
CVE-2023-3635: Okio Signed to Unsigned Conversion Error vulnerability

CVSS Score (v3.1): 5.9

Basic Information

EPSS Score: 0.47919%
Published: 7/12/2023
Updated: 11/27/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name               | Ecosystem | Vulnerable Versions    | First Patched Version
---------------------------|-----------|------------------------|----------------------
com.squareup.okio:okio     | maven     | >= 2.0.0-RC1, < 3.4.0  | 3.4.0
com.squareup.okio:okio     | maven     | < 1.17.6               | 1.17.6
com.squareup.okio:okio-jvm | maven     | >= 2.0.0-RC1, < 3.4.0  | 3.4.0

Vulnerability Intelligence

Root Cause Analysis

The vulnerability lies in the misinterpretation of the 'xlen' field in the GZIP header, treating it as signed instead of unsigned. This leads to an exception when xlen is large (e.g. >= 0x8000), which GzipSource fails to handle, resulting in a Denial of Service.

Two commits were analyzed:

  1. Commit b4fa875dc24950680c386e4b1c593660ce4f7839 (Java version): The patch clearly modifies the consumeHeader() method within okio.GzipSource to correctly interpret xlen as an unsigned value (& 0xffff). This method directly contains the vulnerable logic.
  2. Commit 81bce1a30af244550b0324597720e4799281da7b (Kotlin version): The patch modifies the header processing logic within the okio.GzipSource class to correctly interpret xlen by converting it to Int, masking with 0xffff, and then converting to Long. While the private method that parses the header is not named in the diff, this logic runs during the public read() method. read() is the entry point for processing the GZIP stream, so it is where the unhandled exception caused by the faulty xlen interpretation in the code it calls would ultimately surface.

Both identified functions are directly involved in the vulnerable processing of the xlen field. The Java version explicitly names consumeHeader. For the Kotlin version, read is the public API that orchestrates the vulnerable header parsing logic shown in the patch.
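The following is an added illustration of the sign-extension problem described above; it is not Okio's code and does not reproduce GzipSource. It builds a constructed RFC 1952 header with the FEXTRA flag set and an XLEN of 0x8000, then reads the two little-endian XLEN bytes once as a Java signed short (the pre-patch interpretation) and once masked with 0xffff (the fix applied in both commits). The class and method names (GzipXlenDemo, xlenSigned, xlenUnsigned, headerWithExtra, extraLength) are hypothetical.

```java
import java.nio.ByteBuffer;
import java.nio.ByteOrder;

/**
 * Added illustration (not Okio's code): why an FEXTRA length read as a signed
 * short goes negative for xlen >= 0x8000, and what masking with 0xffff changes.
 */
public class GzipXlenDemo {
    // FLG bit meaning "an extra field follows the fixed header" (RFC 1952).
    static final int FEXTRA = 0x04;

    /** Pre-patch interpretation: XLEN as a Java signed short, sign-extended to long. */
    static long xlenSigned(byte lo, byte hi) {
        short s = (short) ((lo & 0xff) | ((hi & 0xff) << 8));
        return s; // 0x8000 sign-extends to -32768
    }

    /** Patched interpretation: mask with 0xffff so the result is the unsigned 0..65535 the format defines. */
    static long xlenUnsigned(byte lo, byte hi) {
        short s = (short) ((lo & 0xff) | ((hi & 0xff) << 8));
        return s & 0xffffL; // 0x8000 stays 32768
    }

    /** Constructed 12-byte GZIP header (ID1 ID2 CM FLG MTIME XFL OS XLEN) with FEXTRA set. */
    static byte[] headerWithExtra(int xlen) {
        ByteBuffer b = ByteBuffer.allocate(12).order(ByteOrder.LITTLE_ENDIAN);
        b.put((byte) 0x1f).put((byte) 0x8b); // ID1, ID2 magic bytes
        b.put((byte) 8);                     // CM = deflate
        b.put((byte) FEXTRA);                // FLG: only FEXTRA set
        b.putInt(0);                         // MTIME
        b.put((byte) 0).put((byte) 0xff);    // XFL, OS (unknown)
        b.putShort((short) xlen);            // XLEN, little-endian
        return b.array();
    }

    /** Length a header parser would try to skip for the extra field, under either interpretation. */
    static long extraLength(byte[] header, boolean masked) {
        if ((header[3] & FEXTRA) == 0) {
            return 0; // no extra field present
        }
        byte lo = header[10];
        byte hi = header[11];
        return masked ? xlenUnsigned(lo, hi) : xlenSigned(lo, hi);
    }

    public static void main(String[] args) {
        byte[] h = headerWithExtra(0x8000);
        System.out.println("signed (pre-3.4.0):   " + extraLength(h, false)); // -32768
        System.out.println("unsigned (& 0xffff):  " + extraLength(h, true));  // 32768
    }
}
```

Run with `javac GzipXlenDemo.java && java GzipXlenDemo`. The negative value is the point: a length of -32768 is not a valid number of bytes to skip, so a parser that passes it straight on to a skip routine fails on input that the format itself considers well-formed. Masking with 0xffff, as the patch does, keeps every 16-bit XLEN in the 0..65535 range, which is also the check a defender would assert on when reviewing any other hand-written header parser.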


WAF Protection Rules

WAF Rule

GzipSource does not handle an exception that might be raised when parsing a malformed gzip buffer. This may lead to denial of service of the Okio client when handling a crafted GZIP archive, by using the GzipSource class.

Reasoning

The vulnerability lies in the misinterpretation of the 'xlen' field in the GZIP header, treating it as signed instead of unsigned. This leads to an exception when `xlen` is large (e.g. >= 0x8000), which GzipSource fails to handle, resulting in a denial of service.