb062ea88b6f3baab3f95e48b7b7f"
              },
              {
                "name": "https://github.com/airlift/aircompressor/commit/d01ecb779375a092d00e224abe7869cdf49ddc3e",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/airlift/aircompressor/commit/d01ecb779375a092d00e224abe7869cdf49ddc3e"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "aircompressor",
              "vendor": "airlift",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 0.27"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Aircompressor is a library with ports of the Snappy, LZO, LZ4, and Zstandard compression algorithms to Java. All decompressor implementations of Aircompressor (LZ4, LZO, Snappy, Zstandard) can crash the JVM for certain input, and in some cases also leak the content of other memory of the Java process (which could contain sensitive information). When decompressing certain data, the decompressors try to access memory outside the bounds of the given byte arrays or byte buffers. Because Aircompressor uses the JDK class `sun.misc.Unsafe` to speed up memory access, no additional bounds checks are performed and this has similar security consequences as out-of-bounds access in C or C++, namely it can lead to non-deterministic behavior or crash the JVM. Users should update to Aircompressor 0.27 or newer where these issues have been fixed. When decompressing data from untrusted users, this can be exploited for a denial-of-service attack by crashing the JVM, or to leak other sensitive information from the Java process. There are no known workarounds for this issue."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.6,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-125",
                  "description": "CWE-125: Out-of-bounds Read",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-787",
                  "description": "CWE-787: Out-of-bounds Write",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-05-29T20:24:53.906Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/airlift/aircompressor/security/advisories/GHSA-973x-65j7-xcf4",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/airlift/aircompressor/security/advisories/GHSA-973x-65j7-xcf4"
            },
            {
              "name": "https://github.com/airlift/aircompressor/commit/15e68df9eb0c2bfde7f796231ee7cd1982965071",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/airlift/aircompressor/commit/15e68df9eb0c2bfde7f796231ee7cd1982965071"
            },
            {
              "name": "https://github.com/airlift/aircompressor/commit/2cea90a45534f9aacbb77426fb64e975504dee6e",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/airlift/aircompressor/commit/2cea90a45534f9aacbb77426fb64e975504dee6e"
            },
            {
              "name": "https://github.com/airlift/aircompressor/commit/cf66151541edb062ea88b6f3baab3f95e48b7b7f",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/airlift/aircompressor/commit/cf66151541edb062ea88b6f3baab3f95e48b7b7f"
            },
            {
              "name": "https://github.com/airlift/aircompressor/commit/d01ecb779375a092d00e224abe7869cdf49ddc3e",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/airlift/aircompressor/commit/d01ecb779375a092d00e224abe7869cdf49ddc3e"
            }
          ],
          "source": {
            "advisory": "GHSA-973x-65j7-xcf4",
            "discovery": "UNKNOWN"
          },
          "title": "Decompressors can crash the JVM and leak memory content in Aircompressor"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2024-36114",
        "datePublished": "2024-05-29T20:24:53.906Z",
        "dateReserved": "2024-05-20T21:07:48.187Z",
        "dateUpdated": "2024-08-02T03:30:13.037Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-67721 (GCVE-0-2025-67721)

    Vulnerability from cvelistv5 – Published: 2025-12-12 22:11 – Updated: 2025-12-15 15:04
    VLAI
    Title
    Aircompressor's Snappy and LZ4 Java-based decompressor implementation can leak information from reused output buffer
    Summary
    Aircompressor is a library with ports of the Snappy, LZO, LZ4, and Zstandard compression algorithms to Java. In versions 3.3 and below, incorrect handling of malformed data in Java-based decompressor implementations for Snappy and LZ4 allow remote attackers to read previous buffer contents via crafted compressed input. With certain crafted compressed inputs, elements from the output buffer can end up in the uncompressed output, potentially leaking sensitive data. This is relevant for applications that reuse the same output buffer to uncompress multiple inputs. This can be the case of a web server that allocates a fix-sized buffer for performance purposes. There is similar vulnerability in GHSA-cmp6-m4wj-q63q. This issue is fixed in version 3.4.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-201 - Insertion of Sensitive Information Into Sent Data
    • CWE-125 - Out-of-bounds Read
    Assigner
    Impacted products
    Vendor Product Version
    airlift aircompressor Affected: < 3.4
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-67721",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-12-15T15:03:47.177417Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-12-15T15:04:15.629Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "aircompressor",
              "vendor": "airlift",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 3.4"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Aircompressor is a library with ports of the Snappy, LZO, LZ4, and Zstandard compression algorithms to Java. In versions 3.3 and below, incorrect handling of malformed data in Java-based decompressor implementations for Snappy and LZ4 allow remote attackers to read previous buffer contents via crafted compressed input. With certain crafted compressed inputs, elements from the output buffer can end up in the uncompressed output, potentially leaking sensitive data. This is relevant for applications that reuse the same output buffer to uncompress multiple inputs. This can be the case of a web server that allocates a fix-sized buffer for performance purposes. There is similar vulnerability in GHSA-cmp6-m4wj-q63q. This issue is fixed in version 3.4."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-201",
                  "description": "CWE-201: Insertion of Sensitive Information Into Sent Data",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-125",
                  "description": "CWE-125: Out-of-bounds Read",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-12-12T22:11:10.971Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/airlift/aircompressor/security/advisories/GHSA-vx9q-rhv9-3jvg",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/airlift/aircompressor/security/advisories/GHSA-vx9q-rhv9-3jvg"
            },
            {
              "name": "https://github.com/airlift/aircompressor/commit/f2b489b398779b40c1ee29ddb11d7edef54ddc15",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/airlift/aircompressor/commit/f2b489b398779b40c1ee29ddb11d7edef54ddc15"
            },
            {
              "name": "https://github.com/airlift/aircompressor/commit/ff12c4d5757c9d6d1de3d39a10402f1f84f9b765",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/airlift/aircompressor/commit/ff12c4d5757c9d6d1de3d39a10402f1f84f9b765"
            }
          ],
          "source": {
            "advisory": "GHSA-vx9q-rhv9-3jvg",
            "discovery": "UNKNOWN"
          },
          "title": "Aircompressor\u0027s Snappy and LZ4 Java-based decompressor implementation can leak information from reused output buffer"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-67721",
        "datePublished": "2025-12-12T22:11:10.971Z",
        "dateReserved": "2025-12-10T18:46:14.762Z",
        "dateUpdated": "2025-12-15T15:04:15.629Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-36114 (GCVE-0-2024-36114)

    Vulnerability from cvelistv5 – Published: 2024-05-29 20:24 – Updated: 2024-08-02 03:30
    VLAI
    Title
    Decompressors can crash the JVM and leak memory content in Aircompressor
    Summary
    Aircompressor is a library with ports of the Snappy, LZO, LZ4, and Zstandard compression algorithms to Java. All decompressor implementations of Aircompressor (LZ4, LZO, Snappy, Zstandard) can crash the JVM for certain input, and in some cases also leak the content of other memory of the Java process (which could contain sensitive information). When decompressing certain data, the decompressors try to access memory outside the bounds of the given byte arrays or byte buffers. Because Aircompressor uses the JDK class `sun.misc.Unsafe` to speed up memory access, no additional bounds checks are performed and this has similar security consequences as out-of-bounds access in C or C++, namely it can lead to non-deterministic behavior or crash the JVM. Users should update to Aircompressor 0.27 or newer where these issues have been fixed. When decompressing data from untrusted users, this can be exploited for a denial-of-service attack by crashing the JVM, or to leak other sensitive information from the Java process. There are no known workarounds for this issue.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    airlift aircompressor Affected: < 0.27
    Create a notification for this product.
