MidnightBSD

Advisories for netty

CVE-2014-0193 MEDIUM

WebSocket08FrameDecoder in Netty 3.6.x before 3.6.9, 3.7.x before 3.7.1, 3.8.x before 3.8.2, 3.9.x before 3.9.1, and 4.0.x before 4.0.19 allows remote attackers to cause a denial of service (memory consumption) via a TextWebSocketFrame followed by a long stream of ContinuationWebSocketFrames.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-399

Products Affected

Vendor Product Version
netty netty 3.6.7
netty netty 4.0.8
netty netty 3.6.2
netty netty 3.6.3
netty netty 3.8.1
netty netty 4.0.10
netty netty 3.6.0
netty netty 4.0.9
netty netty 3.9.0
netty netty 4.0.16
netty netty 4.0.1
netty netty 3.6.6
netty netty 4.0.4
netty netty 3.6.5
netty netty 4.0.13
netty netty 4.0.5
netty netty 3.6.8
netty netty 3.6.4
netty netty 4.0.11
netty netty 4.0.12
netty netty 4.0.18
netty netty 3.6.1
netty netty 4.0.2
netty netty 4.0.3
netty netty 4.0.15
netty netty 4.0.6
netty netty 4.0.7
netty netty 4.0.17
netty netty 4.0.14
netty netty 3.8.0
netty netty 3.7.0
netty netty 4.0.0

CVE-2014-3488 MEDIUM

The SslHandler in Netty before 3.9.2 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted SSLv2Hello message.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-119

Products Affected

Vendor Product Version
netty netty 3.6.8
netty netty *
netty netty 3.6.7
netty netty 3.6.2
netty netty 3.6.3
netty netty 3.6.4
netty netty 3.8.1
netty netty 3.6.0
netty netty 3.9.0
netty netty 3.6.1
netty netty 3.6.6
netty netty 3.8.0
netty netty 3.7.0
netty netty 3.6.5
netty netty 3.9.1

CVE-2015-2156 MEDIUM

Netty before 3.9.8.Final, 3.10.x before 3.10.3.Final, 4.0.x before 4.0.28.Final, and 4.1.x before 4.1.0.Beta5 and Play Framework 2.x before 2.3.9 might allow remote attackers to bypass the httpOnly flag on cookies and obtain sensitive information by leveraging improper validation of cookie name and value characters.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20

Products Affected

Vendor Product Version
lightbend play_framework 2.3.5
lightbend play_framework 2.0.2
lightbend play_framework 2.0.5
lightbend play_framework 2.2.6
netty netty 4.0.24
playframework play_framework 2.2.3
netty netty 4.0.9
netty netty 4.0.21
lightbend play_framework 2.0
playframework play_framework 2.1.3
playframework play_framework 2.0
lightbend play_framework 2.0.3
netty netty 4.0.1
playframework play_framework 2.3
lightbend play_framework 2.3.4
lightbend play_framework 2.0.6
lightbend play_framework 2.2.0
netty netty 4.0.5
lightbend play_framework 2.3.6
netty netty 4.0.26
netty netty 4.0.23
netty netty 4.0.11
netty netty 4.0.18
netty netty 3.10.2
netty netty 3.10.1
lightbend play_framework 2.1.0
playframework play_framework 2.1.4
playframework play_framework 2.2.2
netty netty 4.0.2
playframework play_framework 2.2.0
netty netty 4.0.22
netty netty 4.0.3
playframework play_framework 2.0.1
netty netty 3.10.0
lightbend play_framework 2.2.1
netty netty 4.1.0
netty netty *
netty netty 4.0.8
lightbend play_framework 2.3.3
netty netty 4.0.10
lightbend play_framework 2.0.7
lightbend play_framework 2.3.1
lightbend play_framework 2.3.2
netty netty 4.0.27
playframework play_framework 2.2.1
lightbend play_framework 2.1.1
playframework play_framework 2.1.5
netty netty 4.0.16
lightbend play_framework 2.0.4
netty netty 4.0.4
netty netty 4.0.13
playframework play_framework 2.1.1
netty netty 4.0.19
lightbend play_framework 2.2.2
lightbend play_framework 2.3.7
playframework play_framework 2.2.5
lightbend play_framework 2.0.8
lightbend play_framework 2.3.0
netty netty 4.0.12
netty netty 4.0.25
lightbend play_framework 2.3.8
playframework play_framework 2.1.6
netty netty 4.0.20
netty netty 4.0.15
netty netty 4.0.6
netty netty 4.0.7
netty netty 4.0.17
netty netty 4.0.14
playframework play_framework 2.2.4
netty netty 4.0.0
playframework play_framework 2.1.2

CVE-2016-4970 HIGH

handler/ssl/OpenSslEngine.java in Netty 4.0.x before 4.0.37.Final and 4.1.x before 4.1.1.Final allows remote attackers to cause a denial of service (infinite loop).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: HIGH

Problem Type: CWE-835

Products Affected

Vendor Product Version
netty netty *
redhat jboss_middleware_text-only_advisories 1.0
redhat jboss_data_grid 7.1
apache cassandra 3.11.4

CVE-2019-16869 MEDIUM

Netty before 4.1.42.Final mishandles whitespace before the colon in HTTP headers (such as a "Transfer-Encoding : chunked" line), which leads to HTTP request smuggling.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-444

Products Affected

Vendor Product Version
netty netty *
redhat jboss_enterprise_application_platform 7.4
debian debian_linux 9.0
canonical ubuntu_linux 18.04
redhat jboss_enterprise_application_platform 7.3
redhat jboss_enterprise_application_platform 7.2
debian debian_linux 10.0
debian debian_linux 8.0

CVE-2019-20444 MEDIUM

HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax, or might be interpreted as an "invalid fold."

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.1 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N 3.9 5.2

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-444

Products Affected

Vendor Product Version
netty netty *
redhat jboss_amq_clients 2
fedoraproject fedora 33
debian debian_linux 9.0
canonical ubuntu_linux 18.04
redhat jboss_enterprise_application_platform 7.3
redhat jboss_enterprise_application_platform 7.2
debian debian_linux 10.0
debian debian_linux 8.0

CVE-2019-20445 MEDIUM

HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding header.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.1 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N 3.9 5.2

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-444

Products Affected

Vendor Product Version
netty netty *
apache spark 2.4.8
redhat jboss_amq_clients 2
apache spark 2.4.7
fedoraproject fedora 33
debian debian_linux 9.0
canonical ubuntu_linux 18.04
redhat jboss_enterprise_application_platform 7.3
redhat jboss_enterprise_application_platform 7.2
debian debian_linux 10.0
debian debian_linux 8.0

CVE-2020-11612 MEDIUM

The ZlibDecoders in Netty 4.1.x before 4.1.46 allow for unbounded memory allocation while decoding a ZlibEncoded byte stream. An attacker could send a large ZlibEncoded byte stream to the Netty server, forcing the server to allocate all of its free memory to a single decoder.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-770

Products Affected

Vendor Product Version
oracle nosql_database *
netty netty *
oracle communications_cloud_native_core_service_communication_proxy 1.5.2
oracle communications_brm_-_elastic_charging_engine 12.0.0.3
netapp oncommand_api_services -
oracle siebel_core_-_server_framework *
debian debian_linux 10.0
oracle communications_messaging_server 8.1
oracle communications_design_studio 7.4.2
netapp oncommand_workflow_automation -
oracle webcenter_portal 12.2.1.3.0
oracle webcenter_portal 12.2.1.4.0
netapp oncommand_insight -
fedoraproject fedora 33
debian debian_linux 9.0

CVE-2020-7238 MEDIUM

Netty 4.1.43.Final allows HTTP Request Smuggling because it mishandles Transfer-Encoding whitespace (such as a [space]Transfer-Encoding:chunked line) and a later Content-Length header. This issue exists because of an incomplete fix for CVE-2019-16869.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-444

Products Affected

Vendor Product Version
netty netty 4.1.43
redhat jboss_enterprise_application_platform 7.4
fedoraproject fedora 33
debian debian_linux 9.0
redhat jboss_enterprise_application_platform 7.3
redhat jboss_enterprise_application_platform 7.2
redhat openshift_application_runtimes_text-only_advisories -
debian debian_linux 10.0
redhat jboss_enterprise_application_platform_text-only_advisories -
debian debian_linux 8.0

CVE-2021-21290 LOW

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty before version 4.1.59.Final there is a vulnerability on Unix-like systems involving an insecure temp file. When netty's multipart decoders are used, local information disclosure can occur via the local system temporary directory if temporary storing of uploads on the disk is enabled. On Unix-like systems, the temporary directory is shared between all users. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure. Of note, this does not impact modern macOS operating systems. The method "File.createTempFile" on Unix-like systems creates a random file, but by default will create this file with the permissions "-rw-r--r--". Thus, if sensitive information is written to this file, other local users can read this information. This is the case in netty's "AbstractDiskHttpData", which is vulnerable. This has been fixed in version 4.1.59.Final. As a workaround, one may specify one's own "java.io.tmpdir" when starting the JVM or use "DefaultHttpDataFactory.setBaseDir(...)" to set the directory to something that is only readable by the current user.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 1.8 3.6
security-advisories@github.com 6.2 MEDIUM CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 2.5 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-378, CWE-379, CWE-668

Products Affected

Vendor Product Version
oracle nosql_database *
netty netty *
oracle banking_corporate_lending_process_management 14.3.0
oracle communications_brm_-_elastic_charging_engine 12.0.0.3
oracle banking_trade_finance_process_management 14.2.0
quarkus quarkus *
netapp cloud_secure_agent -
oracle banking_corporate_lending_process_management 14.2.0
oracle banking_trade_finance_process_management 14.5.0
debian debian_linux 10.0
oracle communications_messaging_server 8.1
oracle communications_design_studio 7.4.2
oracle banking_credit_facilities_process_management 14.5.0
oracle banking_trade_finance_process_management 14.3.0
debian debian_linux 9.0
netapp snapcenter -
oracle banking_corporate_lending_process_management 14.5.0
netapp active_iq_unified_manager -
oracle banking_credit_facilities_process_management 14.3.0
oracle banking_credit_facilities_process_management 14.2.0

CVE-2021-21295 LOW

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.60.Final there is a vulnerability that enables request smuggling. If a Content-Length header is present in the original HTTP/2 request, the field is not validated by `Http2MultiplexHandler` as it is propagated up. This is fine as long as the request is not proxied through as HTTP/1.1. If the request comes in as an HTTP/2 stream, gets converted into the HTTP/1.1 domain objects (`HttpRequest`, `HttpContent`, etc.) via `Http2StreamFrameToHttpObjectCodec` and then sent up to the child channel's pipeline and proxied through a remote peer as HTTP/1.1, this may result in request smuggling. In a proxy case, users may assume the content-length is validated somehow, which is not the case. If the request is forwarded to a backend channel that is an HTTP/1.1 connection, the Content-Length now has meaning and needs to be checked. An attacker can smuggle requests inside the body as it gets downgraded from HTTP/2 to HTTP/1.1. For an example attack refer to the linked GitHub Advisory. Users are only affected if all of this is true: `HTTP2MultiplexCodec` or `Http2FrameCodec` is used, `Http2StreamFrameToHttpObjectCodec` is used to convert to HTTP/1.1 objects, and these HTTP/1.1 objects are forwarded to another remote peer. This has been patched in 4.1.60.Final. As a workaround, the user can do the validation themselves by implementing a custom `ChannelInboundHandler` that is put in the `ChannelPipeline` behind `Http2StreamFrameToHttpObjectCodec`.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 5.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N 2.2 3.6
nvd@nist.gov 5.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N 2.2 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-444

Products Affected

Vendor Product Version
netty netty *
quarkus quarkus *
netapp oncommand_api_services -
apache kudu *
apache zookeeper 3.5.9
debian debian_linux 10.0
netapp oncommand_workflow_automation -
oracle communications_cloud_native_core_policy 1.14.0

CVE-2021-21409 MEDIUM

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with endStream set to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a follow-up of GHSA-wm47-8v5p-wjpj/CVE-2021-21295, which failed to fix this one case. This was fixed as part of 4.1.61.Final.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 5.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N 2.2 3.6
nvd@nist.gov 5.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N 2.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-444

Products Affected

Vendor Product Version
oracle nosql_database *
netty netty *
oracle communications_brm_-_elastic_charging_engine 12.0.0.3
oracle banking_trade_finance_process_management 14.2.0
quarkus quarkus *
netapp oncommand_api_services -
oracle banking_corporate_lending_process_management 14.2.0
oracle communications_messaging_server 8.1
netapp oncommand_workflow_automation -
oracle helidon 1.4.10
oracle communications_cloud_native_core_console 1.7.0
oracle coherence 12.2.1.4.0
oracle banking_credit_facilities_process_management 14.3.0
oracle banking_credit_facilities_process_management 14.2.0
oracle banking_corporate_lending_process_management 14.3.0
oracle banking_trade_finance_process_management 14.5.0
debian debian_linux 10.0
oracle helidon 2.4.0
oracle communications_design_studio 7.4.2.0.0
oracle communications_cloud_native_core_policy 1.14.0
oracle banking_credit_facilities_process_management 14.5.0
oracle banking_trade_finance_process_management 14.3.0
oracle coherence 14.1.1.0.0
oracle jd_edwards_enterpriseone_tools *
oracle banking_corporate_lending_process_management 14.5.0
oracle primavera_gateway *

CVE-2021-37136 MEDIUM

The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are affected. Malicious input can trigger an OOME and so a DoS attack.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-400

Products Affected

Vendor Product Version
netty netty *
debian debian_linux 11.0
oracle communications_cloud_native_core_unified_data_repository 1.15.0
oracle communications_cloud_native_core_policy 1.15.0
oracle banking_digital_experience 18.2
quarkus quarkus *
oracle peoplesoft_enterprise_peopletools 8.48
oracle banking_apis 21.1
oracle communications_diameter_signaling_router *
oracle banking_digital_experience 20.1
oracle webcenter_portal 12.2.1.4.0
netapp oncommand_insight -
oracle banking_apis 20.1
oracle peoplesoft_enterprise_peopletools 8.58
oracle helidon 1.4.10
oracle commerce_guided_search 11.3.2
oracle banking_digital_experience 21.1
oracle coherence 12.2.1.4.0
oracle banking_digital_experience 18.3
oracle banking_digital_experience 19.2
oracle peoplesoft_enterprise_peopletools 8.57
oracle communications_cloud_native_core_security_edge_protection_proxy 1.7.0
oracle banking_apis 19.1
oracle banking_apis 19.2
debian debian_linux 10.0
oracle communications_cloud_native_core_binding_support_function 1.10.0
oracle communications_brm_-_elastic_charging_engine 12
oracle helidon 2.4.0
oracle webcenter_portal 12.2.1.3.0
oracle communications_instant_messaging_server 8.1
oracle communications_cloud_native_core_binding_support_function 1.11.0
oracle banking_digital_experience 19.1
oracle coherence 14.1.1.0.0
oracle communications_brm_-_elastic_charging_engine *
oracle peoplesoft_enterprise_peopletools 8.59
oracle banking_apis *
oracle banking_digital_experience 18.1
oracle communications_cloud_native_core_network_slice_selection_function 1.8.0

CVE-2021-37137 MEDIUM

The Snappy frame decoder function doesn't restrict the chunk length, which may lead to excessive memory usage. Besides this, it may also buffer reserved skippable chunks until the whole chunk has been received, which may lead to excessive memory usage as well. This vulnerability can be triggered by supplying malicious input that decompresses to a very large size (via a network stream or a file) or by sending a huge skippable chunk.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-400

Products Affected

Vendor Product Version
netty netty *
debian debian_linux 11.0
oracle banking_digital_experience 18.2
quarkus quarkus *
oracle banking_apis 21.1
oracle communications_diameter_signaling_router *
oracle banking_digital_experience 20.1
oracle communications_brm_-_elastic_charging_engine 12.0.0.5.0
oracle webcenter_portal 12.2.1.4.0
netapp oncommand_insight -
oracle banking_apis 20.1
oracle peoplesoft_enterprise_peopletools 8.58
oracle commerce_guided_search 11.3.2
oracle banking_digital_experience 21.1
oracle banking_digital_experience 18.3
oracle banking_digital_experience 19.2
oracle peoplesoft_enterprise_peopletools 8.57
oracle banking_apis 19.1
oracle banking_apis 19.2
debian debian_linux 10.0
oracle communications_cloud_native_core_binding_support_function 1.10.0
oracle webcenter_portal 12.2.1.3.0
oracle banking_digital_experience 19.1
oracle communications_brm_-_elastic_charging_engine *
oracle peoplesoft_enterprise_peopletools 8.59
oracle banking_apis *
oracle banking_digital_experience 18.1

CVE-2021-43797 MEDIUM

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Netty prior to version 4.1.71.Final skips control chars when they are present at the beginning / end of the header name. It should instead fail fast, as these are not allowed by the spec and could lead to HTTP request smuggling. Failing to do the validation might cause netty to "sanitize" header names before it forwards these to another remote system when used as a proxy. This remote system can't see the invalid usage anymore, and therefore does not do the validation itself. Users should upgrade to version 4.1.71.Final.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N 2.8 3.6
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-444

Products Affected

Vendor Product Version
oracle communications_cloud_native_core_security_edge_protection_proxy 1.7.0
netty netty *
debian debian_linux 11.0
oracle communications_cloud_native_core_unified_data_repository 1.15.0
oracle communications_cloud_native_core_policy 1.15.0
quarkus quarkus *
oracle banking_deposits_and_lines_of_credit_servicing 2.7
debian debian_linux 10.0
oracle helidon 2.4.0
oracle communications_design_studio 7.4.2
netapp oncommand_workflow_automation -
oracle banking_party_management 2.7.0
oracle banking_platform 2.6.2
oracle communications_instant_messaging_server 8.1
oracle communications_cloud_native_core_binding_support_function 1.11.0
oracle peoplesoft_enterprise_peopletools 8.58
oracle helidon 1.4.10
oracle coherence 14.1.1.0.0
oracle peoplesoft_enterprise_peopletools 8.59
oracle coherence 12.2.1.4.0
netapp snapcenter -
oracle communications_cloud_native_core_network_slice_selection_function 1.8.0

CVE-2022-24823 LOW

Netty is an open-source, asynchronous event-driven network application framework. The package `io.netty:netty-codec-http` prior to version 4.1.77.Final contains an insufficient fix for CVE-2021-21290. When Netty's multipart decoders are used, local information disclosure can occur via the local system temporary directory if temporary storing of uploads on the disk is enabled. This only impacts applications running on Java version 6 and lower. Additionally, this vulnerability impacts code running on Unix-like systems, and very old versions of Mac OSX and Windows, as they all share the system temporary directory between all users. Version 4.1.77.Final contains a patch for this vulnerability. As a workaround, specify one's own `java.io.tmpdir` when starting the JVM or use `DefaultHttpDataFactory.setBaseDir(...)` to set the directory to something that is only readable by the current user.

CVSS 2.0

Severity: LOW

Problem Type: CWE-378, CWE-379, CWE-668

Products Affected

Vendor Product Version
netty netty *
oracle financial_services_crime_and_compliance_management_studio 8.0.8.3.0
netapp snapcenter -
netapp oncommand_workflow_automation -
netapp active_iq_unified_manager -
oracle financial_services_crime_and_compliance_management_studio 8.0.8.2.0

CVE-2022-41881

Netty project is an event-driven asynchronous network application framework. In versions prior to 4.1.86.Final, a StackOverflowError can be raised when parsing a malformed crafted message due to an infinite recursion. This issue is patched in version 4.1.86.Final. There is no workaround, except using a custom HaProxyMessageDecoder.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L 3.9 1.4
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
netty netty *
debian debian_linux 11.0
debian debian_linux 10.0

CVE-2022-41915

Netty project is an event-driven asynchronous network application framework. Starting in version 4.1.83.Final and prior to 4.1.86.Final, when calling `DefaultHttpHeaders.set` with an _iterator_ of values, header value validation was not performed, allowing malicious header values in the iterator to perform HTTP Response Splitting. This issue has been patched in version 4.1.86.Final. Integrators can work around the issue by changing the `DefaultHttpHeaders.set(CharSequence, Iterator<?>)` call into a `remove()` call, and calling `add()` in a loop over the iterator of values.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N 3.9 2.5
security-advisories@github.com 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N 3.9 2.5

Products Affected

Vendor Product Version
netty netty *
debian debian_linux 11.0
debian debian_linux 10.0

CVE-2023-34462

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. The `SniHandler` can allocate up to 16MB of heap for each channel during the TLS handshake. When the handler or the channel does not have an idle timeout, it can be used to make a TCP server using the `SniHandler` allocate 16MB of heap. The `SniHandler` class is a handler that waits for the TLS handshake to configure a `SslHandler` according to the server name indicated by the `ClientHello` record. For this matter it allocates a `ByteBuf` using the value defined in the `ClientHello` record. Normally the value of the packet should be smaller than the handshake packet, but there are no checks done here and, the way the code is written, it is possible to craft a packet that makes the `SslClientHelloHandler`. This vulnerability has been fixed in version 4.1.94.Final.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

Products Affected

Vendor Product Version
netty netty *

CVE-2023-44487

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
jenkins jenkins *
redhat build_of_quarkus -
f5 big-ip_websafe 17.1.0
f5 big-ip_global_traffic_manager *
cisco ios_xe *
f5 big-ip_advanced_firewall_manager *
ietf http 2.0
f5 big-ip_ssl_orchestrator 17.1.0
redhat fence_agents_remediation_operator -
redhat integration_camel_k -
nodejs node.js *
apache tomcat *
dena h2o *
traefik traefik 3.0.0
microsoft windows_11_22h2 *
f5 big-ip_application_security_manager *
cisco connected_mobile_experiences *
microsoft windows_10_1809 *
fedoraproject fedora 37
redhat build_of_optaplanner 8.0
redhat advanced_cluster_security 4.0
microsoft visual_studio_2022 *
varnish_cache_project varnish_cache *
grpc grpc 1.57.0
redhat openshift_serverless -
linkerd linkerd 2.13.1
akka http_server *
apple swiftnio_http/2 *
redhat migration_toolkit_for_containers -
apache tomcat 11.0.0
redhat logging_subsystem_for_red_hat_openshift -
redhat web_terminal -
redhat node_maintenance_operator -
f5 big-ip_advanced_web_application_firewall 17.1.0
redhat advanced_cluster_security 3.0
apache apisix *
golang http2 *
microsoft windows_server_2019 -
cisco expressway *
linkerd linkerd 2.13.0
redhat openshift_api_for_data_protection -
redhat self_node_remediation_operator -
redhat openstack_platform 16.1
cisco crosswork_zero_touch_provisioning *
f5 big-ip_domain_name_system *
facebook proxygen *
debian debian_linux 11.0
caddyserver caddy *
microsoft cbl-mariner *
cisco unified_contact_center_domain_manager -
f5 big-ip_application_security_manager 17.1.0
microsoft windows_server_2016 -
redhat openshift_service_mesh 2.0
netapp oncommand_insight -
f5 big-ip_global_traffic_manager 17.1.0
redhat run_once_duration_override_operator -
redhat cost_management -
f5 big-ip_analytics *
linecorp armeria *
cisco secure_malware_analytics *
cisco telepresence_video_communication_server *
redhat openshift_data_science -
microsoft .net *
redhat openshift_distributed_tracing -
cisco enterprise_chat_and_email -
f5 big-ip_application_acceleration_manager 17.1.0
f5 big-ip_local_traffic_manager 17.1.0
redhat node_healthcheck_operator -
projectcontour contour *
redhat single_sign-on 7.0
cisco iot_field_network_director *
cisco crosswork_situation_manager -
f5 big-ip_websafe *
grpc grpc *
redhat openstack_platform 17.1
f5 big-ip_next 20.0.1
redhat service_telemetry_framework 1.5
f5 big-ip_policy_enforcement_manager 17.1.0
redhat integration_service_registry -
linkerd linkerd 2.14.0
f5 big-ip_access_policy_manager 17.1.0
f5 big-ip_analytics 17.1.0
envoyproxy envoy 1.26.4
cisco prime_network_registrar *
redhat decision_manager 7.0
envoyproxy envoy 1.27.0
redhat certification_for_red_hat_enterprise_linux 8.0
redhat openshift_container_platform 4.0
microsoft windows_10_22h2 *
cisco unified_contact_center_enterprise_-_live_data_server *
cisco crosswork_data_gateway *
redhat jboss_a-mq 7
redhat ansible_automation_platform 2.0
redhat cryostat 2.0
nghttp2 nghttp2 *
cisco prime_infrastructure *
eclipse jetty *
redhat openshift_container_platform_assisted_installer -
redhat satellite 6.0
golang go *
redhat jboss_enterprise_application_platform 7.0.0
redhat jboss_fuse 7.0.0
redhat openshift_gitops -
redhat enterprise_linux 8.0
redhat openstack_platform 16.2
cisco nx-os *
f5 big-ip_fraud_protection_service 17.1.0
redhat jboss_core_services -
redhat jboss_fuse 6.0.0
redhat jboss_enterprise_application_platform 6.0.0
cisco ultra_cloud_core_-_session_management_function *
f5 big-ip_link_controller 17.1.0
redhat openshift -
envoyproxy envoy 1.25.9
redhat jboss_a-mq_streams -
cisco ultra_cloud_core_-_policy_control_function *
konghq kong_gateway *
f5 big-ip_domain_name_system 17.1.0
f5 big-ip_local_traffic_manager *
redhat certification_for_red_hat_enterprise_linux 9.0
netty netty *
f5 big-ip_ssl_orchestrator *
redhat network_observability_operator -
f5 big-ip_webaccelerator *
redhat cert-manager_operator_for_red_hat_openshift -
redhat service_interconnect 1.0
microsoft windows_10_21h2 *
redhat openshift_developer_tools_and_services -
f5 big-ip_next_service_proxy_for_kubernetes *
redhat openshift_virtualization 4
f5 nginx_plus r30
f5 nginx *
cisco unified_contact_center_enterprise -
f5 big-ip_access_policy_manager *
f5 big-ip_policy_enforcement_manager *
microsoft asp.net_core *
istio istio *
redhat advanced_cluster_management_for_kubernetes 2.0
cisco prime_cable_provisioning *
redhat ceph_storage 5.0
redhat migration_toolkit_for_applications 6.0
f5 nginx_ingress_controller *
redhat jboss_data_grid 7.0.0
amazon opensearch_data_prepper *
debian debian_linux 12.0
f5 big-ip_carrier-grade_nat 17.1.0
apache traffic_server *
redhat process_automation 7.0
cisco business_process_automation *
fedoraproject fedora 38
f5 big-ip_application_visibility_and_reporting *
openresty openresty *
f5 nginx_plus r29
redhat enterprise_linux 6.0
redhat enterprise_linux 9.0
f5 nginx_plus *
cisco fog_director *
f5 big-ip_advanced_web_application_firewall *
golang networking *
f5 big-ip_advanced_firewall_manager 17.1.0
f5 big-ip_link_controller *
redhat support_for_spring_boot -
f5 big-ip_fraud_protection_service *
f5 big-ip_ddos_hybrid_defender *
cisco firepower_threat_defense *
netapp astra_control_center -
f5 big-ip_webaccelerator 17.1.0
envoyproxy envoy 1.24.10
cisco secure_dynamic_attributes_connector *
redhat openshift_sandboxed_containers -
f5 big-ip_carrier-grade_nat *
debian debian_linux 10.0
cisco secure_web_appliance_firmware *
cisco ultra_cloud_core_-_policy_control_function 2024.01.0
cisco unified_attendant_console_advanced -
redhat openshift_pipelines -
cisco unified_contact_center_management_portal -
microsoft windows_11_21h2 *
apache solr *
cisco ultra_cloud_core_-_serving_gateway_function *
kazu-yamamoto http2 *
linkerd linkerd *
redhat 3scale_api_management_platform 2.0
redhat openshift_dev_spaces -
f5 big-ip_application_acceleration_manager *
f5 big-ip_ddos_hybrid_defender 17.1.0
cisco data_center_network_manager -
f5 big-ip_application_visibility_and_reporting 17.1.0
microsoft windows_10_1607 *
cisco prime_access_registrar *
redhat quay 3.0.0
linkerd linkerd 2.14.1
traefik traefik *
microsoft azure_kubernetes_service *
redhat integration_camel_for_spring_boot -
cisco ios_xr *
redhat migration_toolkit_for_virtualization -
cisco crosswork_data_gateway 5.0
microsoft windows_server_2022 -
redhat machine_deletion_remediation_operator -
redhat openshift_secondary_scheduler_operator -

CVE-2024-29025

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. The `HttpPostRequestDecoder` can be tricked into accumulating data. While the decoder can store items on the disk if configured so, there are no limits to the number of fields the form can have; an attacker can send a chunked post consisting of many small fields that will be accumulated in the `bodyListHttpData` list. The decoder accumulates bytes in the `undecodedChunk` buffer until it can decode a field, and this field can accumulate data without limits. This vulnerability is fixed in 4.1.108.Final.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L 3.9 1.4

Products Affected

Vendor Product Version
netty netty *
debian debian_linux 10.0
CVE-2024-36121

netty-incubator-codec-ohttp is the OHTTP implementation for netty. BoringSSLAEADContext keeps track of how many OHTTP responses have been sent and uses this sequence number to calculate the appropriate nonce to use with the encryption algorithm. Unfortunately, two separate errors combine to allow an attacker to cause the sequence number to overflow and thus the nonce to repeat.
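Why an overflowing sequence number is fatal for an AEAD, as an added example (Python, not the codec's code): HPKE (RFC 9180, section 5.2) forms each nonce as `base_nonce XOR I2OSP(seq, Nn)` and requires the context to refuse further encryption once `seq` reaches `2^(8*Nn) - 1`. The class below is a constructed model with an `enforce_limit` switch; with it off the counter wraps to zero like a fixed-width integer and the very first nonce comes back, which is the repeat the advisory warns about. The base nonce is a constructed constant.

```python
class NonceExhausted(Exception):
    """HPKE MessageLimitReachedError: the context must not encrypt again."""


class AeadSeqContext:
    """Per-direction AEAD sequence counter in the style of HPKE (RFC 9180, 5.2).

    Added illustration, not netty-incubator-codec-ohttp code. Each call derives
    nonce = base_nonce XOR I2OSP(seq, Nn) and advances seq. With
    enforce_limit=True the counter refuses to pass 2^(8*Nn) - 1; with
    enforce_limit=False it wraps to 0, so the nonce for seq 0 is reused.
    """

    def __init__(self, base_nonce, enforce_limit=True):
        self.base_nonce = base_nonce
        self.nn = len(base_nonce)
        self.limit = (1 << (8 * self.nn)) - 1   # largest encodable seq
        self.enforce_limit = enforce_limit
        self.seq = 0
        self.exhausted = False

    def next_nonce(self):
        if self.exhausted:
            raise NonceExhausted("sequence number space used up")
        seq_bytes = self.seq.to_bytes(self.nn, "big")
        nonce = bytes(b ^ s for b, s in zip(self.base_nonce, seq_bytes))
        if self.seq == self.limit:
            if self.enforce_limit:
                self.exhausted = True   # this was the last permitted message
            else:
                self.seq = 0            # overflow: counter wraps, nonce reuse follows
        else:
            self.seq += 1
        return nonce


def first_repeat(nonces):
    """Return (i, j) for the first pair of equal nonces, or None."""
    seen = {}
    for j, nonce in enumerate(nonces):
        if nonce in seen:
            return seen[nonce], j
        seen[nonce] = j
    return None


def demo(enforce_limit):
    base = bytes.fromhex("000102030405060708090a0b")   # constructed 12-byte base nonce (Nn = 12, AES-GCM)
    ctx = AeadSeqContext(base, enforce_limit=enforce_limit)
    nonces = [ctx.next_nonce()]       # seq 0
    ctx.seq = ctx.limit               # jump to the last valid seq (2^96 messages in reality)
    nonces.append(ctx.next_nonce())   # seq 2^96 - 1, still unique
    try:
        nonces.append(ctx.next_nonce())   # must fail; a wrapped counter emits the seq-0 nonce again
    except NonceExhausted:
        return "limit-enforced", first_repeat(nonces)
    return "wrapped", first_repeat(nonces)


if __name__ == "__main__":
    print(demo(True))    # ('limit-enforced', None)
    print(demo(False))   # ('wrapped', (0, 2))
```

With a 96-bit nonce the limit is unreachable in practice, which is exactly why the check tends to be wrong without anyone noticing: the dangerous case is a counter held in a narrower integer, or compared against the wrong variable, so that wrap-around happens long before 2^96.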

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 5.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N 1.6 4.2

Products Affected

Vendor Product Version
netty netty-incubator-codec-ohttp *
CVE-2024-40642

The netty incubator codec bhttp is a Java binary HTTP parser. In affected versions the `BinaryHttpParser` class does not properly validate input values, giving attackers almost complete control over the HTTP requests constructed from the parsed output. Attackers can abuse several issues individually to perform various injection attacks, including HTTP request smuggling, desync attacks, HTTP header injection, request queue poisoning, caching attacks and Server Side Request Forgery (SSRF). An attacker could also combine several issues to create well-formed messages for other text-based protocols, which may result in attacks beyond the HTTP protocol. The `BinaryHttpParser` class implements the `readRequestHead` method, which performs most of the relevant parsing of the received request. The data structure prefixes each value with a variable-length integer. The parsing code first reads the lengths of the values from those prefixes. Once it has all of the lengths and has calculated all of the indices, the parser casts the applicable slices of the `ByteBuf` to `String`. Finally, it passes these values into a new `DefaultBinaryHttpRequest` object, where no further parsing or validation occurs. The method is partially validated; the other values are not validated at all. Software that relies on netty to apply input validation for binary HTTP data may be vulnerable to various injection and protocol-based attacks. This issue has been addressed in version 0.0.13.Final. Users are advised to upgrade. There are no known workarounds for this vulnerability.
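The parsing sequence described above, reproduced as an added example (Python, not the codec's `BinaryHttpParser`): a known-length bHTTP request head per RFC 9292 is a framing indicator, then length-prefixed method, scheme, authority and path, then a length-prefixed field section of length-prefixed name/value pairs, all lengths being RFC 9000 variable-length integers. `validate=False` hands every slice back unchecked, as the advisory describes; `validate=True` applies the token and visible-character rules of RFC 9110 so that a CR/LF-laden path or header value never reaches whatever later serializes the request as HTTP/1.1. The function names and the hostile message are constructed for this example.

```python
import string

TCHAR = frozenset(string.ascii_letters + string.digits + "!#$%&'*+-.^_`|~")  # RFC 9110 token chars


def encode_varint(v):
    """RFC 9000 variable-length integer (two-bit length prefix), as used by RFC 9292."""
    if v < 1 << 6:
        return v.to_bytes(1, "big")
    if v < 1 << 14:
        return (v | 0x4000).to_bytes(2, "big")
    if v < 1 << 30:
        return (v | 0x80000000).to_bytes(4, "big")
    if v < 1 << 62:
        return (v | 0xC000000000000000).to_bytes(8, "big")
    raise ValueError("varint too large")


def decode_varint(buf, pos):
    if pos >= len(buf):
        raise ValueError("truncated varint")
    length = 1 << (buf[pos] >> 6)
    if pos + length > len(buf):
        raise ValueError("truncated varint")
    v = int.from_bytes(buf[pos:pos + length], "big") & ((1 << (8 * length - 2)) - 1)
    return v, pos + length


def _read_string(buf, pos):
    """Length-prefixed byte string; the declared length must lie inside the buffer."""
    n, pos = decode_varint(buf, pos)
    if n > len(buf) - pos:
        raise ValueError("length prefix runs past end of input")
    return bytes(buf[pos:pos + n]), pos + n


def _is_token(b):
    return len(b) > 0 and all(chr(c) in TCHAR for c in b)


def _is_vchar(b):   # printable only: no SP, CR, LF or other controls
    return all(0x21 <= c <= 0x7E or c >= 0x80 for c in b)


def _is_field_value(b):   # SP and HTAB allowed, CR/LF/NUL and other controls are not
    return all(c == 0x09 or 0x20 <= c <= 0x7E or c >= 0x80 for c in b)


def parse_request_head(buf, validate=True):
    """Parse control data and header section of a known-length bHTTP request."""
    framing, pos = decode_varint(buf, 0)
    if framing != 0:
        raise ValueError("only known-length requests (framing indicator 0) handled here")
    method, pos = _read_string(buf, pos)
    scheme, pos = _read_string(buf, pos)
    authority, pos = _read_string(buf, pos)
    path, pos = _read_string(buf, pos)
    section_len, pos = decode_varint(buf, pos)
    end = pos + section_len
    if end > len(buf):
        raise ValueError("truncated field section")
    headers = []
    while pos < end:
        name, pos = _read_string(buf, pos)
        value, pos = _read_string(buf, pos)
        headers.append((name, value))
    if pos != end:
        raise ValueError("field lines overrun the declared section length")
    if validate:
        if not _is_token(method):
            raise ValueError("invalid method")
        if scheme not in (b"http", b"https"):
            raise ValueError("invalid scheme")
        if not _is_vchar(authority) or not path or not _is_vchar(path):
            raise ValueError("invalid authority or path")
        for name, value in headers:
            if not _is_token(name) or not _is_field_value(value):
                raise ValueError("invalid field line")
    return {"method": method, "scheme": scheme, "authority": authority,
            "path": path, "headers": headers}


def encode_request_head(method, scheme, authority, path, headers):
    """Inverse of parse_request_head, used here only to build test input."""
    def s(b):
        return encode_varint(len(b)) + b
    section = b"".join(s(n) + s(v) for n, v in headers)
    return (encode_varint(0) + s(method) + s(scheme) + s(authority) + s(path)
            + encode_varint(len(section)) + section)


def demo():
    benign = encode_request_head(b"GET", b"https", b"example.com", b"/index",
                                 [(b"accept", b"*/*")])
    # Constructed hostile message: the path carries a second request line.
    evil_path = b"/ HTTP/1.1\r\nHost: example.com\r\n\r\nGET /admin"
    evil = encode_request_head(b"GET", b"https", b"example.com", evil_path,
                               [(b"x-note", b"a\r\nx-injected: y")])
    lenient = parse_request_head(evil, validate=False)
    try:
        parse_request_head(evil, validate=True)
        rejected = False
    except ValueError:
        rejected = True
    return parse_request_head(benign)["path"], lenient["path"], rejected


if __name__ == "__main__":
    print(demo())   # (b'/index', b'/ HTTP/1.1\r\nHost: example.com\r\n\r\nGET /admin', True)
```

Two checks matter beyond the character classes: every length prefix is compared against the bytes actually present before slicing, and the field section must end exactly where its own length says, so an attacker cannot hide a field line in the gap.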

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 8.1 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 2.2 5.9

Products Affected

Vendor Product Version
netty netty-incubator-codec-ohttp *
CVE-2024-47535

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. An unsafe read of an environment file could cause a denial of service in Netty. When loaded in a Windows application, Netty attempts to load a file that does not exist. If an attacker creates such a file and makes it large, the Netty application crashes. This vulnerability is fixed in 4.1.115.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 1.8 3.6

Products Affected

Vendor Product Version
netty netty *
CVE-2025-24970

Netty, an asynchronous, event-driven network application framework, has a vulnerability starting in version 4.1.91.Final and prior to version 4.1.118.Final. When a specially crafted packet is received via SslHandler, the handler does not correctly validate the packet in all cases, which can lead to a native crash. Version 4.1.118.Final contains a patch. As a workaround, it is possible either to disable the use of the native SSLEngine or to change the code manually.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
netapp oncommand_insight -
netty netty *
netapp active_iq_unified_manager -
CVE-2025-25193

Netty, an asynchronous, event-driven network application framework, has a vulnerability in versions up to and including 4.1.118.Final. An unsafe read of an environment file could cause a denial of service in Netty. When loaded in a Windows application, Netty attempts to load a file that does not exist. If an attacker creates such a file and makes it large, the Netty application crashes. A similar issue was previously reported as CVE-2024-47535. That issue was fixed, but the fix was incomplete in that null bytes were not counted against the input limit. Commit d1fbda62d3a47835d3fb35db8bd42ecc205a5386 contains an updated fix.
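The incomplete fix from CVE-2024-47535 and its bypass, as an added example that serves both advisories (Python, not Netty's reader; the function, the budget and the hostile file content are constructed). The reader stops once more than `max_bytes` have been read; with `count_nul=False` it skips NUL bytes in the running total, so a file that is almost entirely NULs is retained in full while the counter never moves.

```python
import io


class InputTooLarge(Exception):
    """The file exceeded the byte budget; stop reading instead of buffering it all."""


def read_bounded(stream, max_bytes, count_nul=True):
    """Read stream into memory, refusing once more than max_bytes have arrived.

    Added illustration. count_nul=False reproduces the incomplete fix the
    advisory describes: NUL bytes are left out of the running total, so a
    NUL-padded file never trips the limit although every byte is kept.
    """
    out = bytearray()
    counted = 0
    while True:
        chunk = stream.read(4096)
        if not chunk:
            return bytes(out)
        out += chunk
        counted += len(chunk) if count_nul else len(chunk.replace(b"\x00", b""))
        if counted > max_bytes:
            raise InputTooLarge("more than %d bytes" % max_bytes)


def demo(padding=1 << 20, limit=1 << 16):
    # Constructed hostile file: one short line followed by a megabyte of NULs.
    data = b"key=value\n" + b"\x00" * padding
    retained_by_incomplete_fix = len(read_bounded(io.BytesIO(data), limit, count_nul=False))
    try:
        read_bounded(io.BytesIO(data), limit)
        fixed_rejects = False
    except InputTooLarge:
        fixed_rejects = True
    return retained_by_incomplete_fix, fixed_rejects


if __name__ == "__main__":
    print(demo())   # (1048586, True)
```

The general rule this illustrates: a size limit must be measured on the bytes actually consumed from the source, never on a filtered or decoded view of them.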

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 1.8 3.6

Products Affected

Vendor Product Version
netty netty *
CVE-2025-55163

Netty is an asynchronous, event-driven network application framework. Prior to versions 4.1.124.Final and 4.2.4.Final, Netty is vulnerable to MadeYouReset DDoS. This is a logical vulnerability in the HTTP/2 protocol that uses malformed HTTP/2 control frames to break the max concurrent streams limit, which results in resource exhaustion and distributed denial of service. This issue has been patched in versions 4.1.124.Final and 4.2.4.Final.
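How a malformed control frame defeats the concurrency limit, as an added model (Python, not Netty's HTTP/2 codec; the class, its counters and the attack loop are constructed). A WINDOW_UPDATE with increment 0 is a stream error under RFC 9113 section 6.9, so the server itself sends RST_STREAM and the stream stops counting against `max_concurrent_streams`, while the request handler started by HEADERS keeps running. An ordinary flood is refused at the limit; the reset loop is not. The `reset_budget` is an assumed mitigation for comparison (a cap on server-initiated resets per connection), not a statement of what the Netty patch does.

```python
class ConnectionClosed(Exception):
    """Server sent GOAWAY; the attacker has to reconnect."""


class H2StreamAccounting:
    """Server-side stream bookkeeping for one HTTP/2 connection.

    Added model, not Netty code. open_streams is what the concurrency limit
    counts; running_handlers is the work the server is actually doing.
    """

    def __init__(self, max_concurrent_streams=100, reset_budget=None):
        self.max_concurrent_streams = max_concurrent_streams
        self.reset_budget = reset_budget      # assumed mitigation, None = no cap
        self.open_streams = set()
        self.running_handlers = []
        self.server_resets = 0
        self.refused = 0

    def on_headers(self, stream_id):
        if len(self.open_streams) >= self.max_concurrent_streams:
            self.refused += 1                 # RST_STREAM(REFUSED_STREAM): limit does its job
            return
        self.open_streams.add(stream_id)
        self.running_handlers.append(stream_id)

    def on_window_update(self, stream_id, increment):
        if increment == 0 and stream_id in self.open_streams:
            # RFC 9113, 6.9: increment 0 is a stream error. The server sends
            # RST_STREAM(PROTOCOL_ERROR) and closes the stream; the handler
            # started by on_headers keeps running regardless.
            self.open_streams.discard(stream_id)
            self.server_resets += 1
            if self.reset_budget is not None and self.server_resets > self.reset_budget:
                raise ConnectionClosed("too many server-initiated resets")


def made_you_reset(server, requests):
    """Constructed attack loop: open a stream, provoke a server reset, repeat."""
    sent = 0
    try:
        for stream_id in range(1, 2 * requests, 2):   # client-initiated streams are odd
            server.on_headers(stream_id)
            server.on_window_update(stream_id, 0)
            sent += 1
    except ConnectionClosed:
        pass
    return {"sent": sent, "open": len(server.open_streams),
            "running": len(server.running_handlers), "refused": server.refused}


def demo(requests=10000):
    plain = H2StreamAccounting()
    for stream_id in range(1, 2 * requests, 2):
        plain.on_headers(stream_id)               # ordinary flood: limit holds, surplus refused
    return {
        "plain_flood": (len(plain.open_streams), plain.refused),
        "made_you_reset": made_you_reset(H2StreamAccounting(), requests),
        "with_reset_budget": made_you_reset(H2StreamAccounting(reset_budget=50), requests)["sent"],
    }


if __name__ == "__main__":
    print(demo())
```

The number to watch in detection is therefore not open streams but server-originated RST_STREAM frames per connection, or the gap between streams the peer has opened and handlers still running.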

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
netty netty *
CVE-2025-58056

Netty is an asynchronous event-driven network application framework for development of maintainable high performance protocol servers and clients. In versions 4.1.124.Final, and 4.2.0.Alpha3 through 4.2.4.Final, Netty incorrectly accepts a standalone newline character (LF) as a chunk-size line terminator, regardless of whether a carriage return (CR) precedes it, instead of requiring CRLF as HTTP/1.1 mandates. When combined with a reverse proxy that parses LF differently (treating it as part of the chunk extension), attackers can craft requests that the proxy sees as one request but Netty processes as two, enabling request smuggling attacks. This is fixed in versions 4.1.125.Final and 4.2.5.Final.
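The two readings of one byte stream, as an added example (Python, not Netty's `HttpObjectDecoder`; the parser, the body builder and the smuggled request are constructed). One chunked-body decoder has a switch for the flawed behaviour: with `bare_lf_terminates=True` a lone LF ends the chunk-size line, with `False` only CRLF does and the LF is just part of the chunk extension. Fed the same body, the strict reading consumes it entirely as one request while the lenient reading finishes early and leaves a complete second request behind it.

```python
def _read_chunk_size_line(buf, pos, bare_lf_terminates):
    """Return (chunk_size, pos_after_line).

    bare_lf_terminates=True is the flawed behaviour: a lone LF ends the line.
    False is the RFC 9112 reading: only CRLF ends it, and an LF inside the
    line is just another byte of the chunk extension.
    """
    if bare_lf_terminates:
        end = buf.find(b"\n", pos)
        if end < 0:
            raise ValueError("no line terminator")
        line = buf[pos:end]
        if line.endswith(b"\r"):
            line = line[:-1]
        after = end + 1
    else:
        end = buf.find(b"\r\n", pos)
        if end < 0:
            raise ValueError("no CRLF line terminator")
        line = buf[pos:end]
        after = end + 2
    size_field = line.split(b";", 1)[0].strip()
    return int(size_field, 16), after


def decode_chunked(buf, bare_lf_terminates):
    """Decode one chunked body from buf[0:]; return (payload, bytes_consumed)."""
    pos = 0
    payload = bytearray()
    while True:
        size, pos = _read_chunk_size_line(buf, pos, bare_lf_terminates)
        if size == 0:
            while True:                       # trailer section ends with an empty line
                end = buf.find(b"\r\n", pos)
                if end < 0:
                    raise ValueError("truncated trailers")
                line, pos = buf[pos:end], end + 2
                if not line:
                    return bytes(payload), pos
        if len(buf) - pos < size:
            raise ValueError("truncated chunk data")
        payload += buf[pos:pos + size]
        pos += size
        if buf[pos:pos + 2] != b"\r\n":
            raise ValueError("chunk data not followed by CRLF")
        pos += 2


SMUGGLED = (b"GET /admin HTTP/1.1\r\n"
            b"Host: example.com\r\n"
            b"Content-Length: 7\r\n\r\n")   # Content-Length swallows the trailing "\r\n0\r\n\r\n"


def build_desync_body():
    """Constructed attacker body.

    Both parsers read the same hex size. The lenient one stops the size line
    at the LF and takes the run of 'A's as chunk data; the strict one keeps
    reading the same line up to the CRLF after the 'A's and takes the bytes
    that follow, which hold the smuggled request, as chunk data.
    """
    inner = b"0\r\n\r\n" + SMUGGLED           # lenient parser: last chunk, then request two
    size = b"%x" % len(inner)
    return (size + b";\n" + b"A" * len(inner) + b"\r\n"
            + inner + b"\r\n"                           # strict parser: chunk data plus CRLF
            + b"0\r\n\r\n")                             # strict parser: last chunk


def demo():
    body = build_desync_body()
    _, strict_consumed = decode_chunked(body, bare_lf_terminates=False)
    _, lenient_consumed = decode_chunked(body, bare_lf_terminates=True)
    leftover = body[lenient_consumed:]
    return (strict_consumed == len(body),                  # proxy: one request, body fully consumed
            leftover == SMUGGLED + b"\r\n0\r\n\r\n",       # lenient side: a second request follows
            leftover.split(b"\r\n", 1)[0])


if __name__ == "__main__":
    print(demo())   # (True, True, b'GET /admin HTTP/1.1')
```

Note that the attack needs no disagreement about the chunk size itself, only about where the size line ends; the second request is hidden entirely inside what the proxy treats as opaque chunk data.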

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N 3.9 3.6

Products Affected

Vendor Product Version
netty netty *
CVE-2025-58057

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In netty-codec versions 4.1.124.Final and below, and netty-codec-compression versions 4.2.4.Final and below, when supplied with specially crafted input, BrotliDecoder and certain other decompression decoders will allocate a large number of reachable byte buffers, which can lead to denial of service. BrotliDecoder.decompress has no limit on how often it calls pull, decompressing data 64K bytes at a time. The buffers are saved in the output list and remain reachable until OOM is hit. This is fixed in versions 4.1.125.Final of netty-codec and 4.2.5.Final of netty-codec-compression.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
netty netty *
CVE-2025-67735

Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.129.Final and 4.2.8.Final, `io.netty.handler.codec.http.HttpRequestEncoder` is subject to CRLF injection through the request URI when constructing a request. This leads to request smuggling when `HttpRequestEncoder` is used without proper sanitization of the URI. Any application or framework using `HttpRequestEncoder` can be abused to perform request smuggling via CRLF injection. Versions 4.1.129.Final and 4.2.8.Final fix the issue.
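The encoder-side counterpart of the chunked desync, as an added example (Python, not Netty's `HttpRequestEncoder`; the functions and the attacker-controlled URI are constructed). Writing the URI into the request line verbatim lets a CR/LF inside it terminate the line early, and everything after it is parsed by the upstream as a second request head. The validating variant refuses any URI containing SP, CR, LF or another control character, which is the check a request-line writer needs before it trusts a URI.

```python
def encode_request(method, uri, headers, validate=True):
    """Serialize an HTTP/1.1 request head. Added illustration, not Netty's encoder.

    validate=True rejects a URI containing SP, CR, LF or any other control
    character, which is what a request-line writer must check before it
    interpolates caller-supplied text.
    """
    if validate and any(ord(c) <= 0x20 or ord(c) == 0x7F for c in uri):
        raise ValueError("request URI contains whitespace or control characters")
    lines = ["%s %s HTTP/1.1" % (method, uri)] + ["%s: %s" % kv for kv in headers]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")


def split_request_heads(stream):
    """Request heads an HTTP/1.1 peer would see in the byte stream (blank-line separated)."""
    return [part for part in stream.split(b"\r\n\r\n") if part]


def demo():
    # Constructed attacker-controlled URI, e.g. a redirect target copied without escaping.
    uri = "/search?q=x HTTP/1.1\r\nHost: upstream\r\n\r\nGET /admin"
    unsafe = encode_request("GET", uri, [("Host", "upstream")], validate=False)
    heads = split_request_heads(unsafe)
    try:
        encode_request("GET", uri, [("Host", "upstream")])
        rejected = False
    except ValueError:
        rejected = True
    return len(heads), heads[1].split(b"\r\n", 1)[0], rejected


if __name__ == "__main__":
    print(demo())   # (2, b'GET /admin HTTP/1.1', True)
```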

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N 3.9 2.5

Products Affected

Vendor Product Version
netty netty *
CVE-2026-33870

Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, Netty incorrectly parses quoted strings in HTTP/1.1 chunked transfer encoding extension values, enabling request smuggling attacks. Versions 4.1.132.Final and 4.2.10.Final fix the issue.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N 3.9 3.6

Products Affected

Vendor Product Version
netty netty *
CVE-2026-33871

Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, a remote user can trigger a Denial of Service (DoS) against a Netty HTTP/2 server by sending a flood of `CONTINUATION` frames. The server's lack of a limit on the number of `CONTINUATION` frames, combined with a bypass of the existing size-based mitigations using zero-byte frames, allows a user to cause excessive CPU consumption with minimal bandwidth, rendering the server unresponsive. Versions 4.1.132.Final and 4.2.10.Final fix the issue.
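Why a byte limit alone does not stop this flood, as an added model (Python, not Netty's HTTP/2 codec; the assembler class, its parameters and the frame lists are constructed). Header blocks are reassembled from a HEADERS frame plus any number of CONTINUATION frames until END_HEADERS; the usual guard caps the accumulated bytes. Zero-length CONTINUATION frames add nothing to that total yet each one costs a frame parse, so the size guard never fires. The second guard, a cap on the number of CONTINUATION frames per block, closes the gap.

```python
HEADERS, CONTINUATION = 0x1, 0x9   # frame types, RFC 9113 6.2 and 6.10
END_HEADERS = 0x4                  # flag that closes a header block


class ProtocolError(Exception):
    """The connection should be torn down with GOAWAY."""


class HeaderBlockAssembler:
    """Reassembles a header block from HEADERS + CONTINUATION frames.

    Added model, not Netty code. max_header_block_bytes is the usual
    size-based guard; max_continuation_frames (None = no limit, the pre-fix
    state) caps how many frames one block may span.
    """

    def __init__(self, max_header_block_bytes=8192, max_continuation_frames=None):
        self.max_header_block_bytes = max_header_block_bytes
        self.max_continuation_frames = max_continuation_frames
        self.block = None           # bytearray while a block is open, else None
        self.continuations = 0

    def on_frame(self, ftype, flags, payload):
        """Feed one frame; return the complete header block or None."""
        if ftype == HEADERS:
            if self.block is not None:
                raise ProtocolError("HEADERS while a header block is open")
            self.block, self.continuations = bytearray(), 0
        elif ftype == CONTINUATION:
            if self.block is None:
                raise ProtocolError("CONTINUATION without a preceding HEADERS")
            self.continuations += 1
            if (self.max_continuation_frames is not None
                    and self.continuations > self.max_continuation_frames):
                raise ProtocolError("too many CONTINUATION frames for one header block")
        else:
            if self.block is not None:
                raise ProtocolError("header block interrupted by another frame type")
            return None             # unrelated frame, nothing to assemble
        self.block += payload
        if len(self.block) > self.max_header_block_bytes:
            raise ProtocolError("header block too large")
        if flags & END_HEADERS:
            done, self.block = bytes(self.block), None
            return done
        return None


def run(frames, max_continuation_frames=None):
    """Feed a frame list; report whether it got through and after how many frames."""
    asm = HeaderBlockAssembler(max_continuation_frames=max_continuation_frames)
    for i, (ftype, flags, payload) in enumerate(frames):
        try:
            asm.on_frame(ftype, flags, payload)
        except ProtocolError:
            return "rejected", i
    return "accepted", len(frames)


def continuation_flood(n):
    """Constructed attack: one tiny HEADERS without END_HEADERS, then n empty CONTINUATIONs."""
    return [(HEADERS, 0, b"\x82")] + [(CONTINUATION, 0, b"")] * n


def legitimate_split_block():
    """Normal use: an HPACK block (indexed fields) split over two frames."""
    return [(HEADERS, 0, b"\x82\x87"), (CONTINUATION, END_HEADERS, b"\x84")]


if __name__ == "__main__":
    print(run(continuation_flood(10000)))        # ('accepted', 10001): size guard never fires
    print(run(continuation_flood(10000), 16))    # ('rejected', 17): frame-count guard fires
    print(run(legitimate_split_block(), 16))     # ('accepted', 2)
```

A small count cap is safe in practice because a header block of a few kilobytes rarely needs more than a handful of frames; what matters is that the bound is on work done, not on bytes received.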

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
netty netty *