high severity
- Vulnerable module: org.lz4:lz4-java
- Introduced through: org.apache.kafka:kafka-clients@3.9.1
Detailed paths
- Introduced through: laserdisc-io/tamer@laserdisc-io/tamer#ab863a08239491dbd0a3a19238b55caa90262a4b › org.apache.kafka:kafka-clients@3.9.1 › org.lz4:lz4-java@1.8.0
Overview
org.lz4:lz4-java is a Java port of the LZ4 compression algorithm and the xxHash hashing algorithm.
Affected versions of this package are vulnerable to Out-of-bounds Read due to the use of the insecure LZ4_decompress_fast in the underlying lz4 library, which lacks bounds checks. An attacker can cause denial of service or access sensitive memory contents by providing specially crafted compressed input.
Workaround
- Applications using LZ4Factory.nativeInstance() in conjunction with .fastDecompressor() can switch to .safeInstance() or .safeDecompressor().
- Applications using LZ4Factory.unsafeInstance(), .fastestInstance() or .fastestJavaInstance() can switch to .safeInstance().
Notes
The official org.lz4:lz4-java library has not been patched and the project is discontinued. org.lz4:lz4-java:1.8.1 relocates the package to at.yawk.lz4:lz4-java, a community-maintained fork of the library that fixes this vulnerability.
Remediation
Upgrade org.lz4:lz4-java to version 1.8.1 or higher.
medium severity
- Module: ch.qos.logback:logback-classic
- Introduced through: ch.qos.logback:logback-classic@1.5.21
Detailed paths
- Introduced through: laserdisc-io/tamer@laserdisc-io/tamer#ab863a08239491dbd0a3a19238b55caa90262a4b › ch.qos.logback:logback-classic@1.5.21
Dual license: EPL-1.0, LGPL-2.1
medium severity
- Module: ch.qos.logback:logback-core
- Introduced through: ch.qos.logback:logback-classic@1.5.21
Detailed paths
- Introduced through: laserdisc-io/tamer@laserdisc-io/tamer#ab863a08239491dbd0a3a19238b55caa90262a4b › ch.qos.logback:logback-classic@1.5.21 › ch.qos.logback:logback-core@1.5.21
Dual license: EPL-1.0, LGPL-2.1