CVE-2024-36114: Decompressors can crash the JVM and leak memory content in Aircompressor
All decompressor implementations of Aircompressor (LZ4, LZO, Snappy, Zstandard) can crash the JVM for certain input, and in some cases also leak the content of other memory of the Java process (which could contain sensitive information).
References
- github.com/advisories/GHSA-973x-65j7-xcf4
- github.com/airlift/aircompressor
- github.com/airlift/aircompressor/commit/15e68df9eb0c2bfde7f796231ee7cd1982965071
- github.com/airlift/aircompressor/commit/2cea90a45534f9aacbb77426fb64e975504dee6e
- github.com/airlift/aircompressor/commit/cf66151541edb062ea88b6f3baab3f95e48b7b7f
- github.com/airlift/aircompressor/commit/d01ecb779375a092d00e224abe7869cdf49ddc3e
- github.com/airlift/aircompressor/security/advisories/GHSA-973x-65j7-xcf4
- nvd.nist.gov/vuln/detail/CVE-2024-36114
Code Behaviors & Features
Detect and mitigate CVE-2024-36114 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →