GCVE - cpe:2.3:a:facebook:fizz:*:*:*:*:*:*:*:*

Approved changes feed: RSS · Atom

cpe:2.3:a:facebook:fizz:*:*:*:*:*:*:*:*

part: a version: * update: *

Vendor	Facebook (`c319c35a-3469-5baa-b3bd-8582d1206a92`)
Product	Fizz (`6b20b676-487a-5197-854a-e6ce35b1cd05`)
Edition	*
Language	*
Software edition	*
Target software	*
Target hardware	*
Other	*
Notes	Imported from purl2cpe mapping

PURL mappings

PURL	Source	Last updated
`pkg:github/facebookincubator/fizz`	purl2cpe	2026-06-01 10:11:42.607017
`pkg:rpm/fedora/fizz`	purl2cpe	2026-06-01 10:11:42.607021

Vulnerability references

Identifier	cpeApplicability	Submitted	db.gcve.eu details	Rationale
`CVE:CVE-2023-23759`	vulnerable	2026-06-03 14:49:28.611962	Details available There is a vulnerability in the fizz library prior to v2023.01.30.00 where a CHECK failure can be triggered remotely. This behavior requires the client supported cipher advertisement changing between the original ClientHello and the second ClientHello, crashing the process (impact is limited to denial of service). Published: 2023-05-18T21:21:02.735Z Updated: 2025-01-21T20:49:35.562Z Open on db.gcve.eu Reference links https://www.facebook.com/security/advisories/cve-2023-23759 https://github.com/facebookincubator/fizz/commit/8d3649841597bedfb6986c30431ebad0eb215265	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2019-3560`	vulnerable	2026-06-03 14:40:26.571635	Details available An improperly performed length calculation on a buffer in PlaintextRecordLayer could lead to an infinite loop and denial-of-service based on user input. This issue affected versions of fizz prior to v2019.03.04.00. Published: 2019-04-29T00:00:00.000Z Updated: 2025-02-13T16:27:24.219Z Open on db.gcve.eu Reference links https://github.com/facebookincubator/fizz/commit/40bbb161e72fb609608d53b9d64c56bb961a6ee2 http://packetstormsecurity.com/files/172836/polkit-Authentication-Bypass.html http://packetstormsecurity.com/files/172846/Facebook-Fizz-Denial-Of-Service.html	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2019-11924`	vulnerable	2026-06-03 14:39:34.017265	Details available A peer could send empty handshake fragments containing only padding which would be kept in memory until a full handshake was received, resulting in memory exhaustion. This issue affects versions v2019.01.28.00 and above of fizz, until v2019.08.05.00. Published: 2019-08-20T19:32:10.000Z Updated: 2024-08-04T23:10:29.521Z Open on db.gcve.eu Reference links https://github.com/facebookincubator/fizz/commit/6bf67137ef1ee5cd70c842b014c322b7deaf994b https://github.com/facebookincubator/fizz/commit/3eaddb33619eaaf74a760872850c550ad8f5c52f https://www.facebook.com/security/advisories/cve-2019-11924	Imported from gcve-enriched-dumps CVE data

Contribute

You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.