CVE-2020-8927

A buffer overflow exists in the Brotli library versions prior to 1.0.8 where an attacker controlling the input length of a "one-shot" decompression request to a script can trigger a crash, which happens when copying over chunks of data larger than 2 GiB. It is recommended to update your Brotli library to 1.0.8 or later. If one cannot update, we recommend to use the "streaming" API as opposed to the "one-shot" API, and impose chunk size limits.

Published: Sep 15, 2020
Updated: Nov 8, 2023
CVE: CVE-2020-8927
GHSA: GHSA-5v8v-66v8-mwm7
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 6.5
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

CVSS v2:

Severity: Medium
Score: 6.4
AV:N/AC:L/Au:N/C:N/I:P/A:P

CWEs:

CWE-120

Affected Software
References

Software	From	Fixed in
google / brotli	-	1.0.8
debian / debian_linux	9.0	9.0.x
debian / debian_linux	10.0	10.0.x
fedoraproject / fedora	31	31.x
fedoraproject / fedora	32	32.x
fedoraproject / fedora	33	33.x
fedoraproject / fedora	34	34.x
fedoraproject / fedora	35	35.x
fedoraproject / fedora	36	36.x
canonical / ubuntu_linux	18.04	18.04.x
canonical / ubuntu_linux	20.04	20.04.x
canonical / ubuntu_linux	16.04	16.04.x
opensuse / leap	15.2	15.2.x
microsoft / visual_studio_2019	16.0	16.11.x
microsoft / .net	5.0	5.0.14.x
microsoft / .net_core	3.1	3.1.22.x
microsoft / powershell	7.2	7.2.2
microsoft / powershell	7.0	7.0.9
microsoft / visual_studio_2022	17.1	17.1.x
microsoft / powershell	7.1	7.1.6
microsoft / visual_studio_2022	17.0	17.0.7.x
compu-brotli-sys	-	1.0.9
Microsoft.NETCore.App.Runtime.linux-arm	3.0.0	3.1.23
Microsoft.NETCore.App.Runtime.linux-arm64	3.0.0	3.1.23
Microsoft.NETCore.App.Runtime.linux-musl-arm64	3.0.0	3.1.23
Microsoft.NETCore.App.Runtime.linux-x64	3.0.0	3.1.23
Microsoft.NETCore.App.Runtime.osx-x64	3.0.0	3.1.23
Microsoft.NETCore.App.Runtime.win-arm	3.0.0	3.1.23
Microsoft.NETCore.App.Runtime.win-arm64	3.0.0	3.1.23
Microsoft.NETCore.App.Runtime.win-x64	3.0.0	3.1.23
Microsoft.NETCore.App.Runtime.win-x86	3.0.0	3.1.23
Microsoft.NETCore.App.Runtime.Mono.LLVM.AOT.linux-arm64	5.0.0	5.0.15
Microsoft.NETCore.App.Runtime.Mono.LLVM.AOT.linux-x64	5.0.0	5.0.15
Microsoft.NETCore.App.Runtime.Mono.LLVM.AOT.osx-x64	5.0.0	5.0.15
Microsoft.NETCore.App.Runtime.Mono.LLVM.linux-arm64	5.0.0	5.0.15
Microsoft.NETCore.App.Runtime.Mono.LLVM.linux-x64	5.0.0	5.0.15
Microsoft.NETCore.App.Runtime.Mono.LLVM.osx-x64	5.0.0	5.0.15
Microsoft.NETCore.App.Runtime.Mono.linux-arm	5.0.0	5.0.15
Microsoft.NETCore.App.Runtime.Mono.linux-arm64	5.0.0	5.0.15
Microsoft.NETCore.App.Runtime.Mono.linux-musl-x64	5.0.0	5.0.15
Microsoft.NETCore.App.Runtime.Mono.linux-x64	5.0.0	5.0.15
Microsoft.NETCore.App.Runtime.Mono.osx-x64	5.0.0	5.0.15
Microsoft.NETCore.App.Runtime.browser-wasm	5.0.0	5.0.15
