Base Score

HIGH7.5

CVE-2023-3635

GzipSource does not handle an exception that might be raised when parsing a malformed gzip buffer. This may lead to denial of service of the Okio client when handling a crafted GZIP archive, by using the GzipSource class.

VectorNETWORK

Published Byreefs@jfrog.com

Published DateJul 12, 2023, 19:15

Affected Versions(3)

com.squareup.okio:okio(Maven)

Introduced2.0.0-RC1

Fixed3.4.0

LimitN/A

com.squareup.okio:okio(Maven)

Introduced0

Fixed1.17.6

LimitN/A

com.squareup.okio:okio-jvm(Maven)

Introduced2.0.0-RC1

Fixed3.4.0

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
com.squareup.okio:okio(Maven)	2.0.0-RC1	3.4.0	N/A
com.squareup.okio:okio(Maven)	0	1.17.6	N/A
com.squareup.okio:okio-jvm(Maven)	2.0.0-RC1	3.4.0	N/A

Weakness Type (CWE):CWE-681

CVSS Metrics

Base Score

7.5

Vector String

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Base Severity

HIGH

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

NONE

User Interaction (UI)

NONE

Scope (S)

UNCHANGED

Confidentiality (C)

NONE

Integrity (I)

NONE

Availability (A)

HIGH

References

Base Score

HIGH7.5

Weakness Type (CWE):CWE-681

CVSS Metrics

Base Score

7.5

Vector String

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Base Severity

HIGH

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

NONE

User Interaction (UI)

NONE

Scope (S)

UNCHANGED

Confidentiality (C)

NONE

Integrity (I)

NONE

Availability (A)

HIGH