Marcono1234

**Name of the Vulnerable Software and Affected Versions** lz4 flex versions 0.11.5 and below and 0.12.0 **Description** lz4 flex, a Rust implementation of LZ4 compression/decompression, contains a flaw where decompressing invalid LZ4 data can lead to information disclosure. Specifically, the library does not properly validate offset values during LZ4 "match copy operations," potentially causing out-of-bounds reads from the output buffer. This can result in the leakage of sensitive data from uninitialized memory or from previous decompression operations when reusing an output buffer. The block-based API functions (`decompress into`, `decompress into with dict`, and others when `safe-decode` is disabled) are affected, while frame APIs are not. The issue stems from improper validation of `offset` values during decompression, allowing the copying of data from outside the initialized portion of the output buffer. This can occur in two scenarios: when using the `unsafe` implementation (`safe-decode` feature flag disabled) and when decompressing into a reused output buffer. **Recommendations** lz4 flex versions prior to 0.11.6 are affected. lz4 flex version 0.12.0 is affected. Upgrade to lz4 flex version 0.11.6 or 0.12.1 to resolve the issue. If upgrading is not possible, zero the output buffer before calling `lz4 flex::block::decompress into` or `lz4 flex::block::decompress into with dict`. Enable the `safe-decode` feature flag as a mitigation.

**Name of the Vulnerable Software and Affected Versions** org.lz4:lz4-java versions prior to 1.8.0 **Description** The software contains flaws related to memory handling. Specifically, out-of-bounds memory operations can occur when processing untrusted compressed input. This can lead to a denial of service and potential reading of adjacent memory. **Recommendations** Update to a version newer than 1.8.0.

**Name of the Vulnerable Software and Affected Versions:** Connect2id Nimbus JOSE + JWT versions prior to 10.0.2 **Description:** The software is susceptible to a denial-of-service condition triggered by a deeply nested JSON object within a JWT claim set. This occurs due to uncontrolled recursion during JSON object processing. The issue is independent of a separate problem related to Gson 2.11.0, as the Connect2id product had the capability to validate JSON object nesting depth regardless of any limits imposed by Gson. **Recommendations:** Update Connect2id Nimbus JOSE + JWT to version 10.0.2 or later.

**Name of the Vulnerable Software and Affected Versions** Aircompressor versions prior to 0.27 **Description** The issue concerns the decompressor implementations of Aircompressor, including LZ4, LZO, Snappy, and Zstandard. These decompressors can crash the JVM for certain input and, in some cases, leak the content of other memory of the Java process, which could contain sensitive information. This occurs because the decompressors try to access memory outside the bounds of the given byte arrays or byte buffers, and Aircompressor uses the JDK class `sun.misc.Unsafe` to speed up memory access without performing additional bounds checks. As a result, this can lead to non-deterministic behavior or crash the JVM. When decompressing data from untrusted users, this can be exploited for a denial-of-service attack by crashing the JVM or to leak other sensitive information from the Java process. **Recommendations** Update to Aircompressor 0.27 or newer where these issues have been fixed. As a temporary workaround, consider avoiding the decompression of data from untrusted users to minimize the risk of exploitation. Restrict access to sensitive information within the Java process to reduce the potential impact of a leak.

**Name of the Vulnerable Software and Affected Versions** com.google.code.gson:gson versions prior to 2.8.9 Bitbucket Data Center and Server versions 7.17.0, 7.21.0, 8.7.0, 8.8.0, 8.9.0, 8.10.0, 8.11.0, and 8.12.0 **Description** The issue is related to the deserialization mechanism in the Gson library, which can be exploited by a remote attacker to conduct a denial of service (DoS) attack. This is due to the `writeReplace()` method in internal classes allowing the deserialization of untrusted data. **Recommendations** For com.google.code.gson:gson versions prior to 2.8.9, update to version 2.8.9 or later. For Bitbucket Data Center and Server 7.21, upgrade to a release greater than or equal to 7.21.15. For Bitbucket Data Center and Server 8.9, upgrade to a release greater than or equal to 8.9.4. For Bitbucket Data Center and Server 8.10, upgrade to a release greater than or equal to 8.10.4. For Bitbucket Data Center and Server 8.11, upgrade to a release greater than or equal to 8.11.3. For Bitbucket Data Center and Server 8.12, upgrade to a release greater than or equal to 8.12.1.