Latest netty netty Vulnerabilities

CVE-2023-44487
- Rapid Reset HTTP/2 vulnerability
Microsoft Windows 11=21H2
Microsoft Windows 11=21H2
Microsoft Windows Server 2022
Microsoft Windows Server 2022
Microsoft Windows 11=22H2
Microsoft Windows 11=22H2
and 553 more
CVE-2023-4586
Hotrod-client: hot rod client does not enable hostname validation when using tls that lead to a mitm attack
Redhat Data Grid=8.0.0
Infinispan Hot Rod
Netty Netty>=4.1.0<5.0.0
Netty Netty>=4.1.0<=4.1.99
CVE-2023-34462
netty-handler SniHandler 16MB allocation
Netty Netty<4.1.94
maven/io.netty:netty-handler<4.1.94.Final
redhat/netty<4.1.94.
debian/netty<=1:4.1.48-4+deb11u1
CVE-2022-41915
Netty is vulnerable to HTTP response splitting attacks, caused by a flaw when calling DefaultHttpHeaders.set with an iterator of values. A remote attacker could exploit this vulnerability to inject ar...
IBM Disconnected Log Collector<=v1.0 - v1.8.2
Netty Netty>=4.1.83<4.1.86
Debian Debian Linux=10.0
Debian Debian Linux=11.0
debian/netty<=1:4.1.33-1+deb10u2
ubuntu/netty<1:4.1.48-5ubuntu0.1
and 4 more
CVE-2022-41881
Netty is vulnerable to a denial of service, caused by a StackOverflowError in HAProxyMessageDecoder. By sending a specially-crafted message, a remote attacker could exploit this vulnerability to cause...
IBM Disconnected Log Collector<=v1.0 - v1.8.2
<4.1.86
=10.0
=11.0
Netty Netty<4.1.86
Debian Debian Linux=10.0
and 13 more
CVE-2022-24823
Netty could allow a local authenticated attacker to obtain sensitive information, caused by a flaw when temporary storing uploads on the disk is enabled. By gaining access to the local system temporar...
IBM Disconnected Log Collector<=v1.0 - v1.8.2
Netty Netty<4.1.77
Oracle Financial Services Crime And Compliance Management Studio=8.0.8.2.0
Oracle Financial Services Crime And Compliance Management Studio=8.0.8.3.0
Netapp Active Iq Unified Manager
Apple watchOS
and 189 more
CVE-2021-43797
### Impact Netty currently just skips control chars when these are present at the beginning / end of the header name. We should better fail fast as these are not allowed by the spec and could lead to...
redhat/eap7-netty<0:4.1.72-4.Final_redhat_00001.1.el8ea
redhat/eap7-netty<0:4.1.72-4.Final_redhat_00001.1.el7ea
redhat/candlepin<0:4.1.13-1.el7
redhat/candlepin<0:4.1.13-1.el8
redhat/rh-sso7-keycloak<0:15.0.8-1.redhat_00001.1.el7
redhat/rh-sso7-keycloak<0:15.0.8-1.redhat_00001.1.el8
and 60 more
CVE-2021-37136
### Impact The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). All users o...
maven/io.netty:netty<4.0.0
maven/org.jboss.netty:netty<4.0.0
maven/io.netty:netty-codec<4.1.68.Final
Netty Netty<4.1.68
Quarkus Quarkus<2.2.4
Oracle Banking Apis>=18.1<=18.3
and 44 more
CVE-2021-37137
### Impact The Snappy frame decoder function doesn't restrict the chunk length which may lead to excessive memory usage. Beside this it also may buffer reserved skippable chunks until the whole chunk ...
redhat/eap7-netty<0:4.1.72-4.Final_redhat_00001.1.el8ea
redhat/eap7-netty<0:4.1.72-4.Final_redhat_00001.1.el7ea
redhat/candlepin<0:4.1.15-1.el8
maven/io.netty:netty<4.0.0
maven/org.jboss.netty:netty<4.0.0
maven/io.netty:netty-codec>=4.0.0<4.1.68.Final
and 61 more
CVE-2021-21409
### Impact The content-length header is not correctly validated if the request only use a single Http2HeaderFrame with the endStream set to to true. This could lead to request smuggling if the request...
