7

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-28638

GHSA ID

GHSA-838x-pcvx-6p5w

EPSS Score

0.62106%

CWE

CWE-119

Published

3/27/2023

Updated

3/27/2023

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-28638

CVE-2023-28638: Snappier vulnerable to buffer overrun due to improper restriction of operations within the bounds of a memory buffer

Impact

This is a buffer overrun vulnerability that can affect any user of Snappier 1.1.0. In this release, much of the code was rewritten to use byte references rather than pointers to pinned buffers. This change generally improves performance and reduces workload on the garbage collector. However, when the garbage collector performs compaction and rearranges memory, it must update any byte references on the stack to refer to the updated location. The .NET garbage collector can only update these byte references if they still point within the buffer or to a point one byte past the end of the buffer. If they point outside this area, the buffer itself may be moved while the byte reference stays the same.

There are several places in 1.1.0 where byte references very briefly point outside the valid areas of buffers. These are at locations in the code being used for buffer range checks. While the invalid references are never dereferenced directly, if a GC compaction were to occur during the brief window when they are on the stack then it could invalidate the buffer range check and allow other operations to overrun the buffer.

This should be very difficult for an attacker to trigger intentionally. It would require a repetitive bulk attack with the hope that a GC compaction would occur at precisely the right moment during one of the requests. However, one of the range checks with this problem is a check based on input data in the decompression buffer, meaning malformed input data could be used to increase the chance of success.

Note that any resulting buffer overrun is likely to cause access to protected memory, which will then cause an exception and the process to be terminated. Therefore, the most likely result of an attack is a denial of service.

Patches

This is patched in release 1.1.1.

Workarounds

Pinning any buffers to a fixed location before using them for compression or decompression should mitigate some, but not all, of these cases. At least one temporary decompression buffer is internal to the library and never pinned.

(GitHub Advisory)

7

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-28638

GHSA ID

GHSA-838x-pcvx-6p5w

EPSS Score

0.62106%

CWE

CWE-119

Published

3/27/2023

Updated

3/27/2023

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
Snappier	nuget	= 1.1.0	1.1.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from improper handling of buffer end references. The commit diff shows critical changes in how buffer limits are defined:

In SnappyCompressor.cs, FindMatchLength originally used s2Limit pointing to the last valid byte (input.Length - 1). During range checks, this could temporarily create references outside the buffer when comparing against s2Limit.
In SnappyDecompressor.cs, DecompressAllTags similarly used inputEnd = input.Length - 1, creating the same risk during decompression buffer checks. The patches changed these to use input.Length (one past the end), which is GC-safe. These functions directly handled buffer range validation and were modified to address the core issue described in the advisory.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t T*is is * *u***r ov*rrun vuln*r**ility t**t **n *****t *ny us*r o* Sn*ppi*r *.*.*. In t*is r*l**s*, mu** o* t** *o** w*s r*writt*n to us* *yt* r***r*n**s r*t**r t**n point*rs to pinn** *u***rs. T*is ***n** **n*r*lly improv*s p*r*orm*n** *n

Reasoning

T** vuln*r**ility st*mm** *rom improp*r **n*lin* o* *u***r *n* r***r*n**s. T** *ommit *i** s*ows *riti**l ***n**s in *ow *u***r limits *r* ***in**: *. In Sn*ppy*ompr*ssor.*s, *in*M*t**L*n*t* ori*in*lly us** s*Limit pointin* to t** l*st v*li* *yt* (in

7

Basic Information

Concerned about an active attack path?

CVE-2023-28638: Snappier vulnerable to buffer overrun due to improper restriction of operations within the bounds of a memory buffer

Impact

Patches

Workarounds

7

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI