CVE-2020-8927
Published on: 09/15/2020 12:00:00 AM UTC
Last Modified on: 04/22/2022 06:53:00 PM UTC
Certain versions of Ubuntu Linux from Canonical contain the following vulnerability:
A buffer overflow exists in the Brotli library versions prior to 1.0.8 where an attacker controlling the input length of a "one-shot" decompression request to a script can trigger a crash, which happens when copying over chunks of data larger than 2 GiB. It is recommended to update your Brotli library to 1.0.8 or later. If one cannot update, we recommend using the "streaming" API as opposed to the "one-shot" API, and imposing chunk size limits.
- CVE-2020-8927 has been assigned by [email protected] to track the vulnerability - currently rated as MEDIUM severity.
- Affected Vendor/Software: Google LLC - Brotli version <= 1.0.7
CVSS3 Score: 6.5 - MEDIUM
Attack Vector | Attack Complexity | Privileges Required | User Interaction |
---|---|---|---|
NETWORK | LOW | NONE | NONE |

Scope | Confidentiality Impact | Integrity Impact | Availability Impact |
---|---|---|---|
UNCHANGED | NONE | LOW | LOW |
CVSS2 Score: 6.4 - MEDIUM
Access Vector | Access Complexity | Authentication |
---|---|---|
NETWORK | LOW | NONE |

Confidentiality Impact | Integrity Impact | Availability Impact |
---|---|---|
NONE | PARTIAL | PARTIAL |
CVE References
Description | Tags | Link |
---|---|---|
[SECURITY] Fedora 31 Update: golang-github-andybalholm-brotli-1.0.1-1.fc31 - package-announce - Fedora Mailing-Lists | | lists.fedoraproject.org text/html |
[SECURITY] Fedora 34 Update: dotnet3.1-3.1.417-1.fc34 - package-announce - Fedora Mailing-Lists | | lists.fedoraproject.org text/html |
Release v1.0.9 · google/brotli · GitHub | Release Notes, Third Party Advisory | github.com text/html |
Debian -- Security Information -- DSA-4801-1 brotli | Deprecated Link | www.debian.org text/html |
[SECURITY] [DLA 2476-1] brotli security update | | lists.debian.org text/html |
[SECURITY] Fedora 31 Update: brotli-1.0.9-3.fc31 - package-announce - Fedora Mailing-Lists | | lists.fedoraproject.org text/html |
[SECURITY] Fedora 32 Update: golang-github-andybalholm-brotli-1.0.1-1.fc32 - package-announce - Fedora Mailing-Lists | | lists.fedoraproject.org text/html |
[SECURITY] Fedora 35 Update: dotnet3.1-3.1.417-1.fc35 - package-announce - Fedora Mailing-Lists | | lists.fedoraproject.org text/html |
USN-4568-1: Brotli vulnerability \| Ubuntu security notices \| Ubuntu | | usn.ubuntu.com text/html |
[SECURITY] Fedora 33 Update: brotli-1.0.9-3.fc33 - package-announce - Fedora Mailing-Lists | | lists.fedoraproject.org text/html |
[SECURITY] Fedora 32 Update: brotli-1.0.9-3.fc32 - package-announce - Fedora Mailing-Lists | | lists.fedoraproject.org text/html |
[security-announce] openSUSE-SU-2020:1578-1: moderate: Security update f | | lists.opensuse.org text/html |
[SECURITY] Fedora 33 Update: golang-github-andybalholm-brotli-1.0.1-1.fc33 - package-announce - Fedora Mailing-Lists | | lists.fedoraproject.org text/html |
[SECURITY] Fedora 36 Update: dotnet3.1-3.1.417-1.fc36 - package-announce - Fedora Mailing-Lists | | lists.fedoraproject.org text/html |
Related QID Numbers
- 159206 Oracle Enterprise Linux Security Update for brotli (ELSA-2021-1702)
- 159702 Oracle Enterprise Linux Security Update for .net 5.0 security and bugfix update (ELSA-2022-0830)
- 159703 Oracle Enterprise Linux Security Update for .net core 3.1 security and bugfix update (ELSA-2022-0827)
- 239317 Red Hat Update for brotli (RHSA-2021:1702)
- 240126 Red Hat Update for .net 5.0 (RHSA-2022:0830)
- 240131 Red Hat Update for .net 5.0 on rhel 7 (RHSA-2022:0828)
- 240134 Red Hat Update for .net core 3.1 on rhel 7 (RHSA-2022:0829)
- 240135 Red Hat Update for .net core 3.1 (RHSA-2022:0827)
- 282524 Fedora Security Update for dotnet3.1 (FEDORA-2022-d28042f559)
- 282525 Fedora Security Update for dotnet3.1 (FEDORA-2022-5ecee47acb)
