CVE-2020-36846

Description

A buffer overflow, as described in CVE-2020-8927, exists in the embedded Brotli library.  Versions of IO::Compress::Brotli prior to 0.007 included a version of the brotli library prior to version 1.0.8, where an attacker controlling the input length of a "one-shot" decompression request to a script can trigger a crash, which happens when copying over chunks of data larger than 2 GiB. It is recommended to update your IO::Compress::Brotli module to 0.007 or later. If one cannot update, we recommend to use the "streaming" API as opposed to the "one-shot" API, and impose chunk size limits.

CVSS Metrics

• v4.0•MEDIUM•Score: 6.9CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N
• v3.1•MEDIUM•Score: 5.3CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
• v3.1•CRITICAL•Score: 9.8CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
• v3.1•MEDIUM•Score: 6.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

EPSS Trends

Current EPSS score: 0.54%• Percentile: 68%

Techniques & Countermeasures

• CWE-1395•Dependency on Vulnerable Third-Party Component

  The product has a dependency on a third-party component that contains one or more known vulnerabilities.

• CWE-130•Improper Handling of Length Parameter Inconsistency

  The product parses a formatted message or structure, but it does not handle or incorrectly handles a length field that is inconsistent with the actual length of the associated data.

Affected Systems

• Crates.Io•brotli-sys

  ≥ 0.0.0-0

• Crates.Io•compu-brotli-sys

  ≥ 0.0.0-0, < 1.0.9 | < 1.0.9

• github.com/google•brotli

  all

• google llc•brotli

  ≥ stable, ≤ 1.0.7

• NuGet•Microsoft.NETCore.App.Runtime.AOT.linux-x64.Cross.android-arm

  ≥ 6.0.0, < 6.0.3

• NuGet•Microsoft.NETCore.App.Runtime.AOT.linux-x64.Cross.android-arm64

  ≥ 6.0.0, < 6.0.3

• NuGet•Microsoft.NETCore.App.Runtime.AOT.linux-x64.Cross.android-x64

  ≥ 6.0.0, < 6.0.3

• NuGet•Microsoft.NETCore.App.Runtime.AOT.linux-x64.Cross.android-x86

  ≥ 6.0.0, < 6.0.3

• NuGet•Microsoft.NETCore.App.Runtime.AOT.linux-x64.Cross.browser-wasm

  ≥ 6.0.0, < 6.0.3

• NuGet•Microsoft.NETCore.App.Runtime.AOT.osx-x64.Cross.android-arm

  ≥ 6.0.0, < 6.0.3

• NuGet•Microsoft.NETCore.App.Runtime.AOT.osx-x64.Cross.android-arm64

  ≥ 6.0.0, < 6.0.3

• NuGet•Microsoft.NETCore.App.Runtime.AOT.osx-x64.Cross.android-x64

  ≥ 6.0.0, < 6.0.3

• NuGet•Microsoft.NETCore.App.Runtime.AOT.osx-x64.Cross.android-x86

  ≥ 6.0.0, < 6.0.3

• NuGet•Microsoft.NETCore.App.Runtime.AOT.osx-x64.Cross.browser-wasm

  ≥ 6.0.0, < 6.0.3

• NuGet•Microsoft.NETCore.App.Runtime.AOT.osx-x64.Cross.ios-arm

  ≥ 6.0.0, < 6.0.3

• NuGet•Microsoft.NETCore.App.Runtime.AOT.osx-x64.Cross.ios-arm64

  ≥ 6.0.0, < 6.0.3

• NuGet•Microsoft.NETCore.App.Runtime.AOT.osx-x64.Cross.iossimulator-arm64

  ≥ 6.0.0, < 6.0.3

• NuGet•Microsoft.NETCore.App.Runtime.AOT.osx-x64.Cross.iossimulator-x64

  ≥ 6.0.0, < 6.0.3

• NuGet•Microsoft.NETCore.App.Runtime.AOT.osx-x64.Cross.iossimulator-x86

  ≥ 6.0.0, < 6.0.3

• NuGet•Microsoft.NETCore.App.Runtime.AOT.osx-x64.Cross.maccatalyst-arm64

  ≥ 6.0.0, < 6.0.3

• NuGet•Microsoft.NETCore.App.Runtime.AOT.osx-x64.Cross.maccatalyst-x64

  ≥ 6.0.0, < 6.0.3

• NuGet•Microsoft.NETCore.App.Runtime.AOT.osx-x64.Cross.tvos-arm64

  ≥ 6.0.0, < 6.0.3

• NuGet•Microsoft.NETCore.App.Runtime.AOT.osx-x64.Cross.tvossimulator-arm64

  ≥ 6.0.0, < 6.0.3

• NuGet•Microsoft.NETCore.App.Runtime.AOT.osx-x64.Cross.tvossimulator-x64

  ≥ 6.0.0, < 6.0.3

• NuGet•Microsoft.NETCore.App.Runtime.AOT.win-x64.Cross.android-arm

  ≥ 6.0.0, < 6.0.3

• NuGet•Microsoft.NETCore.App.Runtime.AOT.win-x64.Cross.android-arm64

  ≥ 6.0.0, < 6.0.3

• NuGet•Microsoft.NETCore.App.Runtime.AOT.win-x64.Cross.android-arm64.Msi.x64

  ≥ 6.0.0, < 6.0.3

• NuGet•Microsoft.NETCore.App.Runtime.AOT.win-x64.Cross.android-arm.Msi.x64

  ≥ 6.0.0, < 6.0.3

• NuGet•Microsoft.NETCore.App.Runtime.AOT.win-x64.Cross.android-x64

  ≥ 6.0.0, < 6.0.3

• NuGet•Microsoft.NETCore.App.Runtime.AOT.win-x64.Cross.android-x64.Msi.x64

  ≥ 6.0.0, < 6.0.3

• NuGet•Microsoft.NETCore.App.Runtime.AOT.win-x64.Cross.android-x86

  ≥ 6.0.0, < 6.0.3

• NuGet•Microsoft.NETCore.App.Runtime.AOT.win-x64.Cross.android-x86.Msi.x64

  ≥ 6.0.0, < 6.0.3

• NuGet•Microsoft.NETCore.App.Runtime.AOT.win-x64.Cross.browser-wasm

  ≥ 6.0.0, < 6.0.3

• NuGet•Microsoft.NETCore.App.Runtime.AOT.win-x64.Cross.browser-wasm.Msi.x64

  ≥ 6.0.0, < 6.0.3

• NuGet•Microsoft.NETCore.App.Runtime.browser-wasm

  ≥ 5.0.0, < 5.0.15

• NuGet•Microsoft.NetCore.App.Runtime.linux-arm

  ≥ 3.0.0, < 3.1.23 | ≥ 5.0.0, < 5.0.15 | ≥ 6.0.0, < 6.0.3

• NuGet•Microsoft.NetCore.App.Runtime.linux-arm64

  ≥ 3.0.0, < 3.1.23 | ≥ 5.0.0, < 5.0.15 | ≥ 6.0.0, < 6.0.3

• NuGet•Microsoft.NetCore.App.Runtime.linux-musl-arm

  ≥ 5.0.0, < 5.0.15 | ≥ 6.0.0, < 6.0.3

• NuGet•Microsoft.NetCore.App.Runtime.linux-musl-arm64

  ≥ 3.0.0, < 3.1.23 | ≥ 5.0.0, < 5.0.15 | ≥ 6.0.0, < 6.0.3

• NuGet•Microsoft.NetCore.App.Runtime.linux-musl-x64

  ≥ 5.0.0, < 5.0.15 | ≥ 6.0.0, < 6.0.3

• NuGet•Microsoft.NetCore.App.Runtime.linux-x64

  ≥ 3.0.0, < 3.1.23 | ≥ 5.0.0, < 5.0.15 | ≥ 6.0.0, < 6.0.3

• NuGet•Microsoft.NETCore.App.Runtime.Mono.android-arm

  ≥ 6.0.0, < 6.0.3

• NuGet•Microsoft.NETCore.App.Runtime.Mono.android-arm64

  ≥ 6.0.0, < 6.0.3

• NuGet•Microsoft.NETCore.App.Runtime.Mono.android-arm64.Msi.arm64

  ≥ 6.0.0, < 6.0.3

• NuGet•Microsoft.NETCore.App.Runtime.Mono.android-arm64.Msi.x64

  ≥ 6.0.0, < 6.0.3

• NuGet•Microsoft.NETCore.App.Runtime.Mono.android-arm64.Msi.x86

  ≥ 6.0.0, < 6.0.3

• NuGet•Microsoft.NETCore.App.Runtime.Mono.android-arm.Msi.arm64

  ≥ 6.0.0, < 6.0.3

• NuGet•Microsoft.NETCore.App.Runtime.Mono.android-arm.Msi.x64

  ≥ 6.0.0, < 6.0.3

• NuGet•Microsoft.NETCore.App.Runtime.Mono.android-arm.Msi.x86

  ≥ 6.0.0, < 6.0.3

• NuGet•Microsoft.NETCore.App.Runtime.Mono.android-x64

  ≥ 6.0.0, < 6.0.3

Showing first 50 affected entries in server-rendered view.

References (45)

• https://github.com/google/brotli/pull/826
• https://github.com/advisories/GHSA-5v8v-66v8-mwm7
• https://github.com/timlegge/perl-IO-Compress-Brotli/blob/8b44c83b23bb4658179e1494af4b725a1bc476bc/Changes#L52
• https://nvd.nist.gov/vuln/detail/CVE-2020-8927
• https://github.com/google/brotli/commit/223d80cfbec8fd346e32906c732c8ede21f0cea6
• https://github.com/bitemyapp/brotli2-rs/issues/45
• https://github.com/github/advisory-database/issues/785
• https://www.debian.org/security/2020/dsa-4801
• https://usn.ubuntu.com/4568-1
• https://rustsec.org/advisories/RUSTSEC-2021-0132.html
• https://rustsec.org/advisories/RUSTSEC-2021-0131.html
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZXEQ3GQVELA2T4HNZG7VPMS2HDVXMJRG
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WW62OZEY2GHJL4JCOLJRBSRETXDHMWRK
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W23CUADGMVMQQNFKHPHXVP7RPZJZNN6I
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MQLM7ABVCYJLF6JRPF3M3EBXW63GNC27
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MMBKACMLSRX7JJSKBTR35UOEP2WFR6QP
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M4VCDOJGL6BK3HB4XRD2WETBPYX2ITF6
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/J4E265WKWKYMK2RYYSIXBEGZTDY5IQE6
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4TOGTZ2ZWDH662ZNFFSZVL3M5AJXV6JF
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/356JOYTWW4BWSZ42SEFLV7NYHL3S3AEH
• https://lists.debian.org/debian-lts-announce/2020/12/msg00003.html
• https://github.com/pypa/advisory-database/tree/main/vulns/brotli/PYSEC-2020-29.yaml
• https://github.com/google/brotli/releases/tag/v1.0.9
• https://github.com/google/brotli/releases/tag/v1.0.8
• https://github.com/bitemyapp/brotli2-rs
• http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00108.html
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MMBKACMLSRX7JJSKBTR35UOEP2WFR6QP/
• https://usn.ubuntu.com/4568-1/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WW62OZEY2GHJL4JCOLJRBSRETXDHMWRK/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M4VCDOJGL6BK3HB4XRD2WETBPYX2ITF6/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/J4E265WKWKYMK2RYYSIXBEGZTDY5IQE6/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W23CUADGMVMQQNFKHPHXVP7RPZJZNN6I/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/356JOYTWW4BWSZ42SEFLV7NYHL3S3AEH/
• https://nvd.nist.gov/vuln/detail/CVE-2020-36846
• https://crates.io/crates/brotli-sys
• https://crates.io/crates/compu-brotli-sys
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MMBKACMLSRX7JJSKBTR35UOEP2WFR6QP/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WW62OZEY2GHJL4JCOLJRBSRETXDHMWRK/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/J4E265WKWKYMK2RYYSIXBEGZTDY5IQE6/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M4VCDOJGL6BK3HB4XRD2WETBPYX2ITF6/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/W23CUADGMVMQQNFKHPHXVP7RPZJZNN6I/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/356JOYTWW4BWSZ42SEFLV7NYHL3S3AEH/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZXEQ3GQVELA2T4HNZG7VPMS2HDVXMJRG/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MQLM7ABVCYJLF6JRPF3M3EBXW63GNC27/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4TOGTZ2ZWDH662ZNFFSZVL3M5AJXV6JF/