CVE-2024-36124 – iq80 Snappy has an out-of-bounds read when uncompressing data, leading to JVM crash
https://notcve.org/view.php?id=CVE-2024-36124
iq80 Snappy is a compression/decompression library. When uncompressing certain data, Snappy tries to read outside the bounds of the given byte arrays. Because Snappy uses the JDK class `sun.misc.Unsafe` to speed up memory access, no additional bounds checks are performed, and this has security consequences similar to an out-of-bounds access in C or C++: it can lead to non-deterministic behavior or crash the JVM. iq80 Snappy is no longer actively maintained. As a quick fix, users can upgrade to version 0.5.
References: https://github.com/dain/snappy/security/advisories/GHSA-8wh2-6qhj-h7j9
Weakness: CWE-125: Out-of-bounds Read
CVE-2023-41330 – Unsafe deserialization in knplabs/knp-snappy
https://notcve.org/view.php?id=CVE-2023-41330
knplabs/knp-snappy is a PHP library allowing thumbnail, snapshot or PDF generation from a URL or an HTML page. On March 17th the vulnerability CVE-2023-28115 was disclosed, allowing an attacker to gain remote code execution through PHAR deserialization. Version 1.4.2 added a check, `if (\strpos($filename, 'phar://') === 0)`, in the `prepareOutput` function to resolve this CVE; however, if the user is able to control the second parameter of the `generateFromHtml()` function of Snappy, it is then passed as the `$filename` parameter to the `prepareOutput()` function. In the original vulnerability, a file name with a `phar://` wrapper could be sent to the `fileExists()` function, equivalent to the `file_exists()` PHP function. This allowed users to trigger a deserialization on arbitrary PHAR files. To fix this issue, the string is now passed to the `strpos()` function and, if it starts with `phar://`, an exception is raised.
References: https://github.com/KnpLabs/snappy/commit/d3b742d61a68bf93866032c2c0a7f1486128b67e
https://github.com/KnpLabs/snappy/security/advisories/GHSA-92rv-4j2h-8mjj
https://github.com/KnpLabs/snappy/security/advisories/GHSA-gq6w-q6wh-jggc
Weakness: CWE-502: Deserialization of Untrusted Data
CVE-2023-28115 – Snappy vulnerable to PHAR deserialization, allowing remote code execution
https://notcve.org/view.php?id=CVE-2023-28115
Snappy is a PHP library allowing thumbnail, snapshot or PDF generation from a URL or an HTML page. Prior to version 1.4.2, Snappy is vulnerable to PHAR deserialization because the protocol is not checked before the path is passed into the `file_exists()` function. If an attacker can upload files of any type to the server, they can pass in the `phar://` protocol to unserialize the uploaded file and instantiate arbitrary PHP objects. This can lead to remote code execution, especially when Snappy is used with frameworks that have documented POP chains, such as Laravel or Symfony, or with vulnerable developer code. If a user can control the output file from the `generateFromHtml()` function, it will invoke deserialization.
References: https://github.com/KnpLabs/snappy/blob/5126fb5b335ec929a226314d40cd8dad497c3d67/src/Knp/Snappy/AbstractGenerator.php#L670
https://github.com/KnpLabs/snappy/commit/1ee6360cbdbea5d09705909a150df7963a88efd6
https://github.com/KnpLabs/snappy/commit/b66f79334421c26d9c244427963fa2d92980b5d3
https://github.com/KnpLabs/snappy/pull/469
https://github.com/KnpLabs/snappy/releases/tag/v1.4.2
https://github.com/KnpLabs/snappy/security/advisories/GHSA-gq6w-q6wh-jggc
Weakness: CWE-502: Deserialization of Untrusted Data