Skip to content

netty-all-4.1.60.Final.jar: 3 vulnerabilities (highest severity is: 7.4) #4

Open
Open
netty-all-4.1.60.Final.jar: 3 vulnerabilities (highest severity is: 7.4)#4
Labels
Mend: dependency security vulnerabilitySecurity vulnerability detected by Mend
@dev-mend-for-github-com

Description

@dev-mend-for-github-com
dev-mend-for-github-com
bot
opened on Jun 25, 2023
Vulnerable Library - netty-all-4.1.60.Final.jar

Library home page: https://netty.io/

Found in HEAD commit: 5437b2e1b38e4a7c4e15e85b48970db0be44a7fd

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (netty-all version) Remediation Possible**
WS-2020-0408 High 7.4 netty-all-4.1.60.Final.jar Direct 4.1.69.Final
CVE-2021-43797 Medium 6.5 netty-all-4.1.60.Final.jar Direct 4.1.71.Final
CVE-2021-21409 Medium 5.9 netty-all-4.1.60.Final.jar Direct 4.1.61.Final

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

WS-2020-0408

Vulnerable Library - netty-all-4.1.60.Final.jar

Library home page: https://netty.io/

Dependency Hierarchy:

  • netty-all-4.1.60.Final.jar (Vulnerable Library)

Found in HEAD commit: 5437b2e1b38e4a7c4e15e85b48970db0be44a7fd

Found in base branch: main

Vulnerability Details

An issue was found in all versions of io.netty:netty-all. Host verification in Netty is disabled by default. This can lead to MITM attack in which an attacker can forge valid SSL/TLS certificates for a different hostname in order to intercept traffic that doesn’t intend for him. This is an issue because the certificate is not matched with the host.

Publish Date: 2020-06-22

URL: WS-2020-0408

CVSS 3 Score Details (7.4)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/WS-2020-0408

Release Date: 2020-06-22

Fix Resolution: 4.1.69.Final

CVE-2021-43797

Vulnerable Library - netty-all-4.1.60.Final.jar

Library home page: https://netty.io/

Dependency Hierarchy:

  • netty-all-4.1.60.Final.jar (Vulnerable Library)

Found in HEAD commit: 5437b2e1b38e4a7c4e15e85b48970db0be44a7fd

Found in base branch: main

Vulnerability Details

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Netty prior to version 4.1.71.Final skips control chars when they are present at the beginning / end of the header name. It should instead fail fast as these are not allowed by the spec and could lead to HTTP request smuggling. Failing to do the validation might cause netty to "sanitize" header names before it forward these to another remote system when used as proxy. This remote system can't see the invalid usage anymore, and therefore does not do the validation itself. Users should upgrade to version 4.1.71.Final.
Mend Note: After conducting further research, Mend has determined that all versions of netty up to version 4.1.71.Final are vulnerable to CVE-2021-43797.

Publish Date: 2021-12-09

URL: CVE-2021-43797

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: CVE-2021-43797

Release Date: 2021-12-09

Fix Resolution: 4.1.71.Final

CVE-2021-21409

Vulnerable Library - netty-all-4.1.60.Final.jar

Library home page: https://netty.io/

Dependency Hierarchy:

  • netty-all-4.1.60.Final.jar (Vulnerable Library)

Found in HEAD commit: 5437b2e1b38e4a7c4e15e85b48970db0be44a7fd

Found in base branch: main

Vulnerability Details

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with the endStream set to to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a followup of GHSA-wm47-8v5p-wjpj/CVE-2021-21295 which did miss to fix this one case. This was fixed as part of 4.1.61.Final.

Publish Date: 2021-03-30

URL: CVE-2021-21409

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-f256-j965-7f32

Release Date: 2021-03-30

Fix Resolution: 4.1.61.Final

Metadata

Metadata

Assignees

No one assigned

    Labels

    Mend: dependency security vulnerabilitySecurity vulnerability detected by Mend

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions