CVE-2022-4899 : A vulnerability was found in zstd v1.4.10, where an attacker can supply empty st

A vulnerability was found in zstd v1.4.10, where an attacker can supply empty string as an argument to the command line tool to cause buffer overrun.

Published 2023-03-31 20:15:07

Updated 2025-02-18 18:15:14

Source Red Hat, Inc.

View at NVD, CVE.org

Vulnerability category: Overflow

Products affected by CVE-2022-4899

Facebook » Zstandard » Version: 1.4.10
cpe:2.3:a:facebook:zstandard:1.4.10:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2022-4899

EPSS FAQ

0.21%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 44 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2022-4899

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
7.5	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H	3.9	3.6	134c704f-9b21-4f2e-91b3-4a467353bcc0	2025-02-18
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: None Availability: High
7.5	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H	3.9	3.6	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: None Availability: High
7.5	HIGH	AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H	N/A	N/A	Oracle:CPUOct2023
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: None Availability: High

CWE ids for CVE-2022-4899

CWE-400 Uncontrolled Resource Consumption

The product does not properly control the allocation and maintenance of a limited resource.
Assigned by:
- 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Primary)
- nvd@nist.gov (Secondary)
- secalert@redhat.com (Primary)

References for CVE-2022-4899

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JEHRBBYYTPA4DETOM5XAKGCP37NUTLOA/

[SECURITY] Fedora 38 Update: community-mysql-8.0.34-2.fc38 - package-announce - Fedora Mailing-Lists

CVEs referencing this url
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/C63HAGVLQA6FJNDCHR7CNZZL6VSLILB2/

[SECURITY] Fedora 39 Update: community-mysql-8.0.34-2.fc39 - package-announce - Fedora mailing-lists
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/C63HAGVLQA6FJNDCHR7CNZZL6VSLILB2/

[SECURITY] Fedora 39 Update: community-mysql-8.0.34-2.fc39 - package-announce - Fedora Mailing-Lists

CVEs referencing this url
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QYLDK6ODVC4LJSDULLX6Q2YHTFOWABCN/

[SECURITY] Fedora 37 Update: community-mysql-8.0.34-2.fc37 - package-announce - Fedora Mailing-Lists

CVEs referencing this url
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QYLDK6ODVC4LJSDULLX6Q2YHTFOWABCN/

[SECURITY] Fedora 37 Update: community-mysql-8.0.34-2.fc37 - package-announce - Fedora mailing-lists
https://github.com/facebook/zstd/issues/3200

Buffer overrun can happen in util.c · Issue #3200 · facebook/zstd · GitHub
Issue Tracking;Patch
https://security.netapp.com/advisory/ntap-20230725-0005/

July 2023 MySQL Server Vulnerabilities in NetApp Products | NetApp Product Security

CVEs referencing this url
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JEHRBBYYTPA4DETOM5XAKGCP37NUTLOA/

[SECURITY] Fedora 38 Update: community-mysql-8.0.34-2.fc38 - package-announce - Fedora mailing-lists

Jump to

Vulnerability Details : CVE-2022-4899

Products affected by CVE-2022-4899

Exploit prediction scoring system (EPSS) score for CVE-2022-4899

CVSS scores for CVE-2022-4899

CWE ids for CVE-2022-4899

References for CVE-2022-4899