CVE-2023-45853

MiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product. NOTE: pyminizip through 0.2.6 is also vulnerable because it bundles an affected zlib version, and exposes the applicable MiniZip code through its compress API.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
mitreCNA
---
---
CISA-ADPADP
8.8 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 69%
VendorProductVersion
zlibzlib
𝑥
< 1.3.1
smihicapyminizip
𝑥
≤ 0.2.6
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
minizip
bullseye
1.1-8+deb11u1
ignored
bookworm
1.1-8+deb12u1
ignored
buster
ignored
zlib
bullseye (security)
vulnerable
bullseye
ignored
bookworm
ignored
buster
ignored
sid
1:1.3.dfsg+really1.3.1-1
fixed
trixie
1:1.3.dfsg+really1.3.1-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
klibc
oracular
not-affected
noble
not-affected
mantic
not-affected
jammy
not-affected
focal
not-affected
bionic
not-affected
xenial
not-affected
trusty
not-affected
rsync
oracular
not-affected
noble
not-affected
mantic
not-affected
lunar
not-affected
jammy
not-affected
focal
not-affected
bionic
not-affected
xenial
not-affected
trusty
not-affected
zlib
oracular
not-affected
noble
not-affected
mantic
not-affected
lunar
not-affected
jammy
not-affected
focal
not-affected
bionic
not-affected
xenial
not-affected
trusty
Fixed 1:1.2.8.dfsg-1ubuntu1.1+esm3
released
Common Weakness Enumeration
References
http://www.openwall.com/lists/oss-security/2023/10/20/9
http://www.openwall.com/lists/oss-security/2024/01/24/10
https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356
https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61
https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4
https://github.com/madler/zlib/pull/843
https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html
https://pypi.org/project/pyminizip/#history
https://security.gentoo.org/glsa/202401-18
https://security.netapp.com/advisory/ntap-20231130-0009/
https://www.winimage.com/zLibDll/minizip.html
http://www.openwall.com/lists/oss-security/2023/10/20/9
http://www.openwall.com/lists/oss-security/2024/01/24/10
https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356
https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61
https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4
https://github.com/madler/zlib/pull/843
https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html
https://pypi.org/project/pyminizip/#history
https://security.gentoo.org/glsa/202401-18
https://security.netapp.com/advisory/ntap-20231130-0009/
https://www.winimage.com/zLibDll/minizip.html