Action not permitted
Modal body text goes here.
Modal Title
Modal Body
wid-sec-w-2025-1459
Vulnerability from csaf_certbund
Published
2025-07-03 22:00
Modified
2025-07-03 22:00
Summary
Dell Data Protection Advisor: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
Data Protection Advisor ist eine Monitoring Lösung. Der Collector ist der lokale Agent.
Angriff
Ein Angreifer kann mehrere Schwachstellen in Dell Data Protection Advisor ausnutzen, um beliebigen Programmcode auszuführen, um einen Denial of Service Angriff durchzuführen, und um weitere nicht näher spezifizierte Angriffe durchzuführen.
Betroffene Betriebssysteme
- Linux
- Sonstiges
- UNIX
- Windows
{
"document": {
"aggregate_severity": {
"text": "hoch"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "Data Protection Advisor ist eine Monitoring L\u00f6sung. Der Collector ist der lokale Agent.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein Angreifer kann mehrere Schwachstellen in Dell Data Protection Advisor ausnutzen, um beliebigen Programmcode auszuf\u00fchren, um einen Denial of Service Angriff durchzuf\u00fchren, und um weitere nicht n\u00e4her spezifizierte Angriffe durchzuf\u00fchren.",
"title": "Angriff"
},
{
"category": "general",
"text": "- Linux\n- Sonstiges\n- UNIX\n- Windows",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2025-1459 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2025/wid-sec-w-2025-1459.json"
},
{
"category": "self",
"summary": "WID-SEC-2025-1459 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2025-1459"
},
{
"category": "external",
"summary": "Dell Security Advisory DSA-2025-276 vom 2025-07-03",
"url": "https://www.dell.com/support/kbdoc/000340538"
}
],
"source_lang": "en-US",
"title": "Dell Data Protection Advisor: Mehrere Schwachstellen",
"tracking": {
"current_release_date": "2025-07-03T22:00:00.000+00:00",
"generator": {
"date": "2025-07-04T08:09:43.042+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.4.0"
}
},
"id": "WID-SEC-W-2025-1459",
"initial_release_date": "2025-07-03T22:00:00.000+00:00",
"revision_history": [
{
"date": "2025-07-03T22:00:00.000+00:00",
"number": "1",
"summary": "Initiale Fassung"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c19.12 SP 1",
"product": {
"name": "Dell Data Protection Advisor \u003c19.12 SP 1",
"product_id": "T045044"
}
},
{
"category": "product_version",
"name": "19.12 SP 1",
"product": {
"name": "Dell Data Protection Advisor 19.12 SP 1",
"product_id": "T045044-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:dell:data_protection_advisor:19.12_sp_1"
}
}
}
],
"category": "product_name",
"name": "Data Protection Advisor"
}
],
"category": "vendor",
"name": "Dell"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2013-0340",
"product_status": {
"known_affected": [
"T045044"
]
},
"release_date": "2025-07-03T22:00:00.000+00:00",
"title": "CVE-2013-0340"
},
{
"cve": "CVE-2013-1624",
"product_status": {
"known_affected": [
"T045044"
]
},
"release_date": "2025-07-03T22:00:00.000+00:00",
"title": "CVE-2013-1624"
},
{
"cve": "CVE-2014-3577",
"product_status": {
"known_affected": [
"T045044"
]
},
"release_date": "2025-07-03T22:00:00.000+00:00",
"title": "CVE-2014-3577"
},
{
"cve": "CVE-2015-3193",
"product_status": {
"known_affected": [
"T045044"
]
},
"release_date": "2025-07-03T22:00:00.000+00:00",
"title": "CVE-2015-3193"
},
{
"cve": "CVE-2015-3194",
"product_status": {
"known_affected": [
"T045044"
]
},
"release_date": "2025-07-03T22:00:00.000+00:00",
"title": "CVE-2015-3194"
},
{
"cve": "CVE-2015-5262",
"product_status": {
"known_affected": [
"T045044"
]
},
"release_date": "2025-07-03T22:00:00.000+00:00",
"title": "CVE-2015-5262"
},
{
"cve": "CVE-2016-0705",
"product_status": {
"known_affected": [
"T045044"
]
},
"release_date": "2025-07-03T22:00:00.000+00:00",
"title": "CVE-2016-0705"
},
{
"cve": "CVE-2016-0797",
"product_status": {
"known_affected": [
"T045044"
]
},
"release_date": "2025-07-03T22:00:00.000+00:00",
"title": "CVE-2016-0797"
},
{
"cve": "CVE-2016-0798",
"product_status": {
"known_affected": [
"T045044"
]
},
"release_date": "2025-07-03T22:00:00.000+00:00",
"title": "CVE-2016-0798"
},
{
"cve": "CVE-2016-0799",
"product_status": {
"known_affected": [
"T045044"
]
},
"release_date": "2025-07-03T22:00:00.000+00:00",
"title": "CVE-2016-0799"
},
{
"cve": "CVE-2016-2842",
"product_status": {
"known_affected": [
"T045044"
]
},
"release_date": "2025-07-03T22:00:00.000+00:00",
"title": "CVE-2016-2842"
},
{
"cve": "CVE-2016-6306",
"product_status": {
"known_affected": [
"T045044"
]
},
"release_date": "2025-07-03T22:00:00.000+00:00",
"title": "CVE-2016-6306"
},
{
"cve": "CVE-2017-3731",
"product_status": {
"known_affected": [
"T045044"
]
},
"release_date": "2025-07-03T22:00:00.000+00:00",
"title": "CVE-2017-3731"
},
{
"cve": "CVE-2017-3732",
"product_status": {
"known_affected": [
"T045044"
]
},
"release_date": "2025-07-03T22:00:00.000+00:00",
"title": "CVE-2017-3732"
},
{
"cve": "CVE-2018-5968",
"product_status": {
"known_affected": [
"T045044"
]
},
"release_date": "2025-07-03T22:00:00.000+00:00",
"title": "CVE-2018-5968"
},
{
"cve": "CVE-2018-7489",
"product_status": {
"known_affected": [
"T045044"
]
},
"release_date": "2025-07-03T22:00:00.000+00:00",
"title": "CVE-2018-7489"
},
{
"cve": "CVE-2019-16869",
"product_status": {
"known_affected": [
"T045044"
]
},
"release_date": "2025-07-03T22:00:00.000+00:00",
"title": "CVE-2019-16869"
},
{
"cve": "CVE-2019-20444",
"product_status": {
"known_affected": [
"T045044"
]
},
"release_date": "2025-07-03T22:00:00.000+00:00",
"title": "CVE-2019-20444"
},
{
"cve": "CVE-2019-20445",
"product_status": {
"known_affected": [
"T045044"
]
},
"release_date": "2025-07-03T22:00:00.000+00:00",
"title": "CVE-2019-20445"
},
{
"cve": "CVE-2020-10683",
"product_status": {
"known_affected": [
"T045044"
]
},
"release_date": "2025-07-03T22:00:00.000+00:00",
"title": "CVE-2020-10683"
},
{
"cve": "CVE-2020-11023",
"product_status": {
"known_affected": [
"T045044"
]
},
"release_date": "2025-07-03T22:00:00.000+00:00",
"title": "CVE-2020-11023"
},
{
"cve": "CVE-2020-11612",
"product_status": {
"known_affected": [
"T045044"
]
},
"release_date": "2025-07-03T22:00:00.000+00:00",
"title": "CVE-2020-11612"
},
{
"cve": "CVE-2020-25649",
"product_status": {
"known_affected": [
"T045044"
]
},
"release_date": "2025-07-03T22:00:00.000+00:00",
"title": "CVE-2020-25649"
},
{
"cve": "CVE-2020-36518",
"product_status": {
"known_affected": [
"T045044"
]
},
"release_date": "2025-07-03T22:00:00.000+00:00",
"title": "CVE-2020-36518"
},
{
"cve": "CVE-2021-21290",
"product_status": {
"known_affected": [
"T045044"
]
},
"release_date": "2025-07-03T22:00:00.000+00:00",
"title": "CVE-2021-21290"
},
{
"cve": "CVE-2021-21295",
"product_status": {
"known_affected": [
"T045044"
]
},
"release_date": "2025-07-03T22:00:00.000+00:00",
"title": "CVE-2021-21295"
},
{
"cve": "CVE-2021-21409",
"product_status": {
"known_affected": [
"T045044"
]
},
"release_date": "2025-07-03T22:00:00.000+00:00",
"title": "CVE-2021-21409"
},
{
"cve": "CVE-2021-22696",
"product_status": {
"known_affected": [
"T045044"
]
},
"release_date": "2025-07-03T22:00:00.000+00:00",
"title": "CVE-2021-22696"
},
{
"cve": "CVE-2021-30468",
"product_status": {
"known_affected": [
"T045044"
]
},
"release_date": "2025-07-03T22:00:00.000+00:00",
"title": "CVE-2021-30468"
},
{
"cve": "CVE-2021-3597",
"product_status": {
"known_affected": [
"T045044"
]
},
"release_date": "2025-07-03T22:00:00.000+00:00",
"title": "CVE-2021-3597"
},
{
"cve": "CVE-2021-3629",
"product_status": {
"known_affected": [
"T045044"
]
},
"release_date": "2025-07-03T22:00:00.000+00:00",
"title": "CVE-2021-3629"
},
{
"cve": "CVE-2021-3690",
"product_status": {
"known_affected": [
"T045044"
]
},
"release_date": "2025-07-03T22:00:00.000+00:00",
"title": "CVE-2021-3690"
},
{
"cve": "CVE-2021-3711",
"product_status": {
"known_affected": [
"T045044"
]
},
"release_date": "2025-07-03T22:00:00.000+00:00",
"title": "CVE-2021-3711"
},
{
"cve": "CVE-2021-37136",
"product_status": {
"known_affected": [
"T045044"
]
},
"release_date": "2025-07-03T22:00:00.000+00:00",
"title": "CVE-2021-37136"
},
{
"cve": "CVE-2021-37137",
"product_status": {
"known_affected": [
"T045044"
]
},
"release_date": "2025-07-03T22:00:00.000+00:00",
"title": "CVE-2021-37137"
},
{
"cve": "CVE-2021-3859",
"product_status": {
"known_affected": [
"T045044"
]
},
"release_date": "2025-07-03T22:00:00.000+00:00",
"title": "CVE-2021-3859"
},
{
"cve": "CVE-2021-40690",
"product_status": {
"known_affected": [
"T045044"
]
},
"release_date": "2025-07-03T22:00:00.000+00:00",
"title": "CVE-2021-40690"
},
{
"cve": "CVE-2021-43797",
"product_status": {
"known_affected": [
"T045044"
]
},
"release_date": "2025-07-03T22:00:00.000+00:00",
"title": "CVE-2021-43797"
},
{
"cve": "CVE-2021-46877",
"product_status": {
"known_affected": [
"T045044"
]
},
"release_date": "2025-07-03T22:00:00.000+00:00",
"title": "CVE-2021-46877"
},
{
"cve": "CVE-2022-1259",
"product_status": {
"known_affected": [
"T045044"
]
},
"release_date": "2025-07-03T22:00:00.000+00:00",
"title": "CVE-2022-1259"
},
{
"cve": "CVE-2022-1319",
"product_status": {
"known_affected": [
"T045044"
]
},
"release_date": "2025-07-03T22:00:00.000+00:00",
"title": "CVE-2022-1319"
},
{
"cve": "CVE-2022-2053",
"product_status": {
"known_affected": [
"T045044"
]
},
"release_date": "2025-07-03T22:00:00.000+00:00",
"title": "CVE-2022-2053"
},
{
"cve": "CVE-2022-24823",
"product_status": {
"known_affected": [
"T045044"
]
},
"release_date": "2025-07-03T22:00:00.000+00:00",
"title": "CVE-2022-24823"
},
{
"cve": "CVE-2022-2764",
"product_status": {
"known_affected": [
"T045044"
]
},
"release_date": "2025-07-03T22:00:00.000+00:00",
"title": "CVE-2022-2764"
},
{
"cve": "CVE-2022-40152",
"product_status": {
"known_affected": [
"T045044"
]
},
"release_date": "2025-07-03T22:00:00.000+00:00",
"title": "CVE-2022-40152"
},
{
"cve": "CVE-2022-41881",
"product_status": {
"known_affected": [
"T045044"
]
},
"release_date": "2025-07-03T22:00:00.000+00:00",
"title": "CVE-2022-41881"
},
{
"cve": "CVE-2022-42003",
"product_status": {
"known_affected": [
"T045044"
]
},
"release_date": "2025-07-03T22:00:00.000+00:00",
