IM
IronMonkey Threat Research

CVE-2023-45853 CRITICAL

Published: 2023-10-14 | Last Modified: 2026-07-14 | Status: Modified

Description

MiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product. NOTE: pyminizip through 0.2.6 is also vulnerable because it bundles an affected zlib version, and exposes the applicable MiniZip code through its compress API.

Additional Descriptions (1)

MiniZip en zlib hasta 1.3 tiene un desbordamiento de enteros y un desbordamiento de búfer basado en montón resultante en zipOpenNewFileInZip4_64 a través de un nombre de archivo largo, un comentario o un campo adicional. NOTA: MiniZip no es una parte compatible del producto zlib.

CVSS Metrics

Base Score: 9.8 (CRITICAL)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack VectorNETWORK
Attack ComplexityLOW
Privileges RequiredNONE
User InteractionNONE
ScopeUNCHANGED
Confidentiality ImpactHIGH
Integrity ImpactHIGH
Availability ImpactHIGH

Source: [email protected]

Type: Primary

Exploitability Score: 3.9

Impact Score: 5.9

Weaknesses

Source Type Description
[email protected] Primary
en CWE-190
134c704f-9b21-4f2e-91b3-4a467353bcc0 Secondary
en CWE-190

Affected Products

Vendor Product Version Update Type
zlib zlib * <built-in method update of dict object at 0x702bdd2d6d80> Application
smihica pyminizip * <built-in method update of dict object at 0x702bdd5168c0> Application

Affected Configurations

Operator: OR

Vulnerable CPE
Yes cpe:2.3:a:zlib:zlib:*:*:*:*:*:*:*:*

Operator: OR

Vulnerable CPE
Yes cpe:2.3:a:smihica:pyminizip:*:*:*:*:*:python:*:*

References

Notification
Message here