Microsoft.NETCore.App.Runtime.linux-arm	5.0.0	5.0.15
Microsoft.NETCore.App.Runtime.linux-arm64	5.0.0	5.0.15
Microsoft.NETCore.App.Runtime.linux-musl-arm	5.0.0	5.0.15
Microsoft.NETCore.App.Runtime.linux-musl-arm64	5.0.0	5.0.15
Microsoft.NETCore.App.Runtime.linux-musl-x64	5.0.0	5.0.15
Microsoft.NETCore.App.Runtime.linux-x64	5.0.0	5.0.15
Microsoft.NETCore.App.Runtime.osx-x64	5.0.0	5.0.15
Microsoft.NETCore.App.Runtime.win-arm	5.0.0	5.0.15
Microsoft.NETCore.App.Runtime.win-arm64	5.0.0	5.0.15
Microsoft.NETCore.App.Runtime.win-x64	5.0.0	5.0.15
Microsoft.NETCore.App.Runtime.win-x86	5.0.0	5.0.15
Microsoft.NETCore.App.Runtime.AOT.linux-x64.Cross.android-arm	6.0.0	6.0.3
Microsoft.NETCore.App.Runtime.AOT.linux-x64.Cross.android-arm64	6.0.0	6.0.3
Microsoft.NETCore.App.Runtime.AOT.linux-x64.Cross.android-x64	6.0.0	6.0.3
Microsoft.NETCore.App.Runtime.AOT.linux-x64.Cross.android-x86	6.0.0	6.0.3
Microsoft.NETCore.App.Runtime.AOT.linux-x64.Cross.browser-wasm	6.0.0	6.0.3
Microsoft.NETCore.App.Runtime.AOT.osx-x64.Cross.android-arm	6.0.0	6.0.3
Microsoft.NETCore.App.Runtime.AOT.osx-x64.Cross.android-arm64	6.0.0	6.0.3
Microsoft.NETCore.App.Runtime.AOT.osx-x64.Cross.android-x64	6.0.0	6.0.3
Microsoft.NETCore.App.Runtime.AOT.osx-x64.Cross.android-x86	6.0.0	6.0.3
Microsoft.NETCore.App.Runtime.AOT.osx-x64.Cross.browser-wasm	6.0.0	6.0.3
Microsoft.NETCore.App.Runtime.AOT.osx-x64.Cross.ios-arm	6.0.0	6.0.3
Microsoft.NETCore.App.Runtime.AOT.osx-x64.Cross.ios-arm64	6.0.0	6.0.3
Microsoft.NETCore.App.Runtime.AOT.osx-x64.Cross.iossimulator-arm64	6.0.0	6.0.3
Microsoft.NETCore.App.Runtime.AOT.osx-x64.Cross.iossimulator-x64	6.0.0	6.0.3
Microsoft.NETCore.App.Runtime.AOT.osx-x64.Cross.iossimulator-x86	6.0.0	6.0.3
Microsoft.NETCore.App.Runtime.AOT.osx-x64.Cross.maccatalyst-arm64	6.0.0	6.0.3
Microsoft.NETCore.App.Runtime.AOT.osx-x64.Cross.maccatalyst-x64	6.0.0	6.0.3
Microsoft.NETCore.App.Runtime.AOT.osx-x64.Cross.tvos-arm64	6.0.0	6.0.3
Microsoft.NETCore.App.Runtime.AOT.osx-x64.Cross.tvossimulator-arm64	6.0.0	6.0.3
Microsoft.NETCore.App.Runtime.AOT.osx-x64.Cross.tvossimulator-x64	6.0.0	6.0.3
Microsoft.NETCore.App.Runtime.AOT.win-x64.Cross.android-arm	6.0.0	6.0.3
Microsoft.NETCore.App.Runtime.AOT.win-x64.Cross.android-arm.Msi.x64	6.0.0	6.0.3
Microsoft.NETCore.App.Runtime.AOT.win-x64.Cross.android-arm64	6.0.0	6.0.3
Microsoft.NETCore.App.Runtime.AOT.win-x64.Cross.android-arm64.Msi.x64	6.0.0	6.0.3
Microsoft.NETCore.App.Runtime.AOT.win-x64.Cross.android-x64	6.0.0	6.0.3
Microsoft.NETCore.App.Runtime.AOT.win-x64.Cross.android-x64.Msi.x64	6.0.0	6.0.3
Microsoft.NETCore.App.Runtime.AOT.win-x64.Cross.android-x86	6.0.0	6.0.3
Microsoft.NETCore.App.Runtime.AOT.win-x64.Cross.android-x86.Msi.x64	6.0.0	6.0.3
Microsoft.NETCore.App.Runtime.AOT.win-x64.Cross.browser-wasm	6.0.0	6.0.3
Microsoft.NETCore.App.Runtime.AOT.win-x64.Cross.browser-wasm.Msi.x64	6.0.0	6.0.3
Microsoft.NETCore.App.Runtime.Mono.LLVM.AOT.linux-arm64	6.0.0	6.0.3
Microsoft.NETCore.App.Runtime.Mono.LLVM.AOT.linux-x64	6.0.0	6.0.3
Microsoft.NETCore.App.Runtime.Mono.LLVM.AOT.osx-x64	6.0.0	6.0.3
Microsoft.NETCore.App.Runtime.Mono.LLVM.linux-arm64	6.0.0	6.0.3
Microsoft.NETCore.App.Runtime.Mono.LLVM.linux-x64	6.0.0	6.0.3
Microsoft.NETCore.App.Runtime.Mono.LLVM.osx-x64	6.0.0	6.0.3
Microsoft.NETCore.App.Runtime.Mono.android-arm	6.0.0	6.0.3
Microsoft.NETCore.App.Runtime.Mono.android-arm.Msi.arm64	6.0.0	6.0.3
Microsoft.NETCore.App.Runtime.Mono.android-arm.Msi.x64	6.0.0	6.0.3
Microsoft.NETCore.App.Runtime.Mono.android-arm.Msi.x86	6.0.0	6.0.3
Microsoft.NETCore.App.Runtime.Mono.android-arm64	6.0.0	6.0.3
Microsoft.NETCore.App.Runtime.Mono.android-arm64.Msi.arm64	6.0.0	6.0.3
Microsoft.NETCore.App.Runtime.Mono.android-arm64.Msi.x64	6.0.0	6.0.3
Microsoft.NETCore.App.Runtime.Mono.android-arm64.Msi.x86	6.0.0	6.0.3
Microsoft.NETCore.App.Runtime.Mono.android-x64	6.0.0	6.0.3
Microsoft.NETCore.App.Runtime.Mono.android-x64.Msi.arm64	6.0.0	6.0.3
Microsoft.NETCore.App.Runtime.Mono.android-x64.Msi.x64	6.0.0	6.0.3
Microsoft.NETCore.App.Runtime.Mono.android-x64.Msi.x86	6.0.0	6.0.3
Microsoft.NETCore.App.Runtime.Mono.android-x86	6.0.0	6.0.3
Microsoft.NETCore.App.Runtime.Mono.android-x86.Msi.arm64	6.0.0	6.0.3
Microsoft.NETCore.App.Runtime.Mono.android-x86.Msi.x64	6.0.0	6.0.3
Microsoft.NETCore.App.Runtime.Mono.android-x86.Msi.x86	6.0.0	6.0.3
Microsoft.NETCore.App.Runtime.Mono.browser-wasm	6.0.0	6.0.3
Microsoft.NETCore.App.Runtime.Mono.browser-wasm.Msi.arm64	6.0.0	6.0.3
Microsoft.NETCore.App.Runtime.Mono.browser-wasm.Msi.x64	6.0.0	6.0.3
Microsoft.NETCore.App.Runtime.Mono.browser-wasm.Msi.x86	6.0.0	6.0.3
Microsoft.NETCore.App.Runtime.Mono.ios-arm	6.0.0	6.0.3
Microsoft.NETCore.App.Runtime.Mono.ios-arm.Msi.arm64	6.0.0	6.0.3
Microsoft.NETCore.App.Runtime.Mono.ios-arm.Msi.x86	6.0.0	6.0.3
Microsoft.NETCore.App.Runtime.Mono.ios-arm64	6.0.0	6.0.3
Microsoft.NETCore.App.Runtime.Mono.ios-arm64.Msi.arm64	6.0.0	6.0.3
Microsoft.NETCore.App.Runtime.Mono.ios-arm64.Msi.x64	6.0.0	6.0.3
Microsoft.NETCore.App.Runtime.Mono.ios-arm64.Msi.x86	6.0.0	6.0.3
Microsoft.NETCore.App.Runtime.Mono.iossimulator-arm64	6.0.0	6.0.3
Microsoft.NETCore.App.Runtime.Mono.iossimulator-arm64.Msi.arm64	6.0.0	6.0.3
Microsoft.NETCore.App.Runtime.Mono.iossimulator-arm64.Msi.x64	6.0.0	6.0.3
Microsoft.NETCore.App.Runtime.Mono.iossimulator-arm64.Msi.x86	6.0.0	6.0.3
Microsoft.NETCore.App.Runtime.Mono.iossimulator-x64	6.0.0	6.0.3
Microsoft.NETCore.App.Runtime.Mono.iossimulator-x64.Msi.arm64	6.0.0	6.0.3
Microsoft.NETCore.App.Runtime.Mono.iossimulator-x64.Msi.x64	6.0.0	6.0.3
Microsoft.NETCore.App.Runtime.Mono.iossimulator-x64.Msi.x86	6.0.0	6.0.3
Microsoft.NETCore.App.Runtime.Mono.iossimulator-x86	6.0.0	6.0.3
