CVE-2023-3635: 
Java vulnerability analysis and mitigation

GzipSource in SquareUp Okio prior to version 3.4.0 contains a vulnerability where it does not handle an exception that might be raised when parsing a malformed gzip buffer. The vulnerability was assigned CVE-2023-3635 and was discovered in July 2023. The affected software includes all versions of Okio before 3.4.0 (NVD).

The vulnerability stems from improper exception handling in the GzipSource class when parsing malformed gzip buffers. The issue specifically relates to how the code treats short values as unsigned when they should have been treated as signed. The vulnerability has a CVSS v3.1 base score of 7.5 (High), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (NVD, GitHub Patch).

The vulnerability can lead to a denial of service (DoS) condition of the Okio client when handling a crafted GZIP archive. This affects the availability of systems using the vulnerable versions of the Okio library (NVD).

The recommended mitigation is to upgrade to Okio version 3.4.0 or later, which contains the fix for this vulnerability. The fix involves correcting how the code handles short values in the GzipSource class (GitHub Patch).