Skip to main content
Version: latest

CVE-2019-17543

CVE Details

Visit the official vulnerability details page for CVE-2019-17543 to learn more.

Initial Publication

10/25/2024

Last Update

12/16/2024

Third Party Dependency

lz4-libs

NIST CVE Summary

LZ4 before 1.9.2 has a heap-based buffer overflow in LZ4_write32 (related to LZ4_compress_destSize), affecting applications that call LZ4_compress_fast with a large input. (This issue can also lead to data corruption.) NOTE: the vendor states "only a few specific / uncommon usages of the API are at risk."

CVE Severity

8.1

Our Official Summary

LZ4 before 1.9.2 has a heap-based buffer overflow in LZ4_write32 (related to LZ4_compress_destSize), affecting applications that call LZ4_compress_fast with a large input. (This issue can also lead to data corruption.) NOTE: the vendor states "only a few specific / uncommon usages of the API are at risk.

There is no documented instance of the third party images where this vulnerability is reported being affected by this API. In order to exploit this vulnerability, an attacker needs to get privileges access to this container and execute code which the container have controls in place to prevent. Impact of exploitation is also low, since any denial of service will be restricted to the container function.Waiting on a fix from third party mongodb vendor

Status

Ongoing

Affected Products & Versions

VersionPalette EnterprisePalette Enterprise AirgapVerteXVerteX Airgap
4.5.15⚠️ Impacted✅ No Impact⚠️ Impacted✅ No Impact
4.5.11⚠️ Impacted✅ No Impact⚠️ Impacted✅ No Impact
4.5.10⚠️ Impacted✅ No Impact⚠️ Impacted✅ No Impact
4.5.8⚠️ Impacted✅ No Impact⚠️ Impacted✅ No Impact
4.5.5⚠️ Impacted✅ No Impact⚠️ Impacted✅ No Impact
4.5.4⚠️ Impacted✅ No Impact⚠️ Impacted✅ No Impact
4.4.20⚠️ Impacted✅ No Impact⚠️ Impacted✅ No Impact

Revision History

DateRevision
12/16/2024Impacted versions changed from 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10, 4.5.11 to 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10, 4.5.11, 4.5.15
12/02/2024Official summary revised: LZ4 before 1.9.2 has a heap-based buffer overflow in LZ4_write32 (related to LZ4_compress_destSize), affecting applications that call LZ4_compress_fast with a large input. (This issue can also lead to data corruption.) NOTE: the vendor states "only a few specific / uncommon usages of the API are at risk.There is no documented instance of the third party images where this vulnerability is reported being affected by this API. In order to exploit this vulnerability, an attacker needs to get privileges access to this container and execute code which the container have controls in place to prevent. Impact of exploitation is also low, since any denial of service will be restricted to the container function.Waiting on a fix from third party mongodb vendor
11/15/2024Impacted versions changed from 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10 to 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10, 4.5.11
11/15/2024Impacted versions changed from 4.5.4, 4.5.5, 4.5.8, 4.4.20 to 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10
11/14/2024Impacted versions changed from 4.5.4, 4.5.5, 4.5.8 to 4.5.4, 4.5.5, 4.5.8, 4.4.20
11/10/2024Impacted versions changed from 4.5.4, 4.5.5 to 4.5.4, 4.5.5, 4.5.8
10/27/2024Impacted versions changed from 4.5.4 to 4.5.4, 4.5.5