maven/io.netty:netty<4.0.0
maven/org.jboss.netty:netty<4.0.0
maven/io.netty:netty-codec-http2>=4.0.0<4.1.61.Final
redhat/qpid-proton<0:0.33.0-6.el7_9
redhat/qpid-proton<0:0.33.0-8.el8
redhat/eap7-elytron-web<0:1.6.3-1.Final_redhat_00001.1.el6ea
and 75 more
CVE-2021-21295
### Impact If a Content-Length header is present in the original HTTP/2 request, the field is not validated by `Http2MultiplexHandler` as it is propagated up. This is fine as long as the request is n...
maven/io.netty:netty<4.0.0
maven/org.jboss.netty:netty<4.0.0
maven/io.netty:netty-codec-http2>=4.0.0<4.1.60.Final
redhat/qpid-proton<0:0.33.0-6.el7_9
redhat/qpid-proton<0:0.33.0-8.el8
redhat/eap7-artemis-wildfly-integration<0:1.0.4-1.redhat_00001.1.el6ea
and 78 more
CVE-2021-21290
### Impact When netty's multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled. The CVSSv3.1 ...
maven/io.netty:netty<4.0.0
maven/org.jboss.netty:netty<4.0.0
maven/io.netty:netty-codec-http>=4.0.0<4.1.59.Final
redhat/qpid-proton<0:0.33.0-6.el7_9
redhat/qpid-proton<0:0.33.0-8.el8
redhat/eap7-artemis-wildfly-integration<0:1.0.4-1.redhat_00001.1.el6ea
and 91 more
CVE-2020-11612
The ZlibDecoders in Netty 4.1.x before 4.1.46 allow for unbounded memory allocation while decoding a ZlibEncoded byte stream. An attacker could send a large ZlibEncoded byte stream to the Netty server...
redhat/qpid-cpp<0:1.36.0-30.el6_10a
redhat/qpid-proton<0:0.31.0-3.el6_10
redhat/qpid-cpp<0:1.36.0-30.el7a
redhat/qpid-proton<0:0.31.0-3.el7
redhat/nodejs-rhea<0:1.0.21-1.el8
redhat/qpid-cpp<0:1.39.0-5.el8a
and 72 more
CVE-2019-20444
HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax, or might be interpreted as an "invalid...
maven/io.netty:netty<4.0.0
maven/org.jboss.netty:netty<4.0.0
maven/io.netty:netty-codec-http>=4.0.0<4.1.44
redhat/qpid-proton<0:0.30.0-4.el6_10
redhat/qpid-proton<0:0.30.0-2.el7
redhat/nodejs-rhea<0:1.0.16-1.el8
and 100 more
CVE-2019-20445
HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding header.
maven/io.netty:netty<4.0.0
maven/org.jboss.netty:netty<4.0.0
maven/io.netty:netty-handler>=4.0.0<4.1.45
redhat/qpid-proton<0:0.30.0-4.el6_10
redhat/qpid-proton<0:0.30.0-2.el7
redhat/nodejs-rhea<0:1.0.16-1.el8
and 102 more
CVE-2020-7238
Netty 4.1.43.Final allows HTTP Request Smuggling because it mishandles Transfer-Encoding whitespace (such as a [space]Transfer-Encoding:chunked line) and a later Content-Length header. This issue exis...
redhat/qpid-proton<0:0.30.0-4.el6_10
redhat/qpid-proton<0:0.30.0-2.el7
redhat/nodejs-rhea<0:1.0.16-1.el8
redhat/qpid-proton<0:0.30.0-3.el8
redhat/eap7-netty<0:4.1.45-1.Final_redhat_00001.1.el6ea
redhat/eap7-activemq-artemis<0:2.9.0-2.redhat_00009.1.el6ea
and 366 more
CVE-2019-16869
Netty before 4.1.42.Final mishandles whitespace before the colon in HTTP headers (such as a "Transfer-Encoding : chunked" line), which leads to HTTP request smuggling.
maven/io.netty:netty-all<4.1.42.Final
maven/org.jboss.netty:netty<4.0.0
debian/netty<=1:4.1.33-1<=1:4.1.7-2
redhat/eap7-apache-cxf<0:3.2.11-1.redhat_00001.1.el6ea
redhat/eap7-glassfish-jsf<0:2.3.5-6.SP3_redhat_00004.1.el6ea
redhat/eap7-hal-console<0:3.0.19-1.Final_redhat_00001.1.el6ea
and 94 more

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2024 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203