ID CVE-2019-17543
Summary LZ4 before 1.9.2 has a heap-based buffer overflow in LZ4_write32 (related to LZ4_compress_destSize), affecting applications that call LZ4_compress_fast with a large input. (This issue can also lead to data corruption.) NOTE: the vendor states "only a few specific / uncommon usages of the API are at risk."
References
Vulnerable Configurations
  • cpe:2.3:a:lz4_project:lz4:1.7.3:*:*:*:*:*:*:*
  • cpe:2.3:a:lz4_project:lz4:1.7.4:*:*:*:*:*:*:*
  • cpe:2.3:a:lz4_project:lz4:1.7.4.2:*:*:*:*:*:*:*
  • cpe:2.3:a:lz4_project:lz4:1.7.5:*:*:*:*:*:*:*
  • cpe:2.3:a:lz4_project:lz4:1.8.0:*:*:*:*:*:*:*
  • cpe:2.3:a:lz4_project:lz4:1.8.1:*:*:*:*:*:*:*
  • cpe:2.3:a:lz4_project:lz4:1.8.1.2:*:*:*:*:*:*:*
  • cpe:2.3:a:lz4_project:lz4:1.8.2:*:*:*:*:*:*:*
  • cpe:2.3:a:lz4_project:lz4:1.8.3:*:*:*:*:*:*:*
  • cpe:2.3:a:lz4_project:lz4:1.9.0:*:*:*:*:*:*:*
  • cpe:2.3:a:lz4_project:lz4:1.9.1:*:*:*:*:*:*:*
CVSS
Base: 6.8 (as of 23-07-2021 - 12:15)
Impact:
Exploitability:
CWE CWE-787
CAPEC
Access
Vector: NETWORK
Complexity: MEDIUM
Authentication: NONE
Impact
Confidentiality: PARTIAL
Integrity: PARTIAL
Availability: PARTIAL
cvss-vector via4 AV:N/AC:M/Au:N/C:P/I:P/A:P
refmap via4
misc
mlist
  • [arrow-dev] 20191024 [jira] [Created] (ARROW-6984) Update LZ4 to 1.9.2 for CVE-2019-17543
  • [arrow-issues] 20191024 [jira] [Assigned] (ARROW-6984) [C++] Update LZ4 to 1.9.2 for CVE-2019-17543
  • [arrow-issues] 20191024 [jira] [Created] (ARROW-6984) Update LZ4 to 1.9.2 for CVE-2019-17543
  • [arrow-issues] 20191024 [jira] [Updated] (ARROW-6984) [C++] Update LZ4 to 1.9.2 for CVE-2019-17543
  • [arrow-issues] 20191025 [jira] [Commented] (ARROW-6984) [C++] Update LZ4 to 1.9.2 for CVE-2019-17543
  • [arrow-issues] 20191106 [jira] [Resolved] (ARROW-6984) [C++] Update LZ4 to 1.9.2 for CVE-2019-17543
  • [kudu-issues] 20200621 [jira] [Updated] (KUDU-3156) Whether the CVE-2019-17543 vulnerability of lz affects kudu
  • [kudu-issues] 20200709 [jira] [Resolved] (KUDU-3156) Whether the CVE-2019-17543 vulnerability of lz affects kudu
suse
  • openSUSE-SU-2019:2398
  • openSUSE-SU-2019:2399
Last major update 23-07-2021 - 12:15
Published 14-10-2019 - 02:15
Last modified 23-07-2021 - 12:15