CVE-2023-45853
moderate-risk
Published 2023-10-14
MiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product. NOTE: pyminizip through 0.2.6 is also vulnerable because it bundles an affected zlib version, and exposes the applicable MiniZip code through its compress API.
Do I need to act?
~
1.3% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
+
Fix available
Upgrade to: 51b7f2abdade71cd9bb0e7a373ef2610ec6f9daf
9
CVSS 9.8/10
Critical
NETWORK
/ LOW complexity
Affected Products (2)
Pyminizip
References (22)
Issue Tracking
https://github.com/madler/zlib/pull/843
Release Notes
https://pypi.org/project/pyminizip/#history
Third Party Advisory
https://security.gentoo.org/glsa/202401-18
Third Party Advisory
https://security.netapp.com/advisory/ntap-20231130-0009/
Issue Tracking
https://github.com/madler/zlib/pull/843
Release Notes
https://pypi.org/project/pyminizip/#history
Third Party Advisory
https://security.gentoo.org/glsa/202401-18
and 2 more references
43
/ 100
moderate-risk
Severity
32/34 · Critical
Exploitability
4/34 · Minimal
Exposure
7/34 · Low