CVE-2023-6992

2024-01-0412:15:23

Alpine Linux Development Team

security.alpinelinux.org

cloudflare

zlib

memory corruption

deflate.c

input validation

buffer overflow

denial of service

patch

github

unix

CVSS3

5.5

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

AI Score

7.1

Confidence

High

EPSS

Percentile

5.1%

JSON

Cloudflare version of zlib library was found to be vulnerable to memory corruption issues affecting the deflation algorithm implementation (deflate.c). The issues resulted from improper input validation and heap-based buffer overflow.
A local attacker could exploit the problem during compression using a crafted malicious file potentially leading to denial of service of the software.
Patches: The issue has been patched in commit 8352d10 https://github.com/cloudflare/zlib/commit/8352d108c05db1bdc5ac3bdf834dad641694c13c . The upstream repository is not affected.

OSVersionArchitecturePackageVersionFilename
Alpine3.18-mainnoarchzlib= 1.2.13-r1UNKNOWN
Alpine3.17-mainnoarchzlib= 1.2.13-r0UNKNOWN
Alpine3.16-mainnoarchzlib= 1.2.12-r3UNKNOWN
Alpine3.19-mainnoarchzlib= 1.3.1-r0UNKNOWN
Alpineedge-mainnoarchzlib< 0UNKNOWN
Alpine3.20-mainnoarchzlib< 0UNKNOWN

OS	Version	Architecture	Package	Version	Filename
Alpine	3.18-main	noarch	zlib	= 1.2.13-r1	UNKNOWN
Alpine	3.17-main	noarch	zlib	= 1.2.13-r0	UNKNOWN
Alpine	3.16-main	noarch	zlib	= 1.2.12-r3	UNKNOWN
Alpine	3.19-main	noarch	zlib	= 1.3.1-r0	UNKNOWN
Alpine	edge-main	noarch	zlib	< 0	UNKNOWN
Alpine	3.20-main	noarch	zlib	< 0	UNKNOWN