- 377394 Alibaba Cloud Linux Security Update for brotli (ALINUX3-SA-2022:0118)
- 500075 Alpine Linux Security Update for brotli
- 730371 McAfee Web Gateway Multiple Vulnerabilities (WP-3335,WP-4131,WP-4159,WP-4237,WP-4259,WP-4329,WP-4348,WP-4355,WP-4376,WP-4407,WP-4421)
- 750614 OpenSUSE Security Update for brotli (openSUSE-SU-2020:1578-1)
- 751460 OpenSUSE Security Update for brotli (openSUSE-SU-2021:3942-1)
- 900205 CBL-Mariner Linux Security Update for brotli 1.0.7
- 901706 Common Base Linux Mariner (CBL-Mariner) Security Update for brotli (6341-1)
- 903579 Common Base Linux Mariner (CBL-Mariner) Security Update for powershell (9079)
- 903623 Common Base Linux Mariner (CBL-Mariner) Security Update for brotli (2537)
- 91868 Microsoft .NET Security Update for March 2022
- 940313 AlmaLinux Security Update for brotli (ALSA-2021:1702)
- 940461 AlmaLinux Security Update for .NET (ALSA-2022:0827)
- 940462 AlmaLinux Security Update for .NET (ALSA-2022:0830)
- 960227 Rocky Linux Security Update for brotli (RLSA-2021:1702)
Known Affected Configurations (CPE V2.3)
Type | Vendor | Product | Version | Update | Edition | Language |
---|---|---|---|---|---|---|
Operating System | Canonical | Ubuntu Linux | 16.04 | All | All | All |
Operating System | Canonical | Ubuntu Linux | 18.04 | All | All | All |
Operating System | Canonical | Ubuntu Linux | 20.04 | All | All | All |
Operating System | Debian | Debian Linux | 10.0 | All | All | All |
Operating System | Debian | Debian Linux | 9.0 | All | All | All |
Operating System | Fedoraproject | Fedora | 31 | All | All | All |
Operating System | Fedoraproject | Fedora | 32 | All | All | All |
Operating System | Fedoraproject | Fedora | 33 | All | All | All |
Operating System | Fedoraproject | Fedora | 34 | All | All | All |
Operating System | Fedoraproject | Fedora | 35 | All | All | All |
Operating System | Fedoraproject | Fedora | 36 | All | All | All |
Application | Google | Brotli | All | All | All | All |
Application | Google | Brotli | All | All | All | All |
Application | Microsoft | .net | All | All | All | All |
Application | Microsoft | .net Core | All | All | All | All |
Application | Microsoft | Powershell | All | All | All | All |
Application | Microsoft | Visual Studio 2019 | All | All | All | All |
Application | Microsoft | Visual Studio 2022 | 17.1 | All | All | All |
Application | Microsoft | Visual Studio 2022 | All | All | All | All |
Operating System | Opensuse | Leap | 15.2 | All | All | All |
- cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:*
- cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*
- cpe:2.3:a:google:brotli:*:*:*:*:*:*:*:*
- cpe:2.3:a:google:brotli:*:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:.net:*:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:.net_core:*:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:powershell:*:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:visual_studio_2019:*:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:visual_studio_2022:17.1:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:visual_studio_2022:*:*:*:*:*:*:*:*
- cpe:2.3:o:opensuse:leap:15.2:*:*:*:*:*:*:*
Discovery Credit
Jay Lv
Social Mentions
Title | Posted (UTC) |
---|---|
Microsoft Security Advisory CVE-2020-8927 \| .NET Remote Code Execution Vulnerability dotnet/runtime/66346 github.com/dotnet/runtime… | 2022-03-08 18:30:24 |
Microsoft Security Advisory CVE-2020-8927 \| .NET Remote Code Execution Vulnerability dotnet/announcements/211 github.com/dotnet/announc… | 2022-03-08 18:30:28 |
.NET 6.0.3, 5.0.15 and 3.1.23: improvements, bug fixes, vulnerabilities CVE-2020-8927, CVE-2022-24464 and CVE-2022-… twitter.com/i/web/status/1… | 2022-03-14 06:07:06 |
Microsoft Security Advisory CVE-2020-8927 \| .NET Remote Code Execution Vulnerability · Issue #30 · PowerShell/Announcements | 2022-03-21 00:08:50 |