CVE-2020-36846
MEDIUM6.5EPSS 0.54%IO::Compress::Brotli versions prior to 0.007 for Perl have an integer overflow in the bundled Brotli C library in github.com/google/brotli
Published: 5/24/2022Modified: 3/3/2026
Description
IO::Compress::Brotli versions prior to 0.007 for Perl have an integer overflow in the bundled Brotli C library in github.com/google/brotli
Affected packages (126)
- Bitnami/brotlifrom 0, < 1.0.8
- Bitnami/dotnet>= 5.0.0, < 5.0.15
- Bitnami/dotnet-sdk>= 5.0.0, < 5.0.15
- Bitnami/powershell>= 7.0.0, < 7.0.9, >= 7.1.0, < 7.1.6, >= 7.2.0, < 7.2.2
- crates.io/brotli-sys>= 0.0.0-0
- crates.io/compu-brotli-sysfrom 0, < 1.0.9
- crates.io/compu-brotli-sys>= 0.0.0-0, < 1.0.9
- Go/github.com/google/brotlifrom 0
- NuGet/Microsoft.NETCore.App.Runtime.AOT.linux-x64.Cross.android-arm>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.AOT.linux-x64.Cross.android-arm64>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.AOT.linux-x64.Cross.android-x64>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.AOT.linux-x64.Cross.android-x86>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.AOT.linux-x64.Cross.browser-wasm>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.AOT.osx-x64.Cross.android-arm>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.AOT.osx-x64.Cross.android-arm64>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.AOT.osx-x64.Cross.android-x64>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.AOT.osx-x64.Cross.android-x86>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.AOT.osx-x64.Cross.browser-wasm>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.AOT.osx-x64.Cross.ios-arm>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.AOT.osx-x64.Cross.ios-arm64>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.AOT.osx-x64.Cross.iossimulator-arm64>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.AOT.osx-x64.Cross.iossimulator-x64>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.AOT.osx-x64.Cross.iossimulator-x86>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.AOT.osx-x64.Cross.maccatalyst-arm64>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.AOT.osx-x64.Cross.maccatalyst-x64>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.AOT.osx-x64.Cross.tvos-arm64>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.AOT.osx-x64.Cross.tvossimulator-arm64>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.AOT.osx-x64.Cross.tvossimulator-x64>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.AOT.win-x64.Cross.android-arm>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.AOT.win-x64.Cross.android-arm64>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.AOT.win-x64.Cross.android-arm64.Msi.x64>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.AOT.win-x64.Cross.android-arm.Msi.x64>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.AOT.win-x64.Cross.android-x64>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.AOT.win-x64.Cross.android-x64.Msi.x64>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.AOT.win-x64.Cross.android-x86>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.AOT.win-x64.Cross.android-x86.Msi.x64>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.AOT.win-x64.Cross.browser-wasm>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.AOT.win-x64.Cross.browser-wasm.Msi.x64>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.browser-wasm>= 5.0.0, < 5.0.15
- NuGet/Microsoft.NETCore.App.Runtime.linux-arm>= 3.0.0, < 3.1.23
- NuGet/Microsoft.NETCore.App.Runtime.linux-arm64>= 3.0.0, < 3.1.23
- NuGet/Microsoft.NETCore.App.Runtime.linux-musl-arm>= 5.0.0, < 5.0.15
- NuGet/Microsoft.NETCore.App.Runtime.linux-musl-arm64>= 3.0.0, < 3.1.23
- NuGet/Microsoft.NETCore.App.Runtime.linux-musl-x64>= 5.0.0, < 5.0.15
- NuGet/Microsoft.NETCore.App.Runtime.linux-x64>= 3.0.0, < 3.1.23
- NuGet/Microsoft.NETCore.App.Runtime.Mono.android-arm>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.Mono.android-arm64>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.Mono.android-arm64.Msi.arm64>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.Mono.android-arm64.Msi.x64>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.Mono.android-arm64.Msi.x86>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.Mono.android-arm.Msi.arm64>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.Mono.android-arm.Msi.x64>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.Mono.android-arm.Msi.x86>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.Mono.android-x64>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.Mono.android-x64.Msi.arm64>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