CVE-2020-8927

Published: Sep 15, 2020Modified: Nov 21, 2024

6.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

Exploitability: 3.9 / Impact: 2.5

Source: NVD

Description

A buffer overflow exists in the Brotli library versions prior to 1.0.8 where an attacker controlling the input length of a "one-shot" decompression request to a script can trigger a crash, which happens when copying over chunks of data larger than 2 GiB. It is recommended to update your Brotli library to 1.0.8 or later. If one cannot update, we recommend to use the "streaming" API as opposed to the "one-shot" API, and impose chunk size limits.

Affected (21)

Products: Google: Brotli · Debian: Debian Linux · Fedoraproject: Fedora · +3 more

Show all products

Google: Brotli · Debian: Debian Linux · Fedoraproject: Fedora · Canonical: Ubuntu Linux · Opensuse: Leap · Microsoft: .net, .net Core, Powershell, Visual Studio 2019, Visual Studio 2022

1 product

1 product

1 product

1 product

1 product

5 products

Visual Studio 2019

Visual Studio 2022

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Google Brotli	Before 1.0.8

Configuration B

2 vulnerable

Vulnerable Software	Affected Versions
Debian Debian Linux	Version 10.0
Debian Debian Linux	Version 9.0

Configuration C

6 vulnerable

Vulnerable Software	Affected Versions
Fedoraproject Fedora	Version 31
Fedoraproject Fedora	Version 32
Fedoraproject Fedora	Version 33
Fedoraproject Fedora	Version 34
Fedoraproject Fedora	Version 35
Fedoraproject Fedora	Version 36

Configuration D

3 vulnerable

Vulnerable Software	Affected Versions
Canonical Ubuntu Linux	Version 16.04
Canonical Ubuntu Linux	Version 18.04
Canonical Ubuntu Linux	Version 20.04

Configuration E

1 vulnerable

Vulnerable Software	Affected Versions
Opensuse Leap	Version 15.2

Configuration F

8 vulnerable

Vulnerable Software	Affected Versions
Microsoft .net	From 5.0 to 5.0.14
Microsoft .net Core	From 3.1 to 3.1.22
Microsoft Powershell	From 7.0 to 7.0.9
Microsoft Powershell	From 7.1 to 7.1.6
Microsoft Powershell	From 7.2 to 7.2.2
Microsoft Visual Studio 2019	From 16.0 to 16.11
Microsoft Visual Studio 2022	From 17.0 to 17.0.7
Microsoft Visual Studio 2022	Version 17.1

Related CWEs

Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer, leading to a buffer overflow.

Improper Handling of Length Parameter Inconsistency

The product parses a formatted message or structure, but it does not handle or incorrectly handles a length field that is inconsistent with the actual length of the associated data.

References (28)

http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00108.html

Source: cve-coordination@google.com

Mailing ListThird Party Advisory

https://github.com/google/brotli/releases/tag/v1.0.9

Source: cve-coordination@google.com

Release NotesThird Party Advisory

https://lists.debian.org/debian-lts-announce/2020/12/msg00003.html

Source: cve-coordination@google.com

Mailing ListThird Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/356JOYTWW4BWSZ42SEFLV7NYHL3S3AEH/

Source: cve-coordination@google.com

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4TOGTZ2ZWDH662ZNFFSZVL3M5AJXV6JF/

Source: cve-coordination@google.com

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/J4E265WKWKYMK2RYYSIXBEGZTDY5IQE6/

Source: cve-coordination@google.com

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M4VCDOJGL6BK3HB4XRD2WETBPYX2ITF6/

Source: cve-coordination@google.com

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MMBKACMLSRX7JJSKBTR35UOEP2WFR6QP/

Source: cve-coordination@google.com

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MQLM7ABVCYJLF6JRPF3M3EBXW63GNC27/

Source: cve-coordination@google.com

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/W23CUADGMVMQQNFKHPHXVP7RPZJZNN6I/

Source: cve-coordination@google.com

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WW62OZEY2GHJL4JCOLJRBSRETXDHMWRK/

Source: cve-coordination@google.com

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZXEQ3GQVELA2T4HNZG7VPMS2HDVXMJRG/

Source: cve-coordination@google.com

https://usn.ubuntu.com/4568-1/

Source: cve-coordination@google.com

Third Party Advisory

https://www.debian.org/security/2020/dsa-4801

Source: cve-coordination@google.com

Third Party Advisory

http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00108.html

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListThird Party Advisory

https://github.com/google/brotli/releases/tag/v1.0.9

Source: af854a3a-2127-422b-91ae-364da2661108

Release NotesThird Party Advisory

https://lists.debian.org/debian-lts-announce/2020/12/msg00003.html

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListThird Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/356JOYTWW4BWSZ42SEFLV7NYHL3S3AEH/

Source: af854a3a-2127-422b-91ae-364da2661108

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4TOGTZ2ZWDH662ZNFFSZVL3M5AJXV6JF/

Source: af854a3a-2127-422b-91ae-364da2661108

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/J4E265WKWKYMK2RYYSIXBEGZTDY5IQE6/

Source: af854a3a-2127-422b-91ae-364da2661108

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M4VCDOJGL6BK3HB4XRD2WETBPYX2ITF6/

Source: af854a3a-2127-422b-91ae-364da2661108

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MMBKACMLSRX7JJSKBTR35UOEP2WFR6QP/

Source: af854a3a-2127-422b-91ae-364da2661108

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MQLM7ABVCYJLF6JRPF3M3EBXW63GNC27/

Source: af854a3a-2127-422b-91ae-364da2661108

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/W23CUADGMVMQQNFKHPHXVP7RPZJZNN6I/

Source: af854a3a-2127-422b-91ae-364da2661108

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WW62OZEY2GHJL4JCOLJRBSRETXDHMWRK/

Source: af854a3a-2127-422b-91ae-364da2661108

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZXEQ3GQVELA2T4HNZG7VPMS2HDVXMJRG/

Source: af854a3a-2127-422b-91ae-364da2661108

https://usn.ubuntu.com/4568-1/

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://www.debian.org/security/2020/dsa-4801

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.