    airlift aircompressor Affected: 0 , < 0.27 (custom)
        cpe:2.3:a:airlift:aircompressor:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:airlift:aircompressor:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "aircompressor",
                "vendor": "airlift",
                "versions": [
                  {
                    "lessThan": "0.27",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-36114",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-06-04T19:37:59.883008Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-04T19:42:22.047Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "ADP Container"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T03:30:13.037Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "https://github.com/airlift/aircompressor/security/advisories/GHSA-973x-65j7-xcf4",
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/airlift/aircompressor/security/advisories/GHSA-973x-65j7-xcf4"
              },
              {
                "name": "https://github.com/airlift/aircompressor/commit/15e68df9eb0c2bfde7f796231ee7cd1982965071",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/airlift/aircompressor/commit/15e68df9eb0c2bfde7f796231ee7cd1982965071"
              },
              {
                "name": "https://github.com/airlift/aircompressor/commit/2cea90a45534f9aacbb77426fb64e975504dee6e",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/airlift/aircompressor/commit/2cea90a45534f9aacbb77426fb64e975504dee6e"
              },
              {
                "name": "https://github.com/airlift/aircompressor/commit/cf66151541edb062ea88b6f3baab3f95e48b7b7f",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/airlift/aircompressor/commit/cf66151541edb062ea88b6f3baab3f95e48b7b7f"
              },
              {
                "name": "https://github.com/airlift/aircompressor/commit/d01ecb779375a092d00e224abe7869cdf49ddc3e",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/airlift/aircompressor/commit/d01ecb779375a092d00e224abe7869cdf49ddc3e"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "aircompressor",
              "vendor": "airlift",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 0.27"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Aircompressor is a library with ports of the Snappy, LZO, LZ4, and Zstandard compression algorithms to Java. All decompressor implementations of Aircompressor (LZ4, LZO, Snappy, Zstandard) can crash the JVM for certain input, and in some cases also leak the content of other memory of the Java process (which could contain sensitive information). When decompressing certain data, the decompressors try to access memory outside the bounds of the given byte arrays or byte buffers. Because Aircompressor uses the JDK class `sun.misc.Unsafe` to speed up memory access, no additional bounds checks are performed and this has similar security consequences as out-of-bounds access in C or C++, namely it can lead to non-deterministic behavior or crash the JVM. Users should update to Aircompressor 0.27 or newer where these issues have been fixed. When decompressing data from untrusted users, this can be exploited for a denial-of-service attack by crashing the JVM, or to leak other sensitive information from the Java process. There are no known workarounds for this issue."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.6,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-125",
                  "description": "CWE-125: Out-of-bounds Read",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-787",
                  "description": "CWE-787: Out-of-bounds Write",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-05-29T20:24:53.906Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/airlift/aircompressor/security/advisories/GHSA-973x-65j7-xcf4",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/airlift/aircompressor/security/advisories/GHSA-973x-65j7-xcf4"
            },
            {
              "name": "https://github.com/airlift/aircompressor/commit/15e68df9eb0c2bfde7f796231ee7cd1982965071",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/airlift/aircompressor/commit/15e68df9eb0c2bfde7f796231ee7cd1982965071"
            },
            {
              "name": "https://github.com/airlift/aircompressor/commit/2cea90a45534f9aacbb77426fb64e975504dee6e",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/airlift/aircompressor/commit/2cea90a45534f9aacbb77426fb64e975504dee6e"
            },
            {
              "name": "https://github.com/airlift/aircompressor/commit/cf66151541edb062ea88b6f3baab3f95e48b7b7f",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/airlift/aircompressor/commit/cf66151541edb062ea88b6f3baab3f95e48b7b7f"
            },
            {
              "name": "https://github.com/airlift/aircompressor/commit/d01ecb779375a092d00e224abe7869cdf49ddc3e",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/airlift/aircompressor/commit/d01ecb779375a092d00e224abe7869cdf49ddc3e"
            }
          ],
          "source": {
            "advisory": "GHSA-973x-65j7-xcf4",
            "discovery": "UNKNOWN"
          },
          "title": "Decompressors can crash the JVM and leak memory content in Aircompressor"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2024-36114",
        "datePublished": "2024-05-29T20:24:53.906Z",
        "dateReserved": "2024-05-20T21:07:48.187Z",
        "dateUpdated": "2024-08-02T03:30:13.037Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }