{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2014-125026", "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "state": "PUBLISHED", "assignerShortName": "Go", "dateReserved": "2022-07-29T16:08:15.703Z", "datePublished": "2022-12-27T21:13:06.589Z", "dateUpdated": "2025-04-11T23:00:46.201Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "shortName": "Go", "dateUpdated": "2023-06-12T19:03:26.399Z"}, "title": "Out-of-bounds write in github.com/cloudflare/golz4", "descriptions": [{"lang": "en", "value": "LZ4 bindings use a deprecated C API that is vulnerable to memory corruption, which could lead to arbitrary code execution if called with untrusted user input."}], "affected": [{"vendor": "github.com/cloudflare/golz4", "product": "github.com/cloudflare/golz4", "collectionURL": "https://pkg.go.dev", "packageName": "github.com/cloudflare/golz4", "versions": [{"version": "0", "lessThan": "0.0.0-20140711154735-199f5f787806", "status": "affected", "versionType": "semver"}], "programRoutines": [{"name": "Uncompress"}], "defaultStatus": "unaffected"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE 94: Improper Control of Generation of Code ('Code Injection')"}]}], "references": [{"url": "https://github.com/cloudflare/golz4/commit/199f5f7878062ca17a98e079f2dbe1205e2ed898"}, {"url": "https://github.com/cloudflare/golz4/issues/5"}, {"url": "https://pkg.go.dev/vuln/GO-2020-0022"}], "credits": [{"lang": "en", "value": "Yann Collet"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T14:10:56.370Z"}, "title": "CVE Program Container", "references": [{"url": "https://github.com/cloudflare/golz4/commit/199f5f7878062ca17a98e079f2dbe1205e2ed898", "tags": ["x_transferred"]}, {"url": "https://github.com/cloudflare/golz4/issues/5", "tags": ["x_transferred"]}, {"url": "https://pkg.go.dev/vuln/GO-2020-0022", "tags": ["x_transferred"]}]}, {"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-787", "lang": "en", "description": "CWE-787 Out-of-bounds Write"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-04-11T22:59:11.157501Z", "id": "CVE-2014-125026", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-11T23:00:46.201Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/cloudflare/golz4/commit/199f5f7878062ca17a98e079f2dbe1205e2ed898", "tags": ["x_transferred"]}, {"url": "https://github.com/cloudflare/golz4/issues/5", "tags": ["x_transferred"]}, {"url": "https://pkg.go.dev/vuln/GO-2020-0022", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T14:10:56.370Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2014-125026", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-04-11T22:59:11.157501Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-787", "description": "CWE-787 Out-of-bounds Write"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-11T23:00:11.373Z"}}], "cna": {"title": "Out-of-bounds write in github.com/cloudflare/golz4", "credits": [{"lang": "en", "value": "Yann Collet"}], "affected": [{"vendor": "github.com/cloudflare/golz4", "product": "github.com/cloudflare/golz4", "versions": [{"status": "affected", "version": "0", "lessThan": "0.0.0-20140711154735-199f5f787806", "versionType": "semver"}], "packageName": "github.com/cloudflare/golz4", "collectionURL": "https://pkg.go.dev", "defaultStatus": "unaffected", "programRoutines": [{"name": "Uncompress"}]}], "references": [{"url": "https://github.com/cloudflare/golz4/commit/199f5f7878062ca17a98e079f2dbe1205e2ed898"}, {"url": "https://github.com/cloudflare/golz4/issues/5"}, {"url": "https://pkg.go.dev/vuln/GO-2020-0022"}], "descriptions": [{"lang": "en", "value": "LZ4 bindings use a deprecated C API that is vulnerable to memory corruption, which could lead to arbitrary code execution if called with untrusted user input."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE 94: Improper Control of Generation of Code ('Code Injection')"}]}], "providerMetadata": {"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "shortName": "Go", "dateUpdated": "2023-06-12T19:03:26.399Z"}}}, "cveMetadata": {"cveId": "CVE-2014-125026", "state": "PUBLISHED", "dateUpdated": "2025-04-11T23:00:46.201Z", "dateReserved": "2022-07-29T16:08:15.703Z", "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "datePublished": "2022-12-27T21:13:06.589Z", "assignerShortName": "Go"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:cloudflare:golz4:*:*:*:*:*:go:*:*", "matchCriteriaId": "CF7258F9-47C1-4E63-A1FD-5BB5378558BA", "versionEndExcluding": "2014-07-11", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "LZ4 bindings use a deprecated C API that is vulnerable to memory corruption, which could lead to arbitrary code execution if called with untrusted user input."}, {"lang": "es", "value": "Los enlaces LZ4 utilizan una API C obsoleta que es vulnerable a la corrupci\u00f3n de la memoria, lo que podr\u00eda provocar la ejecuci\u00f3n de c\u00f3digo arbitrario si se llama con entradas de usuarios que no son de confianza."}], "id": "CVE-2014-125026", "lastModified": "2025-04-11T23:15:25.373", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2022-12-27T22:15:10.883", "references": [{"source": "security@golang.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/cloudflare/golz4/commit/199f5f7878062ca17a98e079f2dbe1205e2ed898"}, {"source": "security@golang.org", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"], "url": "https://github.com/cloudflare/golz4/issues/5"}, {"source": "security@golang.org", "tags": ["Patch", "Vendor Advisory"], "url": "https://pkg.go.dev/vuln/GO-2020-0022"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/cloudflare/golz4/commit/199f5f7878062ca17a98e079f2dbe1205e2ed898"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"], "url": "https://github.com/cloudflare/golz4/issues/5"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Vendor Advisory"], "url": "https://pkg.go.dev/vuln/GO-2020-0022"}], "sourceIdentifier": "security@golang.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-787"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-787"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"bugzilla": {"description": "golz4: memory corruption vulnerability in golz4", "id": "2156869", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2156869"}, "csaw": false, "cvss3": {"cvss3_base_score": "9.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-400", "details": ["LZ4 bindings use a deprecated C API that is vulnerable to memory corruption, which could lead to arbitrary code execution if called with untrusted user input.", "A flaw was found in the golz4 package. LZ4 bindings use a deprecated C API that is vulnerable to memory corruption, which could lead to arbitrary code execution if called with untrusted user input."], "name": "CVE-2014-125026", "package_state": [{"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "impact": "moderate", "package_name": "openshift4/ose-baremetal-installer-rhel8", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "impact": "moderate", "package_name": "openshift4/ose-installer", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "impact": "moderate", "package_name": "openshift4/ose-installer-artifacts", "product_name": "Red Hat OpenShift Container Platform 4"}], "public_date": "2022-12-27T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2014-125026\nhttps://nvd.nist.gov/vuln/detail/CVE-2014-125026"], "statement": "The golz4 is a transitive dependency in OpenShift. Hence, the impact for Red Hat OpenShift Container Platform 4 is lowered to moderate.", "threat_severity": "Critical"}