CVE-2023-45853
CVE Details
Last Update
11/7/24
NIST CVE Summary
MiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product. NOTE: pyminizip through 0.2.6 is also vulnerable because it bundles an affected zlib version, and exposes the applicable MiniZip code through its compress API.
Our Official Summary
This vulnerability is reported in some of the third-party CNI images used by our products, such as multus-cni. The heap-based buffer overflow can be triggered through a long filename, comment, or extra field. The risk scenario is low for the following reasons: these images are optional and are installed only when the deployment configuration requires them; there are no known reports of exploitation from the third-party vendors; and these images are not directly accessible to an attacker who would need to supply crafted input. We will upgrade the images when fixes become available from the vendors.
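The summaries above describe the defect as an integer overflow in the arithmetic that sizes a ZIP entry header, followed by a heap overflow when the oversized name, extra field, or comment is copied into the too-small buffer. The following C snippet is an added illustration, not zlib, MiniZip, or vendor code: it shows how an unchecked 32-bit sum of the three lengths wraps, and a defensive pre-check that a caller can apply before handing entry metadata to any ZIP writer. The 16-bit limit and the 46-byte fixed central-header size come from the ZIP format specification; the function names and the `fixed` parameter are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* ZIP headers store the filename, extra-field and comment lengths of an
 * entry in 16-bit fields, so any length above 0xFFFF cannot be encoded. */
#define ZIP_FIELD_MAX 0xFFFFu

/* Fixed size of a central directory header (46 bytes per the ZIP spec). */
#define ZIP_CENTRAL_HEADER_FIXED 46u

/* 32-bit addition with wrap detection; unsigned wrap is well defined in C,
 * which is exactly why a wrapped result silently becomes a small size. */
static int add_u32(uint32_t a, uint32_t b, uint32_t *out)
{
    *out = a + b;
    return *out < a;   /* 1 if the addition wrapped */
}

/* Models an unchecked "fixed + name + extra + comment" header-size
 * computation done in 32-bit arithmetic. Returns the possibly wrapped size
 * and sets *wrapped to 1 if any step overflowed. Casting size_t to uint32_t
 * also truncates lengths that do not fit in 32 bits, so those are flagged. */
uint32_t zip_header_size_u32(uint32_t fixed, size_t name_len, size_t extra_len,
                             size_t comment_len, int *wrapped)
{
    uint32_t total = fixed;
    int w = 0;
    if (name_len > UINT32_MAX || extra_len > UINT32_MAX || comment_len > UINT32_MAX)
        w = 1;
    w |= add_u32(total, (uint32_t)name_len, &total);
    w |= add_u32(total, (uint32_t)extra_len, &total);
    w |= add_u32(total, (uint32_t)comment_len, &total);
    *wrapped = w;
    return total;
}

/* Convenience predicate: does the unchecked computation wrap for these lengths? */
int zip_header_size_wraps(uint32_t fixed, size_t name_len, size_t extra_len,
                          size_t comment_len)
{
    int wrapped = 0;
    (void)zip_header_size_u32(fixed, name_len, extra_len, comment_len, &wrapped);
    return wrapped;
}

/* Defensive pre-check for callers: reject any entry whose metadata cannot be
 * represented in the 16-bit on-disk fields. A length that passes this check
 * can never make the 32-bit header-size sum wrap (3 * 0xFFFF + 46 fits easily). */
int zip_entry_lengths_ok(const char *filename, size_t extra_len, size_t comment_len)
{
    size_t name_len = filename ? strlen(filename) : 0;
    return name_len <= ZIP_FIELD_MAX &&
           extra_len <= ZIP_FIELD_MAX &&
           comment_len <= ZIP_FIELD_MAX;
}
```

The pre-check is the practical takeaway for anyone wrapping a ZIP-writing library: bound each of the three lengths to what the format can actually encode before the library computes buffer sizes, rather than relying on the library to notice that a 32-bit accumulator has wrapped.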
CVE Severity
Status
Ongoing
Affected Products & Versions
- Palette VerteX 4.5.3, 4.5.8
- Palette Enterprise 4.5.3, 4.5.8
Revision History
- 1.0 10/14/2024 Initial Publication
- 2.0 10/14/2024 Added Palette Enterprise & Palette VerteX 4.5.3 to Affected Products
- 3.0 10/14/2024 Added Palette VerteX and Palette Enterprise 4.5.8 to Affected Products