CVE-2020-36403

Name of the Vulnerable Software and Affected Versions HTSlib versions prior to 1.10.2

Description The issue is related to the vcf parse format function in the HTSlib library, which does not properly check for excessive record size, allowing only individual fields to be checked. This can be exploited by a remote attacker to access confidential data, compromise data integrity, and cause a denial of service. The vcf parse format function, called from vcf parse and vcf read, allows out-of-bounds write access.

Recommendations For versions prior to 1.10.2, update to version 1.10.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the vcf parse format function until a patch is available. Avoid using the vcf parse and vcf read functions in conjunction with vcf parse format until the issue is resolved.