CVE-2023-43642

MITRE NVD CVE.ORG Print: PDF PDF

Summary

CVECVE-2023-43642
StatePUBLIC
Assigner[email protected]
Source PriorityCVE Program / NVD first with legacy fallback
Published2023-09-25 20:15:00 UTC
Updated2023-09-26 15:46:00 UTC
Descriptionsnappy-java is a Java port of the snappy, a fast C++ compresser/decompresser developed by Google. The SnappyInputStream was found to be vulnerable to Denial of Service (DoS) attacks when decompressing data with a too large chunk size. Due to missing upper bound check on chunk length, an unrecoverable fatal error can occur. All versions of snappy-java including the latest released version 1.1.10.3 are vulnerable to this issue. A fix has been introduced in commit `9f8c3cf74` which will be included in the 1.1.10.4 release. Users are advised to upgrade. Users unable to upgrade should only accept compressed data from trusted sources.

Risk And Classification

Problem Types: CWE-770

NVD Known Affected Configurations (CPE 2.3)

TypeVendorProductVersionUpdateEditionLanguage
Application Xerial Snappy-java All All All All

References

ReferenceSourceLinkTags
Missing upper bound check on chunk length in snappy-java can lead to Denial of Service (DoS) impact · Advisory · xerial/snappy-java · GitHub MISC github.com
Merge pull request from GHSA-55g7-9cwv-5qfv · xerial/snappy-java@9f8c3cf · GitHub MISC github.com
CVE Program record CVE.ORG www.cve.org canonical
NVD vulnerability detail NVD nvd.nist.gov canonical, analysis

Legacy QID Mappings

  • 20391 IBM DB2 Denial of Service (DoS) Vulnerability (7087234)
  • 379560 Atlassian Bitbucket Data Center and Server org.xerial.snappy:snappy-java Dependency Denial of Service (DoS) Vulnerability (BSERV-19100)
  • 731311 Atlassian Jira Software Data Center and Server Denial of Service (DoS) Vulnerability (JSWSERVER-25791)
  • 995402 Java (Maven) Security Update for org.xerial.snappy:snappy-java (GHSA-55g7-9cwv-5qfv)
© CVE.report 2026 |

Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.

CVE, CWE, and OVAL are registred trademarks of The MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. This site includes MITRE data granted under the following license.

CVE.report and Source URL Uptime Status status.cve.report