How to fix vulnerability CVE-2024-36124 from org.iq80.snappy:snappy?

Hi Team!

I have noticed a new vulnerability, CVE-2024-36124, which is reported for org.iq80.snappy:snappy v0.4. This is a transitive dependency of com.couchbase.client:core-io v2.7.0. Will there be a new version of com.couchbase.client:core-io released with org.iq80.snappy:snappy v0.5?


Hi @dhruvs7

Thanks for the report! We are aware of the issue and will be including the fix in the next version. We’re aiming to release some time next week.

In the meantime, the risk of this vulnerability being exploited in the Couchbase SDK is extremely low. In order to trigger the vulnerability, the snappy library must be fed malformed compressed content. The SDK gets compressed content only from Couchbase Server, and Couchbase Server validates that all compressed documents are well-formed before storing them.

Thanks,
David
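For anyone who cannot wait for the SDK release, the usual stop-gap is to pin the transitive dependency in your own build. The Maven pom below is an added example, not code from the thread or from the Couchbase project; it assumes a Maven build, and it assumes (as the original question implies) that org.iq80.snappy:snappy 0.5 is the release that carries the fix. The Couchbase coordinates are the ones named in the thread.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from the thread or the Couchbase project):
     pin the transitive org.iq80.snappy:snappy that core-io 2.7.0 pulls in
     to the patched release while waiting for the fixed SDK.
     Assumption: 0.5 is the version the reporter refers to as the fix. -->
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>

  <!-- Hypothetical coordinates for the consuming application -->
  <groupId>com.example</groupId>
  <artifactId>couchbase-app</artifactId>
  <version>1.0.0</version>

  <dependencyManagement>
    <dependencies>
      <!-- dependencyManagement overrides the version of a transitive
           dependency without adding it to the direct classpath.
           Every path that resolves org.iq80.snappy:snappy now gets 0.5. -->
      <dependency>
        <groupId>org.iq80.snappy</groupId>
        <artifactId>snappy</artifactId>
        <version>0.5</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- The SDK version from the thread; it declares snappy 0.4 itself,
         but the managed version above wins during resolution. -->
    <dependency>
      <groupId>com.couchbase.client</groupId>
      <artifactId>core-io</artifactId>
      <version>2.7.0</version>
    </dependency>
  </dependencies>
</project>
```

Confirm the override took effect with `mvn dependency:tree -Dincludes=org.iq80.snappy`; the tree should show only snappy 0.5 under core-io. The Gradle equivalent is `configurations.all { resolutionStrategy.force("org.iq80.snappy:snappy:0.5") }`. Two caveats: a pin like this runs the SDK against a snappy release it was not built with, so exercise the document read/write paths that use compression before shipping it, and remove the pin once you upgrade to the SDK release that includes the fix, so the SDK's own tested version is the one that resolves.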

Hi David!
Good morning!

Is the fix released?
Thank you

The next release - 3.7.1 - is not yet released. We’re working on it.
