Home > Vulnerability Database > CVE-2024-36124

Mend.io Vulnerability Database

CVE-2024-36124

Good to know:

Date: June 3, 2024

iq80 Snappy is a compression/decompression library. When uncompressing certain data, Snappy tries to read outside the bounds of the given byte arrays. Because Snappy uses the JDK class "sun.misc.Unsafe" to speed up memory access, no additional bounds checks are performed and this has similar security consequences as out-of-bounds access in C or C++, namely it can lead to non-deterministic behavior or crash the JVM. iq80 Snappy is not actively maintained anymore. As quick fix users can upgrade to version 0.5. Since org.iq80.snappy:snappy is not maintained anymore, in the long term users should prefer migrating to the Snappy implementation in the artifact io.airlift:aircompressor, version 0.27 and higher.

Language: Java

Severity Score

5.3

Related Resources (4)

Url: https://github.com/dain/snappy/security/advisories/GHSA-8wh2-6qhj-h7j9

Url: https://github.com/dain/snappy

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-36124

Url: https://www.mend.io/vulnerability-database/CVE-2024-36124

Severity Score

5.3

Weakness Type (CWE)

Out-of-bounds Read

CWE-125

Top Fix

Upgrade Version

Upgrade to version org.iq80.snappy:snappy:0.5

Learn More

CVSS v3.1

Base Score:	5.3
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	NONE
Availability (A):	LOW

Mend.io Vulnerability Database

We found results for “”

CVE-2024-36124

Good to know:

Date: June 3, 2024

Language: Java

Severity Score

Related Resources (4)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?