Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
lz4_flex: Decompression can leak information from uninitialized memory or reused output buffer
Vulnerability Description
lz4_flex is a pure Rust implementation of LZ4 compression/decompression. In versions 0.11.5 and below, and 0.12.0, decompressing invalid LZ4 data can leak sensitive information from uninitialized memory or from previous decompression operations. The library fails to properly validate offset values during LZ4 "match copy operations," allowing out-of-bounds reads from the output buffer. The block-based API functions (`decompress_into`, `decompress_into_with_dict`, and others when `safe-decode` is disabled) are affected, while all frame APIs are unaffected. The impact is potential exposure of sensitive data and secrets through crafted or malformed LZ4 input. This issue has been fixed in versions 0.11.6 and 0.12.1.
CVSS Information
N/A
Vulnerability Type
通过发送数据的信息暴露
Vulnerability Title
lz4_flex 安全漏洞
Vulnerability Description
lz4_flex是PSeitz个人开发者的一个Rust语言的高性能LZ4压缩库。 lz4_flex 0.11.5及之前版本和0.12.0版本存在安全漏洞,该漏洞源于解压无效LZ4数据时存在越界读取,可能导致敏感信息泄露。
CVSS Information
N/A
Vulnerability Type
N/A