rpm package
opensuse/netty&distro=openSUSE Tumbleweed
pkg:rpm/opensuse/netty&distro=openSUSE%20Tumbleweed
Vulnerabilities (53)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-29025 | Med | 5.3 | < 4.1.114-1.1 | 4.1.114-1.1 | Mar 25, 2024 | Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. The `HttpPostRequestDecoder` can be tricked to accumulate data. While the decoder can store items on the disk if configured so, t | |
| CVE-2023-44487 | Hig | 7.5 | KEV | < 4.1.114-1.1 | 4.1.114-1.1 | Oct 10, 2023 | The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. |
| CVE-2023-34462 | Med | 6.5 | < 4.1.114-1.1 | 4.1.114-1.1 | Jun 22, 2023 | Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. The `SniHandler` can allocate up to 16MB of heap for each channel during the TLS handshake. When the handler or the channel does | |
| CVE-2022-41915 | Med | 6.5 | < 4.1.114-1.1 | 4.1.114-1.1 | Dec 13, 2022 | Netty project is an event-driven asynchronous network application framework. Starting in version 4.1.83.Final and prior to 4.1.86.Final, when calling `DefaultHttpHeadesr.set` with an _iterator_ of values, header value validation was not performed, allowing malicious header values | |
| CVE-2022-41881 | Med | 5.3 | < 4.1.114-1.1 | 4.1.114-1.1 | Dec 12, 2022 | Netty project is an event-driven asynchronous network application framework. In versions prior to 4.1.86.Final, a StackOverflowError can be raised when parsing a malformed crafted message due to an infinite recursion. This issue is patched in version 4.1.86.Final. There is no wor | |
| CVE-2022-24823 | Med | 5.5 | < 4.1.114-1.1 | 4.1.114-1.1 | May 6, 2022 | Netty is an open-source, asynchronous event-driven network application framework. The package `io.netty:netty-codec-http` prior to version 4.1.77.Final contains an insufficient fix for CVE-2021-21290. When Netty's multipart decoders are used local information disclosure can occur | |
| CVE-2021-43797 | Med | 6.5 | < 4.1.72-1.1 | 4.1.72-1.1 | Dec 9, 2021 | Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Netty prior to version 4.1.71.Final skips control chars when they are present at the beginning / end of the header name. It shoul | |
| CVE-2021-37137 | Hig | 7.5 | < 4.1.114-1.1 | 4.1.114-1.1 | Oct 19, 2021 | The Snappy frame decoder function doesn't restrict the chunk length which may lead to excessive memory usage. Beside this it also may buffer reserved skippable chunks until the whole chunk was received which may lead to excessive memory usage as well. This vulnerability can be tr | |
| CVE-2021-37136 | Hig | 7.5 | < 4.1.114-1.1 | 4.1.114-1.1 | Oct 19, 2021 | The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are affected. The malicious input can trigger an OOME and so a DoS attack | |
| CVE-2021-21409 | Med | 5.9 | < 4.1.114-1.1 | 4.1.114-1.1 | Mar 30, 2021 | Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smug | |
| CVE-2021-21295 | Med | 5.9 | < 4.1.60-1.4 | 4.1.60-1.4 | Mar 9, 2021 | Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.60.Final there is a vulnerability that enables request smug | |
| CVE-2021-21290 | Med | 6.2 | < 4.1.60-1.4 | 4.1.60-1.4 | Feb 8, 2021 | Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty before version 4.1.59.Final there is a vulnerability on Unix-like systems involving an insecure temp file. | |
| CVE-2020-11612 | Hig | 7.5 | < 4.1.60-1.4 | 4.1.60-1.4 | Apr 7, 2020 | The ZlibDecoders in Netty 4.1.x before 4.1.46 allow for unbounded memory allocation while decoding a ZlibEncoded byte stream. An attacker could send a large ZlibEncoded byte stream to the Netty server, forcing the server to allocate all of its free memory to a single decoder. |
- affected < 4.1.114-1.1fixed 4.1.114-1.1
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. The `HttpPostRequestDecoder` can be tricked to accumulate data. While the decoder can store items on the disk if configured so, t
- affected < 4.1.114-1.1fixed 4.1.114-1.1
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
- affected < 4.1.114-1.1fixed 4.1.114-1.1
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. The `SniHandler` can allocate up to 16MB of heap for each channel during the TLS handshake. When the handler or the channel does
- affected < 4.1.114-1.1fixed 4.1.114-1.1
Netty project is an event-driven asynchronous network application framework. Starting in version 4.1.83.Final and prior to 4.1.86.Final, when calling `DefaultHttpHeadesr.set` with an _iterator_ of values, header value validation was not performed, allowing malicious header values
- affected < 4.1.114-1.1fixed 4.1.114-1.1
Netty project is an event-driven asynchronous network application framework. In versions prior to 4.1.86.Final, a StackOverflowError can be raised when parsing a malformed crafted message due to an infinite recursion. This issue is patched in version 4.1.86.Final. There is no wor
- affected < 4.1.114-1.1fixed 4.1.114-1.1
Netty is an open-source, asynchronous event-driven network application framework. The package `io.netty:netty-codec-http` prior to version 4.1.77.Final contains an insufficient fix for CVE-2021-21290. When Netty's multipart decoders are used local information disclosure can occur
- affected < 4.1.72-1.1fixed 4.1.72-1.1
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Netty prior to version 4.1.71.Final skips control chars when they are present at the beginning / end of the header name. It shoul
- affected < 4.1.114-1.1fixed 4.1.114-1.1
The Snappy frame decoder function doesn't restrict the chunk length which may lead to excessive memory usage. Beside this it also may buffer reserved skippable chunks until the whole chunk was received which may lead to excessive memory usage as well. This vulnerability can be tr
- affected < 4.1.114-1.1fixed 4.1.114-1.1
The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are affected. The malicious input can trigger an OOME and so a DoS attack
- affected < 4.1.114-1.1fixed 4.1.114-1.1
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smug
- affected < 4.1.60-1.4fixed 4.1.60-1.4
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.60.Final there is a vulnerability that enables request smug
- affected < 4.1.60-1.4fixed 4.1.60-1.4
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty before version 4.1.59.Final there is a vulnerability on Unix-like systems involving an insecure temp file.
- affected < 4.1.60-1.4fixed 4.1.60-1.4
The ZlibDecoders in Netty 4.1.x before 4.1.46 allow for unbounded memory allocation while decoding a ZlibEncoded byte stream. An attacker could send a large ZlibEncoded byte stream to the Netty server, forcing the server to allocate all of its free memory to a single decoder.
Page 3 of 3