| id: GO-2020-0022 |
| modules: |
| - module: github.com/cloudflare/golz4 |
| versions: |
| - fixed: 0.0.0-20140711154735-199f5f787806 |
| vulnerable_at: 0.0.0-20140711153818-2dcef6a6aeec |
| packages: |
| - package: github.com/cloudflare/golz4 |
| symbols: |
| - Uncompress |
| summary: Out-of-bounds write in github.com/cloudflare/golz4 |
| description: |- |
| LZ4 bindings use a deprecated C API that is vulnerable to memory corruption, |
| which could lead to arbitrary code execution if called with untrusted user |
| input. |
| published: 2021-04-14T20:04:52Z |
| ghsas: |
| - GHSA-4wp2-8rm2-jgmh |
| credits: |
| - Yann Collet |
| references: |
| - fix: https://github.com/cloudflare/golz4/commit/199f5f7878062ca17a98e079f2dbe1205e2ed898 |
| - web: https://github.com/cloudflare/golz4/issues/5 |
| cve_metadata: |
| id: CVE-2014-125026 |
| cwe: 'CWE 94: Improper Control of Generation of Code (''Code Injection'')' |
| review_status: REVIEWED |