"title": "CVE-2022-42003"
},
{
"cve": "CVE-2022-42004",
"product_status": {
"known_affected": [
"T045044"
]
},
"release_date": "2025-07-03T22:00:00.000+00:00",
"title": "CVE-2022-42004"
},
{
"cve": "CVE-2022-46363",
"product_status": {
"known_affected": [
"T045044"
]
},
"release_date": "2025-07-03T22:00:00.000+00:00",
"title": "CVE-2022-46363"
},
{
"cve": "CVE-2022-46364",
"product_status": {
"known_affected": [
"T045044"
]
},
"release_date": "2025-07-03T22:00:00.000+00:00",
"title": "CVE-2022-46364"
},
{
"cve": "CVE-2022-46908",
"product_status": {
"known_affected": [
"T045044"
]
},
"release_date": "2025-07-03T22:00:00.000+00:00",
"title": "CVE-2022-46908"
},
{
"cve": "CVE-2023-0482",
"product_status": {
"known_affected": [
"T045044"
]
},
"release_date": "2025-07-03T22:00:00.000+00:00",
"title": "CVE-2023-0482"
},
{
"cve": "CVE-2023-1108",
"product_status": {
"known_affected": [
"T045044"
]
},
"release_date": "2025-07-03T22:00:00.000+00:00",
"title": "CVE-2023-1108"
},
{
"cve": "CVE-2023-3223",
"product_status": {
"known_affected": [
"T045044"
]
},
"release_date": "2025-07-03T22:00:00.000+00:00",
"title": "CVE-2023-3223"
},
{
"cve": "CVE-2023-34462",
"product_status": {
"known_affected": [
"T045044"
]
},
"release_date": "2025-07-03T22:00:00.000+00:00",
"title": "CVE-2023-34462"
},
{
"cve": "CVE-2023-44483",
"product_status": {
"known_affected": [
"T045044"
]
},
"release_date": "2025-07-03T22:00:00.000+00:00",
"title": "CVE-2023-44483"
},
{
"cve": "CVE-2024-1459",
"product_status": {
"known_affected": [
"T045044"
]
},
"release_date": "2025-07-03T22:00:00.000+00:00",
"title": "CVE-2024-1459"
}
]
}
CVE-2018-5968 (GCVE-0-2018-5968)
Vulnerability from cvelistv5
Published
2018-01-22 04:00
Modified
2024-08-05 05:47
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 and CVE-2017-17485 deserialization flaws. This is exploitable via two different gadgets that bypass a blacklist.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T05:47:56.169Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "RHSA-2018:0479",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2018:0479"
},
{
"name": "RHSA-2018:0481",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2018:0481"
},
{
"name": "RHSA-2018:1525",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2018:1525"
},
{
"name": "RHSA-2018:0480",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2018:0480"
},
{
"name": "DSA-4114",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2018/dsa-4114"
},
{
"name": "RHSA-2018:0478",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2018:0478"
},
{
"name": "RHSA-2019:2858",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2019:2858"
},
{
"name": "RHSA-2019:3149",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2019:3149"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbhf03902en_us"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20180423-0002/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/FasterXML/jackson-databind/issues/1899"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2018-01-21T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 and CVE-2017-17485 deserialization flaws. This is exploitable via two different gadgets that bypass a blacklist."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-10-20T21:14:54",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "RHSA-2018:0479",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2018:0479"
},
{
"name": "RHSA-2018:0481",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2018:0481"
},
{
"name": "RHSA-2018:1525",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2018:1525"
},
{
"name": "RHSA-2018:0480",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2018:0480"
},
{
"name": "DSA-4114",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2018/dsa-4114"
},
{
"name": "RHSA-2018:0478",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2018:0478"
},
{
"name": "RHSA-2019:2858",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2019:2858"
},
{
"name": "RHSA-2019:3149",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2019:3149"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbhf03902en_us"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20180423-0002/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/FasterXML/jackson-databind/issues/1899"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2018-5968",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 and CVE-2017-17485 deserialization flaws. This is exploitable via two different gadgets that bypass a blacklist."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "RHSA-2018:0479",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2018:0479"
},
{
"name": "RHSA-2018:0481",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2018:0481"
},
{
"name": "RHSA-2018:1525",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2018:1525"
},
{
"name": "RHSA-2018:0480",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2018:0480"
},
{
"name": "DSA-4114",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2018/dsa-4114"
},
{
"name": "RHSA-2018:0478",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2018:0478"
},
{
"name": "RHSA-2019:2858",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2019:2858"
},
{
"name": "RHSA-2019:3149",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2019:3149"
},
{
"name": "https://www.oracle.com/security-alerts/cpuoct2020.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
},
{
"name": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbhf03902en_us",
"refsource": "CONFIRM",
"url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbhf03902en_us"
},
{
"name": "https://security.netapp.com/advisory/ntap-20180423-0002/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20180423-0002/"
},
{
"name": "https://github.com/FasterXML/jackson-databind/issues/1899",
"refsource": "MISC",
"url": "https://github.com/FasterXML/jackson-databind/issues/1899"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-5968",
"datePublished": "2018-01-22T04:00:00",
"dateReserved": "2018-01-21T00:00:00",
"dateUpdated": "2024-08-05T05:47:56.169Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2016-6306 (GCVE-0-2016-6306)
Vulnerability from cvelistv5
Published
2016-09-26 00:00
Modified
2024-08-06 01:29
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
The certificate parser in OpenSSL before 1.0.1u and 1.0.2 before 1.0.2i might allow remote attackers to cause a denial of service (out-of-bounds read) via crafted certificate operations, related to s3_clnt.c and s3_srvr.c.
References
| ► | URL | Tags | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T01:29:18.287Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.tenable.com/security/tns-2016-20"
},
{
"name": "RHSA-2018:2185",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2018:2185"
},
{
"name": "RHSA-2018:2186",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2018:2186"
},
{
"name": "93153",
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/93153"
},
{
"name": "RHSA-2016:1940",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2016-1940.html"
},
{
"name": "GLSA-201612-16",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/201612-16"
},
{
"tags": [
"x_transferred"
],
"url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA40312"
},
{
"tags": [
"x_transferred"
],
"url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbhf03856en_us"
},
{
"name": "1036885",
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "http://www.securitytracker.com/id/1036885"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.tenable.com/security/tns-2016-16"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.tenable.com/security/tns-2016-21"
},
{
"tags": [
"x_transferred"
],
"url": "https://bto.bluecoat.com/security-advisory/sa132"
},
{
"name": "FreeBSD-SA-16:26",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://security.FreeBSD.org/advisories/FreeBSD-SA-16:26.openssl.asc"
},
{
"name": "SUSE-SU-2016:2470",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-10/msg00013.html"
},
{
"name": "RHSA-2018:2187",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2018:2187"
},
{
"tags": [
"x_transferred"
],
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05302448"
},
{
"tags": [
"x_transferred"
],
"url": "http://kb.juniper.net/InfoCenter/index?page=content\u0026id=JSA10759"
},
{
"tags": [
"x_transferred"
],
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10215"
},
{
"name": "SUSE-SU-2017:2700",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2017-10/msg00011.html"
},
{
"name": "USN-3087-1",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://www.ubuntu.com/usn/USN-3087-1"
},
{
"name": "SUSE-SU-2016:2469",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-10/msg00012.html"
},
{
"name": "openSUSE-SU-2016:2537",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-10/msg00029.html"
},
{
"name": "USN-3087-2",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://www.ubuntu.com/usn/USN-3087-2"
},
{
"name": "SUSE-SU-2017:2699",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2017-10/msg00010.html"
},
{
"name": "openSUSE-SU-2016:2407",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-09/msg00031.html"
},
{
"name": "20170717 Orion Elite Hidden IP Browser Pro - All Versions - Multiple Known Vulnerabilities",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "http://seclists.org/fulldisclosure/2017/Jul/31"
},
{
"name": "SUSE-SU-2016:2458",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-10/msg00005.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en\u0026docId=emr_na-hpesbhf03856en_us"
},
{
"name": "DSA-3673",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://www.debian.org/security/2016/dsa-3673"
},
{
"name": "openSUSE-SU-2016:2391",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-09/msg00023.html"
},
{
"name": "openSUSE-SU-2018:0458",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2018-02/msg00032.html"
},
{
"name": "SUSE-SU-2016:2387",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-09/msg00022.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-c05302448"
},
{
"tags": [
"x_transferred"
],
