blob: 52c6c189cd10bb7306d8fa675da70f93886b3c37 [file] [log] [blame]
id: GO-2020-0022
modules:
- module: github.com/cloudflare/golz4
versions:
- fixed: 0.0.0-20140711154735-199f5f787806
vulnerable_at: 0.0.0-20140711153818-2dcef6a6aeec
packages:
- package: github.com/cloudflare/golz4
symbols:
- Uncompress
summary: Out-of-bounds write in github.com/cloudflare/golz4
description: |-
LZ4 bindings use a deprecated C API that is vulnerable to memory corruption,
which could lead to arbitrary code execution if called with untrusted user
input.
published: 2021-04-14T20:04:52Z
ghsas:
- GHSA-4wp2-8rm2-jgmh
credits:
- Yann Collet
references:
- fix: https://github.com/cloudflare/golz4/commit/199f5f7878062ca17a98e079f2dbe1205e2ed898
- web: https://github.com/cloudflare/golz4/issues/5
cve_metadata:
id: CVE-2014-125026
cwe: 'CWE 94: Improper Control of Generation of Code (''Code Injection'')'
review_status: REVIEWED