Описание
GzipSource does not handle an exception that might be raised when parsing a malformed gzip buffer. This may lead to denial of service of the Okio client when handling a crafted GZIP archive, by using the GzipSource class.
A flaw was found in SquareUp Okio. A class GzipSource does not handle an exception that might be raised when parsing a malformed gzip buffer. This issue may allow a malicious user to start processing a malformed file, which can result in a Denial of Service (DoS).
Отчет
Red Hat JBoss Enterprise Application Platform XP does contain Okio package but is not using GzipSource.java, which is the affected class. Red Hat support for Spring Boot is considered low impact as it's used by Dekorate during compilation process and not included in the resulting Jar.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Cryostat 2 | okio | Not affected | ||
| Red Hat build of Apicurio Registry 2 | okio | Affected | ||
| Red Hat CodeReady Studio 12 | okio | Out of support scope | ||
| Red Hat Data Grid 8 | okio | Fix deferred | ||
| Red Hat Decision Manager 7 | okio | Out of support scope | ||
| Red Hat JBoss Enterprise Application Platform 7 | okio | Not affected | ||
| Red Hat JBoss Fuse 6 | okio | Out of support scope | ||
| Red Hat OpenShift Application Runtimes | okio | Will not fix | ||
| Red Hat OpenShift Container Platform 3.11 | openshift3/metrics-hawkular-metrics | Out of support scope | ||
| Red Hat OpenShift Container Platform 3.11 | openshift3/ose-logging-elasticsearch5 | Out of support scope |
Показывать по
Дополнительная информация
Статус:
EPSS
7.5 High
CVSS3
Связанные уязвимости
GzipSource does not handle an exception that might be raised when parsing a malformed gzip buffer. This may lead to denial of service of the Okio client when handling a crafted GZIP archive, by using the GzipSource class.
GzipSource does not handle an exception that might be raised when parsing a malformed gzip buffer. This may lead to denial of service of the Okio client when handling a crafted GZIP archive, by using the GzipSource class.
GzipSource does not handle an exception that might be raised when pars ...
Okio Signed to Unsigned Conversion Error vulnerability
Уязвимость компонента GzipSource клиентской HTTP-библиотеки Okio, позволяющая нарушителю вызвать отказ в обслуживании
EPSS
7.5 High
CVSS3