"url": "https://support.f5.com/csp/article/K90492697"
},
{
"name": "SUSE-SU-2016:2468",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-10/msg00011.html"
},
{
"name": "openSUSE-SU-2016:2496",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-10/msg00021.html"
},
{
"name": "SUSE-SU-2016:2394",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-09/msg00024.html"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20170322-01-openssl-en"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujul2020.html"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujan2020.html"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html"
},
{
"tags": [
"x_transferred"
],
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21995039"
},
{
"tags": [
"x_transferred"
],
"url": "https://nodejs.org/en/blog/vulnerability/september-2016-security-releases/"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.oracle.com/technetwork/topics/security/ovmbulletinoct2016-3090547.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.openssl.org/news/secadv/20160922.txt"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.openssl.org/?p=openssl.git%3Ba=commit%3Bh=52e623c4cb06fffa9d5e75c60b34b4bc130b12e9"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.arista.com/en/support/advisories-notices/security-advisories/1749-security-advisory-24"
},
{
"tags": [
"x_transferred"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-412672.pdf"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2016-09-22T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The certificate parser in OpenSSL before 1.0.1u and 1.0.2 before 1.0.2i might allow remote attackers to cause a denial of service (out-of-bounds read) via crafted certificate operations, related to s3_clnt.c and s3_srvr.c."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-12-13T00:00:00",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"url": "https://www.tenable.com/security/tns-2016-20"
},
{
"name": "RHSA-2018:2185",
"tags": [
"vendor-advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2018:2185"
},
{
"name": "RHSA-2018:2186",
"tags": [
"vendor-advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2018:2186"
},
{
"name": "93153",
"tags": [
"vdb-entry"
],
"url": "http://www.securityfocus.com/bid/93153"
},
{
"name": "RHSA-2016:1940",
"tags": [
"vendor-advisory"
],
"url": "http://rhn.redhat.com/errata/RHSA-2016-1940.html"
},
{
"name": "GLSA-201612-16",
"tags": [
"vendor-advisory"
],
"url": "https://security.gentoo.org/glsa/201612-16"
},
{
"url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA40312"
},
{
"url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbhf03856en_us"
},
{
"name": "1036885",
"tags": [
"vdb-entry"
],
"url": "http://www.securitytracker.com/id/1036885"
},
{
"url": "https://www.tenable.com/security/tns-2016-16"
},
{
"url": "https://www.tenable.com/security/tns-2016-21"
},
{
"url": "https://bto.bluecoat.com/security-advisory/sa132"
},
{
"name": "FreeBSD-SA-16:26",
"tags": [
"vendor-advisory"
],
"url": "https://security.FreeBSD.org/advisories/FreeBSD-SA-16:26.openssl.asc"
},
{
"name": "SUSE-SU-2016:2470",
"tags": [
"vendor-advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-10/msg00013.html"
},
{
"name": "RHSA-2018:2187",
"tags": [
"vendor-advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2018:2187"
},
{
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05302448"
},
{
"url": "http://kb.juniper.net/InfoCenter/index?page=content\u0026id=JSA10759"
},
{
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10215"
},
{
"name": "SUSE-SU-2017:2700",
"tags": [
"vendor-advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2017-10/msg00011.html"
},
{
"name": "USN-3087-1",
"tags": [
"vendor-advisory"
],
"url": "http://www.ubuntu.com/usn/USN-3087-1"
},
{
"name": "SUSE-SU-2016:2469",
"tags": [
"vendor-advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-10/msg00012.html"
},
{
"name": "openSUSE-SU-2016:2537",
"tags": [
"vendor-advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-10/msg00029.html"
},
{
"name": "USN-3087-2",
"tags": [
"vendor-advisory"
],
"url": "http://www.ubuntu.com/usn/USN-3087-2"
},
{
"name": "SUSE-SU-2017:2699",
"tags": [
"vendor-advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2017-10/msg00010.html"
},
{
"name": "openSUSE-SU-2016:2407",
"tags": [
"vendor-advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-09/msg00031.html"
},
{
"name": "20170717 Orion Elite Hidden IP Browser Pro - All Versions - Multiple Known Vulnerabilities",
"tags": [
"mailing-list"
],
"url": "http://seclists.org/fulldisclosure/2017/Jul/31"
},
{
"name": "SUSE-SU-2016:2458",
"tags": [
"vendor-advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-10/msg00005.html"
},
{
"url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en\u0026docId=emr_na-hpesbhf03856en_us"
},
{
"name": "DSA-3673",
"tags": [
"vendor-advisory"
],
"url": "http://www.debian.org/security/2016/dsa-3673"
},
{
"name": "openSUSE-SU-2016:2391",
"tags": [
"vendor-advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-09/msg00023.html"
},
{
"name": "openSUSE-SU-2018:0458",
"tags": [
"vendor-advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2018-02/msg00032.html"
},
{
"name": "SUSE-SU-2016:2387",
"tags": [
"vendor-advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-09/msg00022.html"
},
{
"url": "https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-c05302448"
},
{
"url": "https://support.f5.com/csp/article/K90492697"
},
{
"name": "SUSE-SU-2016:2468",
"tags": [
"vendor-advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-10/msg00011.html"
},
{
"name": "openSUSE-SU-2016:2496",
"tags": [
"vendor-advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-10/msg00021.html"
},
{
"name": "SUSE-SU-2016:2394",
"tags": [
"vendor-advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-09/msg00024.html"
},
{
"url": "http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20170322-01-openssl-en"
},
{
"url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
},
{
"url": "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html"
},
{
"url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html"
},
{
"url": "https://www.oracle.com/security-alerts/cpujul2020.html"
},
{
"url": "http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html"
},
{
"url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html"
},
{
"url": "https://www.oracle.com/security-alerts/cpujan2020.html"
},
{
"url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html"
},
{
"url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html"
},
{
"url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html"
},
{
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21995039"
},
{
"url": "https://nodejs.org/en/blog/vulnerability/september-2016-security-releases/"
},
{
"url": "http://www.oracle.com/technetwork/topics/security/ovmbulletinoct2016-3090547.html"
},
{
"url": "https://www.openssl.org/news/secadv/20160922.txt"
},
{
"url": "https://git.openssl.org/?p=openssl.git%3Ba=commit%3Bh=52e623c4cb06fffa9d5e75c60b34b4bc130b12e9"
},
{
"url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
},
{
"url": "https://www.arista.com/en/support/advisories-notices/security-advisories/1749-security-advisory-24"
},
{
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-412672.pdf"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2016-6306",
"datePublished": "2016-09-26T00:00:00",
"dateReserved": "2016-07-26T00:00:00",
"dateUpdated": "2024-08-06T01:29:18.287Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-1259 (GCVE-0-2022-1259)
Vulnerability from cvelistv5
Published
2022-08-31 00:00
Modified
2024-08-02 23:55
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-400 - - Uncontrolled Resource Consumption.
Summary
A flaw was found in Undertow. A potential security issue in flow control handling by the browser over HTTP/2 may cause overhead or a denial of service in the server. This flaw exists because of an incomplete fix for CVE-2021-3629.
References
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:55:24.711Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2072339"
},
{
"tags": [
"x_transferred"
],
"url": "https://access.redhat.com/security/cve/CVE-2022-1259"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20221014-0006/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "undertow",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Fixed in 2.3.0.Final, 2.2.17.SP1, 2.2.20.Final, 2.2.19.SP1."
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in Undertow. A potential security issue in flow control handling by the browser over HTTP/2 may cause overhead or a denial of service in the server. This flaw exists because of an incomplete fix for CVE-2021-3629."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400 - Uncontrolled Resource Consumption.",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-10-14T00:00:00",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2072339"
},
{
"url": "https://access.redhat.com/security/cve/CVE-2022-1259"
},
{
"url": "https://security.netapp.com/advisory/ntap-20221014-0006/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2022-1259",
"datePublished": "2022-08-31T00:00:00",
"dateReserved": "2022-04-06T00:00:00",
"dateUpdated": "2024-08-02T23:55:24.711Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2013-0340 (GCVE-0-2013-0340)
Vulnerability from cvelistv5
Published
2014-01-21 18:00
Modified
2024-08-06 14:25
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
expat 2.1.0 and earlier does not properly handle entities expansion unless an application developer uses the XML_SetEntityDeclHandler function, which allows remote attackers to cause a denial of service (resource consumption), send HTTP requests to intranet servers, or read arbitrary files via a crafted XML document, aka an XML External Entity (XXE) issue. NOTE: it could be argued that because expat already provides the ability to disable external entity expansion, the responsibility for resolving this issue lies with application developers; according to this argument, this entry should be REJECTed, and each affected application would need its own CVE.
References
| ► | URL | Tags | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T14:25:10.013Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[oss-security] 20130221 CVEs for libxml2 and expat internal and external XML entity expansion",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://openwall.com/lists/oss-security/2013/02/22/3"
},
{
"name": "[oss-security] 20130413 Re-evaluating expat/libxml2 CVE assignments",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2013/04/12/6"
},
{
"name": "90634",
"tags": [
"vdb-entry",
"x_refsource_OSVDB",
"x_transferred"
],
"url": "http://www.osvdb.org/90634"
},
{
"name": "1028213",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK",
"x_transferred"
],
"url": "http://securitytracker.com/id?1028213"
},
{
"name": "GLSA-201701-21",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/201701-21"
},
{
"name": "58233",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/58233"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://support.apple.com/kb/HT212805"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://support.apple.com/kb/HT212804"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://support.apple.com/kb/HT212807"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://support.apple.com/kb/HT212819"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://support.apple.com/kb/HT212814"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://support.apple.com/kb/HT212815"
},
{
"name": "20210921 APPLE-SA-2021-09-20-1 iOS 15 and iPadOS 15",
"tags": [
"mailing-list",
"x_refsource_FULLDISC",
"x_transferred"
],
"url": "http://seclists.org/fulldisclosure/2021/Sep/33"
},
{
"name": "20210921 APPLE-SA-2021-09-20-2 watchOS 8",
"tags": [
"mailing-list",
"x_refsource_FULLDISC",
"x_transferred"
],
"url": "http://seclists.org/fulldisclosure/2021/Sep/34"
},
{
"name": "20210921 APPLE-SA-2021-09-20-8 Additional information for APPLE-SA-2021-09-13-4 Security Update 2021-005 Catalina",
"tags": [
"mailing-list",
"x_refsource_FULLDISC",
"x_transferred"
],
"url": "http://seclists.org/fulldisclosure/2021/Sep/40"
},
{
"name": "20210921 APPLE-SA-2021-09-20-3 tvOS 15",
"tags": [
"mailing-list",
"x_refsource_FULLDISC",
"x_transferred"
],
"url": "http://seclists.org/fulldisclosure/2021/Sep/35"
},
{
"name": "20210921 APPLE-SA-2021-09-20-6 Additional information for APPLE-SA-2021-09-13-1 iOS 14.8 and iPadOS 14.8",
"tags": [
"mailing-list",
"x_refsource_FULLDISC",
"x_transferred"
],
"url": "http://seclists.org/fulldisclosure/2021/Sep/38"
},
{
"name": "20210921 APPLE-SA-2021-09-20-7 Additional information for APPLE-SA-2021-09-13-3 macOS Big Sur 11.6",
"tags": [
"mailing-list",
"x_refsource_FULLDISC",
"x_transferred"
],
"url": "http://seclists.org/fulldisclosure/2021/Sep/39"
},
{
"name": "[announce] 20211007 CVE-2021-40439: Apache OpenOffice: Billion Laughs",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r41eca5f4f09e74436cbb05dec450fc2bef37b5d3e966aa7cc5fada6d%40%3Cannounce.apache.org%3E"
},
{
"name": "[openoffice-users] 20211007 CVE-2021-40439: Apache OpenOffice: Billion Laughs",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rfb2c193360436e230b85547e85a41bea0916916f96c501f5b6fc4702%40%3Cusers.openoffice.apache.org%3E"
},
{
"name": "[oss-security] 20211007 CVE-2021-40439: Apache OpenOffice: Billion Laughs",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2021/10/07/4"
},
{
"name": "20211027 APPLE-SA-2021-10-26-10 Additional information for APPLE-SA-2021-09-20-2 watchOS 8",
"tags": [
"mailing-list",
"x_refsource_FULLDISC",
"x_transferred"
],
"url": "http://seclists.org/fulldisclosure/2021/Oct/62"
},
{
"name": "20211027 APPLE-SA-2021-10-26-11 Additional information for APPLE-SA-2021-09-20-3 tvOS 15",
"tags": [
"mailing-list",
"x_refsource_FULLDISC",
"x_transferred"
],
"url": "http://seclists.org/fulldisclosure/2021/Oct/63"
},
{
"name": "20211027 APPLE-SA-2021-10-26-9 Additional information for APPLE-SA-2021-09-20-1 iOS 15 and iPadOS 15",
"tags": [
"mailing-list",
"x_refsource_FULLDISC",
"x_transferred"
],
"url": "http://seclists.org/fulldisclosure/2021/Oct/61"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2013-02-21T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "expat 2.1.0 and earlier does not properly handle entities expansion unless an application developer uses the XML_SetEntityDeclHandler function, which allows remote attackers to cause a denial of service (resource consumption), send HTTP requests to intranet servers, or read arbitrary files via a crafted XML document, aka an XML External Entity (XXE) issue. NOTE: it could be argued that because expat already provides the ability to disable external entity expansion, the responsibility for resolving this issue lies with application developers; according to this argument, this entry should be REJECTed, and each affected application would need its own CVE."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-10-27T18:07:35",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "[oss-security] 20130221 CVEs for libxml2 and expat internal and external XML entity expansion",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://openwall.com/lists/oss-security/2013/02/22/3"
},
{
"name": "[oss-security] 20130413 Re-evaluating expat/libxml2 CVE assignments",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2013/04/12/6"
},
{
"name": "90634",
"tags": [
"vdb-entry",
"x_refsource_OSVDB"
],
"url": "http://www.osvdb.org/90634"
},
{
"name": "1028213",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK"
],
"url": "http://securitytracker.com/id?1028213"
},
{
"name": "GLSA-201701-21",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO"
],
"url": "https://security.gentoo.org/glsa/201701-21"
},
{
"name": "58233",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/58233"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://support.apple.com/kb/HT212805"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://support.apple.com/kb/HT212804"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://support.apple.com/kb/HT212807"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://support.apple.com/kb/HT212819"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://support.apple.com/kb/HT212814"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://support.apple.com/kb/HT212815"
},
{
"name": "20210921 APPLE-SA-2021-09-20-1 iOS 15 and iPadOS 15",
"tags": [
"mailing-list",
"x_refsource_FULLDISC"
],
"url": "http://seclists.org/fulldisclosure/2021/Sep/33"
},
{
"name": "20210921 APPLE-SA-2021-09-20-2 watchOS 8",
"tags": [
"mailing-list",
"x_refsource_FULLDISC"
],
"url": "http://seclists.org/fulldisclosure/2021/Sep/34"
},
{
"name": "20210921 APPLE-SA-2021-09-20-8 Additional information for APPLE-SA-2021-09-13-4 Security Update 2021-005 Catalina",
"tags": [
"mailing-list",
"x_refsource_FULLDISC"
],
"url": "http://seclists.org/fulldisclosure/2021/Sep/40"
},
{
"name": "20210921 APPLE-SA-2021-09-20-3 tvOS 15",
"tags": [
"mailing-list",
"x_refsource_FULLDISC"
],
"url": "http://seclists.org/fulldisclosure/2021/Sep/35"
},
{
"name": "20210921 APPLE-SA-2021-09-20-6 Additional information for APPLE-SA-2021-09-13-1 iOS 14.8 and iPadOS 14.8",
"tags": [
"mailing-list",
"x_refsource_FULLDISC"
],
"url": "http://seclists.org/fulldisclosure/2021/Sep/38"
},
{
"name": "20210921 APPLE-SA-2021-09-20-7 Additional information for APPLE-SA-2021-09-13-3 macOS Big Sur 11.6",
"tags": [
"mailing-list",
"x_refsource_FULLDISC"
],
"url": "http://seclists.org/fulldisclosure/2021/Sep/39"
},
{
"name": "[announce] 20211007 CVE-2021-40439: Apache OpenOffice: Billion Laughs",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r41eca5f4f09e74436cbb05dec450fc2bef37b5d3e966aa7cc5fada6d%40%3Cannounce.apache.org%3E"
},
{
"name": "[openoffice-users] 20211007 CVE-2021-40439: Apache OpenOffice: Billion Laughs",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rfb2c193360436e230b85547e85a41bea0916916f96c501f5b6fc4702%40%3Cusers.openoffice.apache.org%3E"
},
{
"name": "[oss-security] 20211007 CVE-2021-40439: Apache OpenOffice: Billion Laughs",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2021/10/07/4"
},
{
"name": "20211027 APPLE-SA-2021-10-26-10 Additional information for APPLE-SA-2021-09-20-2 watchOS 8",
"tags": [
"mailing-list",
"x_refsource_FULLDISC"
],
"url": "http://seclists.org/fulldisclosure/2021/Oct/62"
},
{
"name": "20211027 APPLE-SA-2021-10-26-11 Additional information for APPLE-SA-2021-09-20-3 tvOS 15",
"tags": [
"mailing-list",
"x_refsource_FULLDISC"
],
"url": "http://seclists.org/fulldisclosure/2021/Oct/63"
},
{
"name": "20211027 APPLE-SA-2021-10-26-9 Additional information for APPLE-SA-2021-09-20-1 iOS 15 and iPadOS 15",
"tags": [
"mailing-list",
"x_refsource_FULLDISC"
],
"url": "http://seclists.org/fulldisclosure/2021/Oct/61"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2013-0340",
"datePublished": "2014-01-21T18:00:00",
"dateReserved": "2012-12-06T00:00:00",
"dateUpdated": "2024-08-06T14:25:10.013Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-21409 (GCVE-0-2021-21409)
Vulnerability from cvelistv5
Published
2021-03-30 15:05
Modified
2024-08-03 18:09
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
Summary
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with the endStream set to to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a followup of GHSA-wm47-8v5p-wjpj/CVE-2021-21295 which did miss to fix this one case. This was fixed as part of 4.1.61.Final.
References
| ► | URL | Tags | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T18:09:16.144Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/netty/netty/security/advisories/GHSA-f256-j965-7f32"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21295"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/netty/netty/commit/b0fa4d5aab4215f3c22ce6123dd8dd5f38dc0432"
},
{
"name": "DSA-4885",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2021/dsa-4885"
},
{
"name": "[zookeeper-dev] 20210407 [jira] [Created] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r70c3a7bfa904f06a1902f4df20ee26e4f09a46b8fd3eb304dc57a2de%40%3Cdev.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210407 [jira] [Assigned] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/ra66e93703e3f4bd31bdfd0b6fb0c32ae96b528259bb1aa2b6d38e401%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210407 [jira] [Created] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r2732aa3884cacfecac4c54cfaa77c279ba815cad44b464a567216f83%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210408 [jira] [Comment Edited] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r0ca82fec33334e571fe5b388272260778883e307e15415d7b1443de2%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210408 [jira] [Commented] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r823d4b27fcba8dad5fe945bdefce3ca5a0031187966eb6ef3cc22ba9%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210408 [GitHub] [zookeeper] ayushmantri opened a new pull request #1678: ZOOKEEPER-4278: dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r101f82d8f3b5af0bf79aecbd5b2dd3b404f6bb51d1a54c2c3d29bed9%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210408 [jira] [Updated] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rf521ff2be2e2dd38984174d3451e6ee935c845948845c8fccd86371d%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210408 [GitHub] [zookeeper] arshadmohammad commented on pull request #1678: ZOOKEEPER-4278: dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r5cbea8614812289a9b98d0cfc54b47f54cef424ac98d5e315b791795%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-commits] 20210408 [zookeeper] branch master updated: ZOOKEEPER-4278: dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rdd206d9dd7eb894cc089b37fe6edde2932de88d63a6d8368b44f5101%40%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210408 [jira] [Resolved] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rac8cf45a1bab9ead5c9a860cbadd6faaeb7792203617b6ec3874736d%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-commits] 20210408 [zookeeper] branch branch-3.6 updated: ZOOKEEPER-4278: dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r4a98827bb4a7edbd69ef862f2351391845697c40711820d10df52ca5%40%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-commits] 20210408 [zookeeper] branch branch-3.7 updated: ZOOKEEPER-4278: dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r69efd8ef003f612c43e4154e788ca3b1f837feaacd16d97854402355%40%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210408 [jira] [Assigned] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r4b8be87acf5b9c098a2ee350b5ca5716fe7afeaf0a21a4ee45a90687%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210408 [GitHub] [zookeeper] asfgit closed pull request #1678: ZOOKEEPER-4278: dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/re4b0141939370304d676fe23774d0c6fbc584b648919825402d0cb39%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-commits] 20210408 [zookeeper] 01/02: ZOOKEEPER-4278: dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rdd5715f3ee5e3216d5e0083a07994f67da6dbb9731ce9e7a6389b18e%40%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210409 [jira] [Commented] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r1b3cb056364794f919aaf26ceaf7423de64e7fdd05a914066e7d5219%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[pulsar-commits] 20210419 [GitHub] [pulsar] lhotari opened a new pull request #10266: [Security] Upgrade Netty to 4.1.63.Final to address CVE-2021-21409",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rf38e4dcdefc7c59f7ba0799a399d6d6e37b555d406a1dfc2fcbf0b35%40%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[pulsar-commits] 20210419 [GitHub] [pulsar] lhotari commented on pull request #10266: [Security] Upgrade Netty to 4.1.63.Final to address CVE-2021-21409",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r61564d86a75403b854cdafee67fc69c8b88c5f6802c2c838f4282cc8%40%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[pulsar-commits] 20210420 [GitHub] [pulsar] eolivelli merged pull request #10266: [Security] Upgrade Netty to 4.1.63.Final to address CVE-2021-21409",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r7879ddcb990c835c6b246654770d836f9d031dee982be836744e50ed%40%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[flink-issues] 20210424 [jira] [Created] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r5baac01f9e06c40ff7aab209d5751b3b58802c63734e33324b70a06a%40%3Cissues.flink.apache.org%3E"
},
{
"name": "[flink-dev] 20210424 [jira] [Created] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/ra64d56a8a331ffd7bdcd24a9aaaeeedeacd5d639f5a683389123f898%40%3Cdev.flink.apache.org%3E"
},
{
"name": "[flink-issues] 20210426 [jira] [Commented] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rd8f72411fb75b98d366400ae789966373b5c3eb3f511e717caf3e49e%40%3Cissues.flink.apache.org%3E"
},
{
"name": "[flink-issues] 20210426 [jira] [Updated] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/re7c69756a102bebce8b8681882844a53e2f23975a189363e68ad0324%40%3Cissues.flink.apache.org%3E"
},
{
"name": "[kafka-jira] 20210506 [GitHub] [kafka] dongjinleekr opened a new pull request #10642: KAFKA-12756: Update Zookeeper to 3.6.3 or higher",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rbde2f13daf4911504f0eaea43eee4f42555241b5f6d9d71564b6c5fa%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "[flink-issues] 20210511 [jira] [Commented] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r855b4b6814ac829ce2d48dd9d8138d07f33387e710de798ee92c011e%40%3Cissues.flink.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210517 [jira] [Updated] (ZOOKEEPER-4295) Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21409 in branch-3.5",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rafc77f9f03031297394f3d372ccea751b23576f8a2ae9b6b053894c5%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210517 [jira] [Created] (ZOOKEEPER-4295) Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21409 in branch-3.5",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/re39391adcb863f0e9f3f15e7986255948f263f02e4700b82453e7102%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-dev] 20210517 [jira] [Created] (ZOOKEEPER-4295) Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21409 in branch-3.5",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/re9e6ed60941da831675de2f8f733c026757fb4fa28a7b6c9f3dfb575%40%3Cdev.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210517 [GitHub] [zookeeper] gpiyush-dev opened a new pull request #1696: ZOOKEEPER-4295: Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21409 in branch-3.5",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/re1911e05c08f3ec2bab85744d788773519a0afb27272a31ac2a0b4e8%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210521 [GitHub] [zookeeper] maoling commented on pull request #1696: ZOOKEEPER-4295: Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21409 in branch-3.5",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/redef0fb5474fd686781007de9ddb852b24f1b04131a248d9a4789183%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[flink-issues] 20210610 [jira] [Updated] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r0b09f3e31e004fe583f677f7afa46bd30110904576c13c5ac818ac2c%40%3Cissues.flink.apache.org%3E"
},
{
"name": "[flink-issues] 20210618 [jira] [Updated] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r602e98daacc98934f097f07f2eed6eb07c18bfc1949c8489dc7bfcf5%40%3Cissues.flink.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20210604-0003/"
},
{
"name": "[zookeeper-issues] 20210727 [jira] [Commented] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rba2a9ef1d0af882ab58fadb336a58818495245dda43d32a7d7837187%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210727 [jira] [Comment Edited] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/raa413040db6d2197593cc03edecfd168732e697119e6447b0a25d525%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210727 [GitHub] [zookeeper] sandipbhattacharya commented on pull request #1678: ZOOKEEPER-4278: dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rf148b2bf6c2754153a8629bc7495e216bd0bd4c915695486542a10b4%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[kudu-issues] 20210904 [jira] [Created] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rd4a6b7dec38ea6cd28b6f94bd4b312629a52b80be3786d5fb0e474bc%40%3Cissues.kudu.apache.org%3E"
},
{
"name": "[kudu-issues] 20210904 [jira] [Updated] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rca0978b634a0c3ebee4126ec29c7f570b165fae3f8f3658754c1cbd3%40%3Cissues.kudu.apache.org%3E"
},
{
"name": "[kudu-issues] 20210907 [jira] [Resolved] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rf934292a4a1c189827f625d567838d2c1001e4739b158638d844105b%40%3Cissues.kudu.apache.org%3E"
},
{
"name": "[kudu-issues] 20210907 [jira] [Commented] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/ra655e5cec74d1ddf62adacb71d398abd96f3ea2c588f6bbf048348eb%40%3Cissues.kudu.apache.org%3E"
},
{
"name": "[kudu-issues] 20210907 [jira] [Updated] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r4ea2f1a9d79d4fc1896e085f31fb60a21b1770d0a26a5250f849372d%40%3Cissues.kudu.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210922 [jira] [Commented] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r6dac9bd799ceac499c7a7e152a9b0dc7f2fe7f89ec5605d129bb047b%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210923 [jira] [Commented] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r31044fb995e894749cb821c6fe56f487c16a97028e6e360e59f09d58%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210923 [jira] [Created] (ZOOKEEPER-4385) Backport ZOOKEEPER-4278 to branch-3.5 to Address CVE-2021-21409",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r5f2f120b2b8d099226473db1832ffb4d7c1d6dc2d228a164bf293a8e%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-dev] 20210923 [jira] [Created] (ZOOKEEPER-4385) Backport ZOOKEEPER-4278 to branch-3.5 to Address CVE-2021-21409",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rcae42fba06979934208bbd515584b241d3ad01d1bb8b063512644362%40%3Cdev.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210923 [jira] [Assigned] (ZOOKEEPER-4385) Backport ZOOKEEPER-4278 to branch-3.5 to Address CVE-2021-21409",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r9ec78dc409f3f1edff88f21cab53737f36aad46f582a9825389092e0%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210923 [jira] [Updated] (ZOOKEEPER-4385) Backport ZOOKEEPER-4278 to branch-3.5 to Address CVE-2021-21409",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r7b54563abebe3dbbe421e1ba075c2030d8d460372f8c79b7789684b6%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210924 [jira] [Resolved] (ZOOKEEPER-4385) Backport ZOOKEEPER-4278 to branch-3.5 to Address CVE-2021-21409",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r967002f0939e69bdec58f070735a19dd57c1f2b8f817949ca17cddae%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-commits] 20210924 [zookeeper] branch branch-3.5 updated: ZOOKEEPER-4385. Backport ZOOKEEPER-4278 to branch-3.5 to Address CVE-2021-21409",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r9fe840c36b74f92b8d4a089ada1f9fd1d6293742efa18b10e06b66d2%40%3Ccommits.zookeeper.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"name": "[pulsar-commits] 20211020 [GitHub] [pulsar] Shoothzj opened a new pull request #12437: [Security] Bump grpc to 1.41.0",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r584cf871f188c406d8bd447ff4e2fd9817fca862436c064d0951a071%40%3Ccommits.pulsar.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "netty",
"vendor": "netty",
"versions": [
{
"status": "affected",
"version": "\u003c 4.1.61.Final"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers \u0026 clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with the endStream set to to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a followup of GHSA-wm47-8v5p-wjpj/CVE-2021-21295 which did miss to fix this one case. This was fixed as part of 4.1.61.Final."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-444",
"description": "CWE-444 Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request Smuggling\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-04-19T23:24:02",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/netty/netty/security/advisories/GHSA-f256-j965-7f32"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21295"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/netty/netty/commit/b0fa4d5aab4215f3c22ce6123dd8dd5f38dc0432"
},
{
"name": "DSA-4885",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2021/dsa-4885"
},
{
"name": "[zookeeper-dev] 20210407 [jira] [Created] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r70c3a7bfa904f06a1902f4df20ee26e4f09a46b8fd3eb304dc57a2de%40%3Cdev.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210407 [jira] [Assigned] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/ra66e93703e3f4bd31bdfd0b6fb0c32ae96b528259bb1aa2b6d38e401%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210407 [jira] [Created] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r2732aa3884cacfecac4c54cfaa77c279ba815cad44b464a567216f83%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210408 [jira] [Comment Edited] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r0ca82fec33334e571fe5b388272260778883e307e15415d7b1443de2%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210408 [jira] [Commented] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r823d4b27fcba8dad5fe945bdefce3ca5a0031187966eb6ef3cc22ba9%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210408 [GitHub] [zookeeper] ayushmantri opened a new pull request #1678: ZOOKEEPER-4278: dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r101f82d8f3b5af0bf79aecbd5b2dd3b404f6bb51d1a54c2c3d29bed9%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210408 [jira] [Updated] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rf521ff2be2e2dd38984174d3451e6ee935c845948845c8fccd86371d%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210408 [GitHub] [zookeeper] arshadmohammad commented on pull request #1678: ZOOKEEPER-4278: dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r5cbea8614812289a9b98d0cfc54b47f54cef424ac98d5e315b791795%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-commits] 20210408 [zookeeper] branch master updated: ZOOKEEPER-4278: dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rdd206d9dd7eb894cc089b37fe6edde2932de88d63a6d8368b44f5101%40%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210408 [jira] [Resolved] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rac8cf45a1bab9ead5c9a860cbadd6faaeb7792203617b6ec3874736d%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-commits] 20210408 [zookeeper] branch branch-3.6 updated: ZOOKEEPER-4278: dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r4a98827bb4a7edbd69ef862f2351391845697c40711820d10df52ca5%40%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-commits] 20210408 [zookeeper] branch branch-3.7 updated: ZOOKEEPER-4278: dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r69efd8ef003f612c43e4154e788ca3b1f837feaacd16d97854402355%40%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210408 [jira] [Assigned] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r4b8be87acf5b9c098a2ee350b5ca5716fe7afeaf0a21a4ee45a90687%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210408 [GitHub] [zookeeper] asfgit closed pull request #1678: ZOOKEEPER-4278: dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/re4b0141939370304d676fe23774d0c6fbc584b648919825402d0cb39%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-commits] 20210408 [zookeeper] 01/02: ZOOKEEPER-4278: dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rdd5715f3ee5e3216d5e0083a07994f67da6dbb9731ce9e7a6389b18e%40%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210409 [jira] [Commented] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r1b3cb056364794f919aaf26ceaf7423de64e7fdd05a914066e7d5219%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[pulsar-commits] 20210419 [GitHub] [pulsar] lhotari opened a new pull request #10266: [Security] Upgrade Netty to 4.1.63.Final to address CVE-2021-21409",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rf38e4dcdefc7c59f7ba0799a399d6d6e37b555d406a1dfc2fcbf0b35%40%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[pulsar-commits] 20210419 [GitHub] [pulsar] lhotari commented on pull request #10266: [Security] Upgrade Netty to 4.1.63.Final to address CVE-2021-21409",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r61564d86a75403b854cdafee67fc69c8b88c5f6802c2c838f4282cc8%40%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[pulsar-commits] 20210420 [GitHub] [pulsar] eolivelli merged pull request #10266: [Security] Upgrade Netty to 4.1.63.Final to address CVE-2021-21409",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r7879ddcb990c835c6b246654770d836f9d031dee982be836744e50ed%40%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[flink-issues] 20210424 [jira] [Created] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r5baac01f9e06c40ff7aab209d5751b3b58802c63734e33324b70a06a%40%3Cissues.flink.apache.org%3E"
},
{
"name": "[flink-dev] 20210424 [jira] [Created] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/ra64d56a8a331ffd7bdcd24a9aaaeeedeacd5d639f5a683389123f898%40%3Cdev.flink.apache.org%3E"
},
{
"name": "[flink-issues] 20210426 [jira] [Commented] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rd8f72411fb75b98d366400ae789966373b5c3eb3f511e717caf3e49e%40%3Cissues.flink.apache.org%3E"
},
{
"name": "[flink-issues] 20210426 [jira] [Updated] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/re7c69756a102bebce8b8681882844a53e2f23975a189363e68ad0324%40%3Cissues.flink.apache.org%3E"
},
{
"name": "[kafka-jira] 20210506 [GitHub] [kafka] dongjinleekr opened a new pull request #10642: KAFKA-12756: Update Zookeeper to 3.6.3 or higher",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rbde2f13daf4911504f0eaea43eee4f42555241b5f6d9d71564b6c5fa%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "[flink-issues] 20210511 [jira] [Commented] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r855b4b6814ac829ce2d48dd9d8138d07f33387e710de798ee92c011e%40%3Cissues.flink.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210517 [jira] [Updated] (ZOOKEEPER-4295) Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21409 in branch-3.5",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rafc77f9f03031297394f3d372ccea751b23576f8a2ae9b6b053894c5%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210517 [jira] [Created] (ZOOKEEPER-4295) Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21409 in branch-3.5",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/re39391adcb863f0e9f3f15e7986255948f263f02e4700b82453e7102%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-dev] 20210517 [jira] [Created] (ZOOKEEPER-4295) Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21409 in branch-3.5",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/re9e6ed60941da831675de2f8f733c026757fb4fa28a7b6c9f3dfb575%40%3Cdev.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210517 [GitHub] [zookeeper] gpiyush-dev opened a new pull request #1696: ZOOKEEPER-4295: Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21409 in branch-3.5",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/re1911e05c08f3ec2bab85744d788773519a0afb27272a31ac2a0b4e8%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210521 [GitHub] [zookeeper] maoling commented on pull request #1696: ZOOKEEPER-4295: Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21409 in branch-3.5",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/redef0fb5474fd686781007de9ddb852b24f1b04131a248d9a4789183%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[flink-issues] 20210610 [jira] [Updated] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r0b09f3e31e004fe583f677f7afa46bd30110904576c13c5ac818ac2c%40%3Cissues.flink.apache.org%3E"
},
{
"name": "[flink-issues] 20210618 [jira] [Updated] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r602e98daacc98934f097f07f2eed6eb07c18bfc1949c8489dc7bfcf5%40%3Cissues.flink.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20210604-0003/"
},
{
"name": "[zookeeper-issues] 20210727 [jira] [Commented] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rba2a9ef1d0af882ab58fadb336a58818495245dda43d32a7d7837187%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210727 [jira] [Comment Edited] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/raa413040db6d2197593cc03edecfd168732e697119e6447b0a25d525%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210727 [GitHub] [zookeeper] sandipbhattacharya commented on pull request #1678: ZOOKEEPER-4278: dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rf148b2bf6c2754153a8629bc7495e216bd0bd4c915695486542a10b4%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[kudu-issues] 20210904 [jira] [Created] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rd4a6b7dec38ea6cd28b6f94bd4b312629a52b80be3786d5fb0e474bc%40%3Cissues.kudu.apache.org%3E"
},
{
"name": "[kudu-issues] 20210904 [jira] [Updated] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rca0978b634a0c3ebee4126ec29c7f570b165fae3f8f3658754c1cbd3%40%3Cissues.kudu.apache.org%3E"
},
{
"name": "[kudu-issues] 20210907 [jira] [Resolved] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rf934292a4a1c189827f625d567838d2c1001e4739b158638d844105b%40%3Cissues.kudu.apache.org%3E"
},
{
"name": "[kudu-issues] 20210907 [jira] [Commented] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/ra655e5cec74d1ddf62adacb71d398abd96f3ea2c588f6bbf048348eb%40%3Cissues.kudu.apache.org%3E"
},
{
"name": "[kudu-issues] 20210907 [jira] [Updated] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r4ea2f1a9d79d4fc1896e085f31fb60a21b1770d0a26a5250f849372d%40%3Cissues.kudu.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210922 [jira] [Commented] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r6dac9bd799ceac499c7a7e152a9b0dc7f2fe7f89ec5605d129bb047b%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210923 [jira] [Commented] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r31044fb995e894749cb821c6fe56f487c16a97028e6e360e59f09d58%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210923 [jira] [Created] (ZOOKEEPER-4385) Backport ZOOKEEPER-4278 to branch-3.5 to Address CVE-2021-21409",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r5f2f120b2b8d099226473db1832ffb4d7c1d6dc2d228a164bf293a8e%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-dev] 20210923 [jira] [Created] (ZOOKEEPER-4385) Backport ZOOKEEPER-4278 to branch-3.5 to Address CVE-2021-21409",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rcae42fba06979934208bbd515584b241d3ad01d1bb8b063512644362%40%3Cdev.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210923 [jira] [Assigned] (ZOOKEEPER-4385) Backport ZOOKEEPER-4278 to branch-3.5 to Address CVE-2021-21409",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r9ec78dc409f3f1edff88f21cab53737f36aad46f582a9825389092e0%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210923 [jira] [Updated] (ZOOKEEPER-4385) Backport ZOOKEEPER-4278 to branch-3.5 to Address CVE-2021-21409",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r7b54563abebe3dbbe421e1ba075c2030d8d460372f8c79b7789684b6%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210924 [jira] [Resolved] (ZOOKEEPER-4385) Backport ZOOKEEPER-4278 to branch-3.5 to Address CVE-2021-21409",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r967002f0939e69bdec58f070735a19dd57c1f2b8f817949ca17cddae%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-commits] 20210924 [zookeeper] branch branch-3.5 updated: ZOOKEEPER-4385. Backport ZOOKEEPER-4278 to branch-3.5 to Address CVE-2021-21409",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r9fe840c36b74f92b8d4a089ada1f9fd1d6293742efa18b10e06b66d2%40%3Ccommits.zookeeper.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"name": "[pulsar-commits] 20211020 [GitHub] [pulsar] Shoothzj opened a new pull request #12437: [Security] Bump grpc to 1.41.0",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r584cf871f188c406d8bd447ff4e2fd9817fca862436c064d0951a071%40%3Ccommits.pulsar.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
}
],
"source": {
"advisory": "GHSA-f256-j965-7f32",
"discovery": "UNKNOWN"
},
"title": "Possible request smuggling in HTTP/2 due missing validation of content-length",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-21409",
"STATE": "PUBLIC",
"TITLE": "Possible request smuggling in HTTP/2 due missing validation of content-length"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "netty",
"version": {
"version_data": [
{
"version_value": "\u003c 4.1.61.Final"
}
]
}
}
]
},
"vendor_name": "netty"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers \u0026 clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with the endStream set to to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a followup of GHSA-wm47-8v5p-wjpj/CVE-2021-21295 which did miss to fix this one case. This was fixed as part of 4.1.61.Final."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-444 Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request Smuggling\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/netty/netty/security/advisories/GHSA-f256-j965-7f32",
"refsource": "CONFIRM",
"url": "https://github.com/netty/netty/security/advisories/GHSA-f256-j965-7f32"
},
{
"name": "https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj",
"refsource": "MISC",
"url": "https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj"
},
{
"name": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21295",
"refsource": "MISC",
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21295"
},
{
"name": "https://github.com/netty/netty/commit/b0fa4d5aab4215f3c22ce6123dd8dd5f38dc0432",
"refsource": "MISC",
"url": "https://github.com/netty/netty/commit/b0fa4d5aab4215f3c22ce6123dd8dd5f38dc0432"
},
{
"name": "DSA-4885",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2021/dsa-4885"
},
{
"name": "[zookeeper-dev] 20210407 [jira] [Created] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r70c3a7bfa904f06a1902f4df20ee26e4f09a46b8fd3eb304dc57a2de@%3Cdev.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210407 [jira] [Assigned] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/ra66e93703e3f4bd31bdfd0b6fb0c32ae96b528259bb1aa2b6d38e401@%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210407 [jira] [Created] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r2732aa3884cacfecac4c54cfaa77c279ba815cad44b464a567216f83@%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210408 [jira] [Comment Edited] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r0ca82fec33334e571fe5b388272260778883e307e15415d7b1443de2@%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210408 [jira] [Commented] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r823d4b27fcba8dad5fe945bdefce3ca5a0031187966eb6ef3cc22ba9@%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210408 [GitHub] [zookeeper] ayushmantri opened a new pull request #1678: ZOOKEEPER-4278: dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r101f82d8f3b5af0bf79aecbd5b2dd3b404f6bb51d1a54c2c3d29bed9@%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210408 [jira] [Updated] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rf521ff2be2e2dd38984174d3451e6ee935c845948845c8fccd86371d@%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210408 [GitHub] [zookeeper] arshadmohammad commented on pull request #1678: ZOOKEEPER-4278: dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r5cbea8614812289a9b98d0cfc54b47f54cef424ac98d5e315b791795@%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-commits] 20210408 [zookeeper] branch master updated: ZOOKEEPER-4278: dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rdd206d9dd7eb894cc089b37fe6edde2932de88d63a6d8368b44f5101@%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210408 [jira] [Resolved] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rac8cf45a1bab9ead5c9a860cbadd6faaeb7792203617b6ec3874736d@%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-commits] 20210408 [zookeeper] branch branch-3.6 updated: ZOOKEEPER-4278: dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r4a98827bb4a7edbd69ef862f2351391845697c40711820d10df52ca5@%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-commits] 20210408 [zookeeper] branch branch-3.7 updated: ZOOKEEPER-4278: dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r69efd8ef003f612c43e4154e788ca3b1f837feaacd16d97854402355@%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210408 [jira] [Assigned] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r4b8be87acf5b9c098a2ee350b5ca5716fe7afeaf0a21a4ee45a90687@%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210408 [GitHub] [zookeeper] asfgit closed pull request #1678: ZOOKEEPER-4278: dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/re4b0141939370304d676fe23774d0c6fbc584b648919825402d0cb39@%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-commits] 20210408 [zookeeper] 01/02: ZOOKEEPER-4278: dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rdd5715f3ee5e3216d5e0083a07994f67da6dbb9731ce9e7a6389b18e@%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210409 [jira] [Commented] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r1b3cb056364794f919aaf26ceaf7423de64e7fdd05a914066e7d5219@%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[pulsar-commits] 20210419 [GitHub] [pulsar] lhotari opened a new pull request #10266: [Security] Upgrade Netty to 4.1.63.Final to address CVE-2021-21409",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rf38e4dcdefc7c59f7ba0799a399d6d6e37b555d406a1dfc2fcbf0b35@%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[pulsar-commits] 20210419 [GitHub] [pulsar] lhotari commented on pull request #10266: [Security] Upgrade Netty to 4.1.63.Final to address CVE-2021-21409",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r61564d86a75403b854cdafee67fc69c8b88c5f6802c2c838f4282cc8@%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[pulsar-commits] 20210420 [GitHub] [pulsar] eolivelli merged pull request #10266: [Security] Upgrade Netty to 4.1.63.Final to address CVE-2021-21409",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r7879ddcb990c835c6b246654770d836f9d031dee982be836744e50ed@%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[flink-issues] 20210424 [jira] [Created] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r5baac01f9e06c40ff7aab209d5751b3b58802c63734e33324b70a06a@%3Cissues.flink.apache.org%3E"
},
{
"name": "[flink-dev] 20210424 [jira] [Created] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/ra64d56a8a331ffd7bdcd24a9aaaeeedeacd5d639f5a683389123f898@%3Cdev.flink.apache.org%3E"
},
{
"name": "[flink-issues] 20210426 [jira] [Commented] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rd8f72411fb75b98d366400ae789966373b5c3eb3f511e717caf3e49e@%3Cissues.flink.apache.org%3E"
},
{
"name": "[flink-issues] 20210426 [jira] [Updated] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/re7c69756a102bebce8b8681882844a53e2f23975a189363e68ad0324@%3Cissues.flink.apache.org%3E"
},
{
"name": "[kafka-jira] 20210506 [GitHub] [kafka] dongjinleekr opened a new pull request #10642: KAFKA-12756: Update Zookeeper to 3.6.3 or higher",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rbde2f13daf4911504f0eaea43eee4f42555241b5f6d9d71564b6c5fa@%3Cjira.kafka.apache.org%3E"
},
{
"name": "[flink-issues] 20210511 [jira] [Commented] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r855b4b6814ac829ce2d48dd9d8138d07f33387e710de798ee92c011e@%3Cissues.flink.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210517 [jira] [Updated] (ZOOKEEPER-4295) Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21409 in branch-3.5",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rafc77f9f03031297394f3d372ccea751b23576f8a2ae9b6b053894c5@%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210517 [jira] [Created] (ZOOKEEPER-4295) Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21409 in branch-3.5",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/re39391adcb863f0e9f3f15e7986255948f263f02e4700b82453e7102@%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-dev] 20210517 [jira] [Created] (ZOOKEEPER-4295) Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21409 in branch-3.5",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/re9e6ed60941da831675de2f8f733c026757fb4fa28a7b6c9f3dfb575@%3Cdev.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210517 [GitHub] [zookeeper] gpiyush-dev opened a new pull request #1696: ZOOKEEPER-4295: Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21409 in branch-3.5",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/re1911e05c08f3ec2bab85744d788773519a0afb27272a31ac2a0b4e8@%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210521 [GitHub] [zookeeper] maoling commented on pull request #1696: ZOOKEEPER-4295: Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21409 in branch-3.5",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/redef0fb5474fd686781007de9ddb852b24f1b04131a248d9a4789183@%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[flink-issues] 20210610 [jira] [Updated] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r0b09f3e31e004fe583f677f7afa46bd30110904576c13c5ac818ac2c@%3Cissues.flink.apache.org%3E"
},
{
"name": "[flink-issues] 20210618 [jira] [Updated] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r602e98daacc98934f097f07f2eed6eb07c18bfc1949c8489dc7bfcf5@%3Cissues.flink.apache.org%3E"
},
{
"name": "https://www.oracle.com//security-alerts/cpujul2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"name": "https://security.netapp.com/advisory/ntap-20210604-0003/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20210604-0003/"
},
{
"name": "[zookeeper-issues] 20210727 [jira] [Commented] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rba2a9ef1d0af882ab58fadb336a58818495245dda43d32a7d7837187@%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210727 [jira] [Comment Edited] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/raa413040db6d2197593cc03edecfd168732e697119e6447b0a25d525@%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210727 [GitHub] [zookeeper] sandipbhattacharya commented on pull request #1678: ZOOKEEPER-4278: dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rf148b2bf6c2754153a8629bc7495e216bd0bd4c915695486542a10b4@%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[kudu-issues] 20210904 [jira] [Created] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rd4a6b7dec38ea6cd28b6f94bd4b312629a52b80be3786d5fb0e474bc@%3Cissues.kudu.apache.org%3E"
},
{
"name": "[kudu-issues] 20210904 [jira] [Updated] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rca0978b634a0c3ebee4126ec29c7f570b165fae3f8f3658754c1cbd3@%3Cissues.kudu.apache.org%3E"
},
{
"name": "[kudu-issues] 20210907 [jira] [Resolved] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rf934292a4a1c189827f625d567838d2c1001e4739b158638d844105b@%3Cissues.kudu.apache.org%3E"
},
{
"name": "[kudu-issues] 20210907 [jira] [Commented] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/ra655e5cec74d1ddf62adacb71d398abd96f3ea2c588f6bbf048348eb@%3Cissues.kudu.apache.org%3E"
},
{
"name": "[kudu-issues] 20210907 [jira] [Updated] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r4ea2f1a9d79d4fc1896e085f31fb60a21b1770d0a26a5250f849372d@%3Cissues.kudu.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210922 [jira] [Commented] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r6dac9bd799ceac499c7a7e152a9b0dc7f2fe7f89ec5605d129bb047b@%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210923 [jira] [Commented] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r31044fb995e894749cb821c6fe56f487c16a97028e6e360e59f09d58@%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210923 [jira] [Created] (ZOOKEEPER-4385) Backport ZOOKEEPER-4278 to branch-3.5 to Address CVE-2021-21409",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r5f2f120b2b8d099226473db1832ffb4d7c1d6dc2d228a164bf293a8e@%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-dev] 20210923 [jira] [Created] (ZOOKEEPER-4385) Backport ZOOKEEPER-4278 to branch-3.5 to Address CVE-2021-21409",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rcae42fba06979934208bbd515584b241d3ad01d1bb8b063512644362@%3Cdev.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210923 [jira] [Assigned] (ZOOKEEPER-4385) Backport ZOOKEEPER-4278 to branch-3.5 to Address CVE-2021-21409",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r9ec78dc409f3f1edff88f21cab53737f36aad46f582a9825389092e0@%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210923 [jira] [Updated] (ZOOKEEPER-4385) Backport ZOOKEEPER-4278 to branch-3.5 to Address CVE-2021-21409",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r7b54563abebe3dbbe421e1ba075c2030d8d460372f8c79b7789684b6@%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210924 [jira] [Resolved] (ZOOKEEPER-4385) Backport ZOOKEEPER-4278 to branch-3.5 to Address CVE-2021-21409",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r967002f0939e69bdec58f070735a19dd57c1f2b8f817949ca17cddae@%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-commits] 20210924 [zookeeper] branch branch-3.5 updated: ZOOKEEPER-4385. Backport ZOOKEEPER-4278 to branch-3.5 to Address CVE-2021-21409",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r9fe840c36b74f92b8d4a089ada1f9fd1d6293742efa18b10e06b66d2@%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "https://www.oracle.com/security-alerts/cpuoct2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"name": "[pulsar-commits] 20211020 [GitHub] [pulsar] Shoothzj opened a new pull request #12437: [Security] Bump grpc to 1.41.0",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r584cf871f188c406d8bd447ff4e2fd9817fca862436c064d0951a071@%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "https://www.oracle.com/security-alerts/cpujan2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpuapr2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
}
]
},
"source": {
"advisory": "GHSA-f256-j965-7f32",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-21409",
"datePublished": "2021-03-30T15:05:17",
"dateReserved": "2020-12-22T00:00:00",
"dateUpdated": "2024-08-03T18:09:16.144Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-7489 (GCVE-0-2018-7489)
Vulnerability from cvelistv5
Published
2018-02-26 15:00
Modified
2024-08-05 06:31
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.
References
| ► | URL | Tags | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T06:31:03.738Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "103203",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/103203"
},
{
"name": "RHSA-2018:1448",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2018:1448"
},
{
"name": "RHSA-2018:1449",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2018:1449"
},
{
"name": "RHSA-2018:2938",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2018:2938"
},
{
"name": "RHSA-2018:1450",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2018:1450"
},
{
"name": "RHSA-2018:2090",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2018:2090"
},
{
"name": "RHSA-2018:2939",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2018:2939"
},
{
"name": "1041890",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK",
"x_transferred"
],
"url": "http://www.securitytracker.com/id/1041890"
},
{
"name": "1040693",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK",
"x_transferred"
],
"url": "http://www.securitytracker.com/id/1040693"
},
{
"name": "RHSA-2018:1786",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2018:1786"
},
{
"name": "RHSA-2018:1451",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2018:1451"
},
{
"name": "DSA-4190",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2018/dsa-4190"
},
{
"name": "RHSA-2018:1447",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2018:1447"
},
{
"name": "RHSA-2018:2088",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2018:2088"
},
{
"name": "RHSA-2018:2089",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2018:2089"
},
{
"name": "RHSA-2019:2858",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2019:2858"
},
{
"name": "RHSA-2019:3149",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2019:3149"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbhf03902en_us"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20180328-0001/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/FasterXML/jackson-databind/issues/1931"
},
{
"name": "[druid-commits] 20210324 [GitHub] [druid] jihoonson opened a new pull request #11030: Suppress cves",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r1d4a247329a8478073163567bbc8c8cb6b49c6bfc2bf58153a857af1%40%3Ccommits.druid.apache.org%3E"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2018-02-26T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-03-25T00:06:15",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "103203",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/103203"
},
{
"name": "RHSA-2018:1448",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2018:1448"
},
{
"name": "RHSA-2018:1449",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2018:1449"
},
{
"name": "RHSA-2018:2938",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2018:2938"
},
{
"name": "RHSA-2018:1450",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2018:1450"
},
{
"name": "RHSA-2018:2090",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2018:2090"
},
{
"name": "RHSA-2018:2939",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2018:2939"
},
{
"name": "1041890",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK"
],
"url": "http://www.securitytracker.com/id/1041890"
},
{
"name": "1040693",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK"
],
"url": "http://www.securitytracker.com/id/1040693"
},
{
"name": "RHSA-2018:1786",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2018:1786"
},
{
"name": "RHSA-2018:1451",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2018:1451"
},
{
"name": "DSA-4190",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2018/dsa-4190"
},
{
"name": "RHSA-2018:1447",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2018:1447"
},
{
"name": "RHSA-2018:2088",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2018:2088"
},
{
"name": "RHSA-2018:2089",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2018:2089"
},
{
"name": "RHSA-2019:2858",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2019:2858"
},
{
"name": "RHSA-2019:3149",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2019:3149"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbhf03902en_us"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20180328-0001/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/FasterXML/jackson-databind/issues/1931"
},
{
"name": "[druid-commits] 20210324 [GitHub] [druid] jihoonson opened a new pull request #11030: Suppress cves",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r1d4a247329a8478073163567bbc8c8cb6b49c6bfc2bf58153a857af1%40%3Ccommits.druid.apache.org%3E"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2018-7489",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "103203",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/103203"
},
{
"name": "RHSA-2018:1448",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2018:1448"
},
{
"name": "RHSA-2018:1449",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2018:1449"
},
{
"name": "RHSA-2018:2938",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2018:2938"
},
{
"name": "RHSA-2018:1450",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2018:1450"
},
{
"name": "RHSA-2018:2090",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2018:2090"
},
{
"name": "RHSA-2018:2939",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2018:2939"
},
{
"name": "1041890",
"refsource": "SECTRACK",
"url": "http://www.securitytracker.com/id/1041890"
},
{
"name": "1040693",
"refsource": "SECTRACK",
"url": "http://www.securitytracker.com/id/1040693"
},
{
"name": "RHSA-2018:1786",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2018:1786"
},
{
"name": "RHSA-2018:1451",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2018:1451"
},
{
"name": "DSA-4190",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2018/dsa-4190"
},
{
"name": "RHSA-2018:1447",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2018:1447"
},
{
"name": "RHSA-2018:2088",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2018:2088"
},
{
"name": "RHSA-2018:2089",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2018:2089"
},
{
"name": "RHSA-2019:2858",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2019:2858"
},
{
"name": "RHSA-2019:3149",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2019:3149"
},
{
"name": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html",
"refsource": "CONFIRM",
"url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html"
},
{
"name": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html",
"refsource": "CONFIRM",
"url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html"
},
{
"name": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html",
"refsource": "CONFIRM",
"url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html"
},
{
"name": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html",
"refsource": "CONFIRM",
"url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html"
},
{
"name": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html",
"refsource": "MISC",
"url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html"
},
{
"name": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html",
"refsource": "MISC",
"url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpuoct2020.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
},
{
"name": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbhf03902en_us",
"refsource": "CONFIRM",
"url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbhf03902en_us"
},
{
"name": "https://security.netapp.com/advisory/ntap-20180328-0001/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20180328-0001/"
},
{
"name": "https://github.com/FasterXML/jackson-databind/issues/1931",
"refsource": "CONFIRM",
"url": "https://github.com/FasterXML/jackson-databind/issues/1931"
},
{
"name": "[druid-commits] 20210324 [GitHub] [druid] jihoonson opened a new pull request #11030: Suppress cves",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r1d4a247329a8478073163567bbc8c8cb6b49c6bfc2bf58153a857af1@%3Ccommits.druid.apache.org%3E"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-7489",
"datePublished": "2018-02-26T15:00:00",
"dateReserved": "2018-02-26T00:00:00",
"dateUpdated": "2024-08-05T06:31:03.738Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-3629 (GCVE-0-2021-3629)
Vulnerability from cvelistv5
Published
2022-05-24 18:19
Modified
2024-08-03 17:01
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
A flaw was found in Undertow. A potential security issue in flow control handling by the browser over http/2 may potentially cause overhead or a denial of service in the server. The highest threat from this vulnerability is availability. This flaw affects Undertow versions prior to 2.0.40.Final and prior to 2.2.11.Final.
