Описание
lz4-sys vulnerable to memory corruption via issue in liblz4
lz4-sys up to v1.9.3 bundles a version of liblz4 that is vulnerable to CVE-2021-3520.
Attackers could craft a payload that triggers an integer overflow upon decompression, causing an out-of-bounds write.
The flaw has been corrected in version v1.9.4 of liblz4, which is included in lz4-sys 1.9.4.
Пакеты
Наименование
lz4-sys
rust
Затронутые версииВерсия исправления
< 1.9.4
1.9.4
9.8 Critical
CVSS3
Дефекты
CWE-190
CWE-787
9.8 Critical
CVSS3
Дефекты
CWE-190
CWE-787