Vulnerability DatabaseCVE-2023-45853
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2023-45853
October 14, 2023
MiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product. NOTE: pyminizip through 0.2.6 is also vulnerable because it bundles an affected zlib version, and exposes the applicable MiniZip code through its compress API.
Affected Packages
zlib (CONAN):
Affected version(s) >=1.2.11 <1.3.1
Fix Suggestion:
Update to version 1.3.1
Related Resources (16)
https://security.netapp.com/advisory/ntap-20231130-0009
https://nvd.nist.gov/vuln/detail/CVE-2023-45853
https://github.com/smihica/pyminizip/blob/master/zlib-1.2.11/contrib/minizip/zip.c
https://github.com/madler/zlib/pull/843
https://www.winimage.com/zLibDll/minizip.html
https://github.com/smihica/pyminizip
https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356
https://security.netapp.com/advisory/ntap-20231130-0009/
https://security.gentoo.org/glsa/202401-18
http://www.openwall.com/lists/oss-security/2024/01/24/10
https://pypi.org/project/pyminizip/#history
https://github.com/madler/zlib/commit/73331a6a0481067628f065ffe87bb1d8f787d10c
https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4
http://www.openwall.com/lists/oss-security/2023/10/20/9
https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html
https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61
Do you need more information?
Contact Us
CVSS v4
Base Score:
8.7
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
PASSIVE
Vulnerable System Confidentiality
HIGH
Vulnerable System Integrity
HIGH
Vulnerable System Availability
HIGH
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
9.8
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
HIGH
Weakness Type (CWE)
Integer Overflow or Wraparound
CWE-190
EPSS
Base Score:
1.40