Microsoft.NETCore.App.Runtime.Mono.iossimulator-x86.Msi.arm64	6.0.0	6.0.3
Microsoft.NETCore.App.Runtime.Mono.iossimulator-x86.Msi.x64	6.0.0	6.0.3
Microsoft.NETCore.App.Runtime.Mono.iossimulator-x86.Msi.x86	6.0.0	6.0.3
Microsoft.NETCore.App.Runtime.Mono.linux-arm	6.0.0	6.0.3
Microsoft.NETCore.App.Runtime.Mono.linux-arm64	6.0.0	6.0.3
Microsoft.NETCore.App.Runtime.Mono.linux-musl-x64	6.0.0	6.0.3
Microsoft.NETCore.App.Runtime.Mono.linux-x64	6.0.0	6.0.3
Microsoft.NETCore.App.Runtime.Mono.maccatalyst-arm64	6.0.0	6.0.3
Microsoft.NETCore.App.Runtime.Mono.maccatalyst-arm64.Msi.arm64	6.0.0	6.0.3
Microsoft.NETCore.App.Runtime.Mono.maccatalyst-arm64.Msi.x64	6.0.0	6.0.3
Microsoft.NETCore.App.Runtime.Mono.maccatalyst-arm64.Msi.x86	6.0.0	6.0.3
Microsoft.NETCore.App.Runtime.Mono.maccatalyst-x64	6.0.0	6.0.3
Microsoft.NETCore.App.Runtime.Mono.maccatalyst-x64.Msi.arm64	6.0.0	6.0.3
Microsoft.NETCore.App.Runtime.Mono.maccatalyst-x64.Msi.x64	6.0.0	6.0.3
Microsoft.NETCore.App.Runtime.Mono.maccatalyst-x64.Msi.x86	6.0.0	6.0.3
Microsoft.NETCore.App.Runtime.Mono.osx-arm64	6.0.0	6.0.3
Microsoft.NETCore.App.Runtime.Mono.osx-x64	6.0.0	6.0.3
Microsoft.NETCore.App.Runtime.Mono.tvos-arm64	6.0.0	6.0.3
Microsoft.NETCore.App.Runtime.Mono.tvos-arm64.Msi.arm64	6.0.0	6.0.3
Microsoft.NETCore.App.Runtime.Mono.tvos-arm64.Msi.x64	6.0.0	6.0.3
Microsoft.NETCore.App.Runtime.Mono.tvos-arm64.Msi.x86	6.0.0	6.0.3
Microsoft.NETCore.App.Runtime.Mono.tvossimulator-arm64	6.0.0	6.0.3
Microsoft.NETCore.App.Runtime.Mono.tvossimulator-arm64.Msi.arm64	6.0.0	6.0.3
Microsoft.NETCore.App.Runtime.Mono.tvossimulator-arm64.Msi.x64	6.0.0	6.0.3
Microsoft.NETCore.App.Runtime.Mono.tvossimulator-arm64.Msi.x86	6.0.0	6.0.3
Microsoft.NETCore.App.Runtime.Mono.tvossimulator-x64	6.0.0	6.0.3
Microsoft.NETCore.App.Runtime.Mono.tvossimulator-x64.Msi.arm64	6.0.0	6.0.3
Microsoft.NETCore.App.Runtime.Mono.tvossimulator-x64.Msi.x64	6.0.0	6.0.3
Microsoft.NETCore.App.Runtime.Mono.tvossimulator-x64.Msi.x86	6.0.0	6.0.3
Microsoft.NETCore.App.Runtime.Mono.win-x64	6.0.0	6.0.3
Microsoft.NETCore.App.Runtime.Mono.win-x86	6.0.0	6.0.3
Microsoft.NETCore.App.Runtime.linux-arm	6.0.0	6.0.3
Microsoft.NETCore.App.Runtime.linux-arm64	6.0.0	6.0.3
Microsoft.NETCore.App.Runtime.linux-musl-arm	6.0.0	6.0.3
Microsoft.NETCore.App.Runtime.linux-musl-arm64	6.0.0	6.0.3
Microsoft.NETCore.App.Runtime.linux-musl-x64	6.0.0	6.0.3
Microsoft.NETCore.App.Runtime.linux-x64	6.0.0	6.0.3
Microsoft.NETCore.App.Runtime.osx-arm64	6.0.0	6.0.3
Microsoft.NETCore.App.Runtime.osx-x64	6.0.0	6.0.3
Microsoft.NETCore.App.Runtime.win-arm	6.0.0	6.0.3
Microsoft.NETCore.App.Runtime.win-arm64	6.0.0	6.0.3
Microsoft.NETCore.App.Runtime.win-x64	6.0.0	6.0.3
Microsoft.NETCore.App.Runtime.win-x86	6.0.0	6.0.3

Vulnerability Database

289,599

CVE-2020-8927