Product:

Netty

(Netty)
Repositories https://github.com/netty/netty
#Vulnerabilities 21
Date Id Summary Products Score Patch Annotated
2021-12-09 CVE-2021-43797 Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Netty prior to version 4.1.71.Final skips control chars when they are present at the beginning / end of the header name. It should instead fail fast as these are not allowed by the spec and could lead to HTTP request smuggling. Failing to do the validation might cause netty to "sanitize" header names before it forward these to another remote... Debian_linux, Oncommand_workflow_automation, Snapcenter, Netty, Banking_deposits_and_lines_of_credit_servicing, Banking_party_management, Banking_platform, Coherence, Communications_cloud_native_core_binding_support_function, Communications_cloud_native_core_network_slice_selection_function, Communications_cloud_native_core_policy, Communications_cloud_native_core_security_edge_protection_proxy, Communications_cloud_native_core_unified_data_repository, Communications_design_studio, Communications_instant_messaging_server, Helidon, Peoplesoft_enterprise_peopletools, Quarkus 6.5
2022-05-06 CVE-2022-24823 Netty is an open-source, asynchronous event-driven network application framework. The package `io.netty:netty-codec-http` prior to version 4.1.77.Final contains an insufficient fix for CVE-2021-21290. When Netty's multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled. This only impacts applications running on Java version 6 and lower. Additionally, this vulnerability impacts code running... Active_iq_unified_manager, Oncommand_workflow_automation, Snapcenter, Netty, Financial_services_crime_and_compliance_management_studio 5.5
2022-12-12 CVE-2022-41881 Netty project is an event-driven asynchronous network application framework. In versions prior to 4.1.86.Final, a StackOverflowError can be raised when parsing a malformed crafted message due to an infinite recursion. This issue is patched in version 4.1.86.Final. There is no workaround, except using a custom HaProxyMessageDecoder. Debian_linux, Netty 7.5
2022-12-13 CVE-2022-41915 Netty project is an event-driven asynchronous network application framework. Starting in version 4.1.83.Final and prior to 4.1.86.Final, when calling `DefaultHttpHeadesr.set` with an _iterator_ of values, header value validation was not performed, allowing malicious header values in the iterator to perform HTTP Response Splitting. This issue has been patched in version 4.1.86.Final. Integrators can work around the issue by changing the `DefaultHttpHeaders.set(CharSequence, Iterator<?>)`... Debian_linux, Netty 6.5
2023-06-22 CVE-2023-34462 Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. The `SniHandler` can allocate up to 16MB of heap for each channel during the TLS handshake. When the handler or the channel does not have an idle timeout, it can be used to make a TCP server using the `SniHandler` to allocate 16MB of heap. The `SniHandler` class is a handler that waits for the TLS handshake to configure a `SslHandler`... Netty 6.5
2017-04-13 CVE-2016-4970 handler/ssl/OpenSslEngine.java in Netty 4.0.x before 4.0.37.Final and 4.1.x before 4.1.1.Final allows remote attackers to cause a denial of service (infinite loop). Cassandra, Netty, Jboss_data_grid, Jboss_middleware_text\-Only_advisories 7.5
2017-10-18 CVE-2015-2156 Netty before 3.9.8.Final, 3.10.x before 3.10.3.Final, 4.0.x before 4.0.28.Final, and 4.1.x before 4.1.0.Beta5 and Play Framework 2.x before 2.3.9 might allow remote attackers to bypass the httpOnly flag on cookies and obtain sensitive information by leveraging improper validation of cookie name and value characters. Play_framework, Netty, Play_framework 7.5
2020-01-29 CVE-2019-20445 HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding header. Spark, Ubuntu_linux, Debian_linux, Fedora, Netty, Jboss_amq_clients, Jboss_enterprise_application_platform 9.1
2020-04-07 CVE-2020-11612 The ZlibDecoders in Netty 4.1.x before 4.1.46 allow for unbounded memory allocation while decoding a ZlibEncoded byte stream. An attacker could send a large ZlibEncoded byte stream to the Netty server, forcing the server to allocate all of its free memory to a single decoder. Debian_linux, Fedora, Oncommand_api_services, Oncommand_insight, Oncommand_workflow_automation, Netty, Communications_brm_\-_elastic_charging_engine, Communications_cloud_native_core_service_communication_proxy, Communications_design_studio, Communications_messaging_server, Nosql_database, Siebel_core_\-_server_framework, Webcenter_portal 7.5
2014-05-06 CVE-2014-0193 WebSocket08FrameDecoder in Netty 3.6.x before 3.6.9, 3.7.x before 3.7.1, 3.8.x before 3.8.2, 3.9.x before 3.9.1, and 4.0.x before 4.0.19 allows remote attackers to cause a denial of service (memory consumption) via a TextWebSocketFrame followed by a long stream of ContinuationWebSocketFrames. Netty N/A