.Mono.android-x64.Msi.x64>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.Mono.android-x64.Msi.x86>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.Mono.android-x86>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.Mono.android-x86.Msi.arm64>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.Mono.android-x86.Msi.x64>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.Mono.android-x86.Msi.x86>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.Mono.browser-wasm>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.Mono.browser-wasm.Msi.arm64>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.Mono.browser-wasm.Msi.x64>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.Mono.browser-wasm.Msi.x86>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.Mono.ios-arm>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.Mono.ios-arm64>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.Mono.ios-arm64.Msi.arm64>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.Mono.ios-arm64.Msi.x64>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.Mono.ios-arm64.Msi.x86>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.Mono.ios-arm.Msi.arm64>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.Mono.ios-arm.Msi.x86>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.Mono.iossimulator-arm64>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.Mono.iossimulator-arm64.Msi.arm64>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.Mono.iossimulator-arm64.Msi.x64>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.Mono.iossimulator-arm64.Msi.x86>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.Mono.iossimulator-x64>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.Mono.iossimulator-x64.Msi.arm64>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.Mono.iossimulator-x64.Msi.x64>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.Mono.iossimulator-x64.Msi.x86>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.Mono.iossimulator-x86>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.Mono.iossimulator-x86.Msi.arm64>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.Mono.iossimulator-x86.Msi.x64>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.Mono.iossimulator-x86.Msi.x86>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.Mono.linux-arm>= 5.0.0, < 5.0.15
- NuGet/Microsoft.NETCore.App.Runtime.Mono.linux-arm64>= 5.0.0, < 5.0.15
- NuGet/Microsoft.NETCore.App.Runtime.Mono.linux-musl-x64>= 5.0.0, < 5.0.15
- NuGet/Microsoft.NETCore.App.Runtime.Mono.linux-x64>= 5.0.0, < 5.0.15
- NuGet/Microsoft.NETCore.App.Runtime.Mono.LLVM.AOT.linux-arm64>= 5.0.0, < 5.0.15
- NuGet/Microsoft.NETCore.App.Runtime.Mono.LLVM.AOT.linux-x64>= 5.0.0, < 5.0.15
- NuGet/Microsoft.NETCore.App.Runtime.Mono.LLVM.AOT.osx-x64>= 5.0.0, < 5.0.15
- NuGet/Microsoft.NETCore.App.Runtime.Mono.LLVM.linux-arm64>= 5.0.0, < 5.0.15
- NuGet/Microsoft.NETCore.App.Runtime.Mono.LLVM.linux-x64>= 5.0.0, < 5.0.15
- NuGet/Microsoft.NETCore.App.Runtime.Mono.LLVM.osx-x64>= 5.0.0, < 5.0.15
- NuGet/Microsoft.NETCore.App.Runtime.Mono.maccatalyst-arm64>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.Mono.maccatalyst-arm64.Msi.arm64>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.Mono.maccatalyst-arm64.Msi.x64>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.Mono.maccatalyst-arm64.Msi.x86>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.Mono.maccatalyst-x64>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.Mono.maccatalyst-x64.Msi.arm64>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.Mono.maccatalyst-x64.Msi.x64>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.Mono.maccatalyst-x64.Msi.x86>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.Mono.osx-arm64>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.Mono.osx-x64>= 5.0.0, < 5.0.15
- NuGet/Microsoft.NETCore.App.Runtime.Mono.tvos-arm64>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.Mono.tvos-arm64.Msi.arm64>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.Mono.tvos-arm64.Msi.x64>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.Mono.tvos-arm64.Msi.x86>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.Mono.tvossimulator-arm64>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.Mono.tvossimulator-arm64.Msi.arm64>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.Mono.tvossimulator-arm64.Msi.x64>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.Mono.tvossimulator-arm64.Msi.x86>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.Mono.tvossimulator-x64>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.Mono.tvossimulator-x64.Msi.arm64>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.Mono.tvossimulator-x64.Msi.x64>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.Mono.tvossimulator-x64.Msi.x86>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.Mono.win-x64>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.Mono.win-x86>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.osx-arm64>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.osx-x64>= 3.0.0, < 3.1.23
- NuGet/Microsoft.NETCore.App.Runtime.win-arm>= 3.0.0, < 3.1.23
- NuGet/Microsoft.NETCore.App.Runtime.win-arm64>= 3.0.0, < 3.1.23
- NuGet/Microsoft.NETCore.App.Runtime.win-x64>= 3.0.0, < 3.1.23
- NuGet/Microsoft.NETCore.App.Runtime.win-x86>= 3.0.0, < 3.1.23
- PyPI/brotlifrom 0, < 1.0.8
- PyPI/brotlifrom 0, < 1.0.8
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | MEDIUM6.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L |
References (45)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2020-36846
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2020-8927
- PATCHhttps://crates.io/crates/brotli-sys
- PATCHhttps://crates.io/crates/compu-brotli-sys
- PATCHhttps://github.com/bitemyapp/brotli2-rs
- PATCHhttps://github.com/google/brotli/pull/826
- WEBhttp://lists.opensuse.org/opensuse-security-announce/2020-09/msg00108.html
- WEBhttps://github.com/advisories/GHSA-5v8v-66v8-mwm7
- WEBhttps://github.com/bitemyapp/brotli2-rs/issues/45
- WEBhttps://github.com/github/advisory-database/issues/785
- WEBhttps://github.com/google/brotli/commit/223d80cfbec8fd346e32906c732c8ede21f0cea6
- WEBhttps://github.com/google/brotli/releases/tag/v1.0.8
- WEBhttps://github.com/google/brotli/releases/tag/v1.0.9
- WEBhttps://github.com/pypa/advisory-database/tree/main/vulns/brotli/PYSEC-2020-29.yaml
- WEBhttps://github.com/timlegge/perl-IO-Compress-Brotli/blob/8b44c83b23bb4658179e1494af4b725a1bc476bc/Changes#L52
- WEBhttps://lists.debian.org/debian-lts-announce/2020/12/msg00003.html
- WEBhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/356JOYTWW4BWSZ42SEFLV7NYHL3S3AEH/
- WEBhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4TOGTZ2ZWDH662ZNFFSZVL3M5AJXV6JF/
- WEBhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/J4E265WKWKYMK2RYYSIXBEGZTDY5IQE6/
- WEBhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M4VCDOJGL6BK3HB4XRD2WETBPYX2ITF6/
- WEBhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MMBKACMLSRX7JJSKBTR35UOEP2WFR6QP/
- WEBhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MQLM7ABVCYJLF6JRPF3M3EBXW63GNC27/
- WEBhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/W23CUADGMVMQQNFKHPHXVP7RPZJZNN6I/
- WEBhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WW62OZEY2GHJL4JCOLJRBSRETXDHMWRK/
- WEBhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZXEQ3GQVELA2T4HNZG7VPMS2HDVXMJRG/
- WEBhttps://lists.fedoraproject.org/archives/list/[email protected]/message/356JOYTWW4BWSZ42SEFLV7NYHL3S3AEH
- WEBhttps://lists.fedoraproject.org/archives/list/[email protected]/message/356JOYTWW4BWSZ42SEFLV7NYHL3S3AEH/
- WEBhttps://lists.fedoraproject.org/archives/list/[email protected]/message/4TOGTZ2ZWDH662ZNFFSZVL3M5AJXV6JF
- WEBhttps://lists.fedoraproject.org/archives/list/[email protected]/message/J4E265WKWKYMK2RYYSIXBEGZTDY5IQE6
- WEBhttps://lists.fedoraproject.org/archives/list/[email protected]/message/J4E265WKWKYMK2RYYSIXBEGZTDY5IQE6/
- WEBhttps://lists.fedoraproject.org/archives/list/[email protected]/message/M4VCDOJGL6BK3HB4XRD2WETBPYX2ITF6
- WEBhttps://lists.fedoraproject.org/archives/list/[email protected]/message/M4VCDOJGL6BK3HB4XRD2WETBPYX2ITF6/
- WEBhttps://lists.fedoraproject.org/archives/list/[email protected]/message/MMBKACMLSRX7JJSKBTR35UOEP2WFR6QP
- WEBhttps://lists.fedoraproject.org/archives/list/[email protected]/message/MMBKACMLSRX7JJSKBTR35UOEP2WFR6QP/
- WEBhttps://lists.fedoraproject.org/archives/list/[email protected]/message/MQLM7ABVCYJLF6JRPF3M3EBXW63GNC27
- WEBhttps://lists.fedoraproject.org/archives/list/[email protected]/message/W23CUADGMVMQQNFKHPHXVP7RPZJZNN6I
- WEBhttps://lists.fedoraproject.org/archives/list/[email protected]/message/W23CUADGMVMQQNFKHPHXVP7RPZJZNN6I/
- WEBhttps://lists.fedoraproject.org/archives/list/[email protected]/message/WW62OZEY2GHJL4JCOLJRBSRETXDHMWRK
- WEBhttps://lists.fedoraproject.org/archives/list/[email protected]/message/WW62OZEY2GHJL4JCOLJRBSRETXDHMWRK/
- WEBhttps://lists.fedoraproject.org/archives/list/[email protected]/message/ZXEQ3GQVELA2T4HNZG7VPMS2HDVXMJRG
- WEBhttps://rustsec.org/advisories/RUSTSEC-2021-0131.html
- WEBhttps://rustsec.org/advisories/RUSTSEC-2021-0132.html
- WEBhttps://usn.ubuntu.com/4568-1
- WEBhttps://usn.ubuntu.com/4568-1/
- WEBhttps://www.debian.org/security/2020/dsa-4801