A buffer overflow exists in the Brotli library versions prior to 1.0.8 where an attacker controlling the input length of a "one-shot" decompression request to a script can trigger a crash, which happens when copying over chunks of data larger than 2 GiB. It is recommended to update your Brotli library to 1.0.8 or later. If one cannot update, we recommend to use the "streaming" API as opposed to the "one-shot" API, and impose chunk size limits.
NOTE: The following CVSS v3.0 metrics and score provided are preliminary and subject to review.
|Base Score:||6.5||Base Metrics:||AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L|
|Access Vector:||Network||Attack Complexity:||Low|
|Privileges Required:||None||User Interaction:||None|
|Integrity Impact:||Low||Availability Impact:||Low|
|Oracle Linux version 8 (brotli)||ELSA-2021-1702||2021-05-25|
|Oracle Linux version 8 (dotnet3.1)||ELSA-2022-0827||2022-03-11|
|Oracle Linux version 8 (dotnet5.0)||ELSA-2022-0830||2022-03-11|
This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections please contact the Oracle Linux ULN team