References
| ► | URL | Tags | ||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T17:01:07.495Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1977362"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20220729-0008/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "undertow",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "undertow 2.0.40.Final, undertow 2.2.11.Final"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in Undertow. A potential security issue in flow control handling by the browser over http/2 may potentially cause overhead or a denial of service in the server. The highest threat from this vulnerability is availability. This flaw affects Undertow versions prior to 2.0.40.Final and prior to 2.2.11.Final."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-29T19:06:16",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1977362"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20220729-0008/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2021-3629",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "undertow",
"version": {
"version_data": [
{
"version_value": "undertow 2.0.40.Final, undertow 2.2.11.Final"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A flaw was found in Undertow. A potential security issue in flow control handling by the browser over http/2 may potentially cause overhead or a denial of service in the server. The highest threat from this vulnerability is availability. This flaw affects Undertow versions prior to 2.0.40.Final and prior to 2.2.11.Final."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-400"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=1977362",
"refsource": "MISC",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1977362"
},
{
"name": "https://security.netapp.com/advisory/ntap-20220729-0008/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20220729-0008/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2021-3629",
"datePublished": "2022-05-24T18:19:00",
"dateReserved": "2021-06-29T00:00:00",
"dateUpdated": "2024-08-03T17:01:07.495Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-41881 (GCVE-0-2022-41881)
Vulnerability from cvelistv5
Published
2022-12-12 00:00
Modified
2025-04-22 15:57
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-674 - Uncontrolled Recursion
Summary
Netty project is an event-driven asynchronous network application framework. In versions prior to 4.1.86.Final, a StackOverflowError can be raised when parsing a malformed crafted message due to an infinite recursion. This issue is patched in version 4.1.86.Final. There is no workaround, except using a custom HaProxyMessageDecoder.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T12:56:38.229Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/netty/netty/security/advisories/GHSA-fx2c-96vj-985v"
},
{
"name": "[debian-lts-announce] 20230111 [SECURITY] [DLA 3268-1] netty security update",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00008.html"
},
{
"name": "DSA-5316",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://www.debian.org/security/2023/dsa-5316"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20230113-0004/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-41881",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-22T15:39:04.984423Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-22T15:57:46.309Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "netty",
"vendor": "netty",
"versions": [
{
"status": "affected",
"version": "\u003c 4.1.86.Final"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Netty project is an event-driven asynchronous network application framework. In versions prior to 4.1.86.Final, a StackOverflowError can be raised when parsing a malformed crafted message due to an infinite recursion. This issue is patched in version 4.1.86.Final. There is no workaround, except using a custom HaProxyMessageDecoder."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-674",
"description": "CWE-674: Uncontrolled Recursion",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-01-13T00:00:00.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"url": "https://github.com/netty/netty/security/advisories/GHSA-fx2c-96vj-985v"
},
{
"name": "[debian-lts-announce] 20230111 [SECURITY] [DLA 3268-1] netty security update",
"tags": [
"mailing-list"
],
"url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00008.html"
},
{
"name": "DSA-5316",
"tags": [
"vendor-advisory"
],
"url": "https://www.debian.org/security/2023/dsa-5316"
},
{
"url": "https://security.netapp.com/advisory/ntap-20230113-0004/"
}
],
"source": {
"advisory": "GHSA-fx2c-96vj-985v",
"discovery": "UNKNOWN"
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-41881",
"datePublished": "2022-12-12T00:00:00.000Z",
"dateReserved": "2022-09-30T00:00:00.000Z",
"dateUpdated": "2025-04-22T15:57:46.309Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2016-0705 (GCVE-0-2016-0705)
Vulnerability from cvelistv5
Published
2016-03-03 00:00
Modified
2024-08-05 22:30
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Double free vulnerability in the dsa_priv_decode function in crypto/dsa/dsa_ameth.c in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a malformed DSA private key.
References
| ► | URL | Tags | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T22:30:04.546Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "FEDORA-2016-2802690366",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-March/178358.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05131085"
},
{
"tags": [
"x_transferred"
],
"url": "http://source.android.com/security/bulletin/2016-05-01.html"
},
{
"name": "RHSA-2018:2713",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2018:2713"
},
{
"name": "FEDORA-2016-e6807b3394",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-March/178817.html"
},
{
"name": "HPSBMU03575",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://marc.info/?l=bugtraq\u0026m=146108058503441\u0026w=2"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05111017"
},
{
"tags": [
"x_transferred"
],
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05301946"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.openssl.org/?p=openssl.git%3Ba=commit%3Bh=6c88c71b4e4825c7bc0489306d062d017634eb88"
},
{
"name": "openSUSE-SU-2016:1332",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00053.html"
},
{
"name": "openSUSE-SU-2016:0638",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00010.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05376917"
},
{
"name": "FreeBSD-SA-16:12",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://security.FreeBSD.org/advisories/FreeBSD-SA-16:12.openssl.asc"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinjan2016-2867209.html"
},
{
"name": "SUSE-SU-2016:0621",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00003.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05150888"
},
{
"tags": [
"x_transferred"
],
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05135617"
},
{
"name": "HPSBGN03563",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://marc.info/?l=bugtraq\u0026m=145889460330120\u0026w=2"
},
{
"name": "HPSBGN03569",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://marc.info/?l=bugtraq\u0026m=145983526810210\u0026w=2"
},
{
"tags": [
"x_transferred"
],
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05158380"
},
{
"name": "RHSA-2018:2575",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2018:2575"
},
{
"name": "USN-2914-1",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://www.ubuntu.com/usn/USN-2914-1"
},
{
"tags": [
"x_transferred"
],
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05150736"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html"
},
{
"name": "SUSE-SU-2016:1057",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00038.html"
},
{
"name": "openSUSE-SU-2016:1566",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00019.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA40168"
},
{
"tags": [
"x_transferred"
],
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05126404"
},
{
"tags": [
"x_transferred"
],
"url": "http://openssl.org/news/secadv/20160301.txt"
},
{
"name": "20160302 Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: March 2016",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160302-openssl"
},
{
"tags": [
"x_transferred"
],
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05086877"
},
{
"tags": [
"x_transferred"
],
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390722"
},
{
"name": "RHSA-2018:2568",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2018:2568"
},
{
"name": "SUSE-SU-2016:0624",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00004.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05176716"
},
{
"tags": [
"x_transferred"
],
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05141441"
},
{
"name": "DSA-3500",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://www.debian.org/security/2016/dsa-3500"
},
{
"tags": [
"x_transferred"
],
"url": "https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbhf03741en_us"
},
{
"name": "SUSE-SU-2016:0631",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00007.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.openssl.org/news/secadv/20160301.txt"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html"
},
{
"name": "91787",
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/91787"
},
{
"name": "SUSE-SU-2016:0617",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00001.html"
},
{
"name": "RHSA-2016:2957",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2016-2957.html"
},
{
"name": "GLSA-201603-15",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/201603-15"
},
{
"tags": [
"x_transferred"
],
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05068681"
},
{
"name": "openSUSE-SU-2016:0628",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00006.html"
},
{
"name": "1035133",
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "http://www.securitytracker.com/id/1035133"
},
{
"tags": [
"x_transferred"
],
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05150800"
},
{
"name": "SUSE-SU-2016:0620",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00002.html"
},
{
"name": "openSUSE-SU-2016:0637",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00009.html"
},
{
"name": "openSUSE-SU-2016:0627",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00005.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05052990"
},
{
"name": "83754",
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/83754"
},
{
"tags": [
"x_transferred"
],
"url": "http://kb.juniper.net/InfoCenter/index?page=content\u0026id=JSA10759"
},
{
"tags": [
"x_transferred"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-412672.pdf"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2016-03-01T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Double free vulnerability in the dsa_priv_decode function in crypto/dsa/dsa_ameth.c in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a malformed DSA private key."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-12-13T00:00:00",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "FEDORA-2016-2802690366",
"tags": [
"vendor-advisory"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-March/178358.html"
},
{
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05131085"
},
{
"url": "http://source.android.com/security/bulletin/2016-05-01.html"
},
{
"name": "RHSA-2018:2713",
"tags": [
"vendor-advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2018:2713"
},
{
"name": "FEDORA-2016-e6807b3394",
"tags": [
"vendor-advisory"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-March/178817.html"
},
{
"name": "HPSBMU03575",
"tags": [
"vendor-advisory"
],
"url": "http://marc.info/?l=bugtraq\u0026m=146108058503441\u0026w=2"
},
{
"url": "http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html"
},
{
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05111017"
},
{
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05301946"
},
{
"url": "https://git.openssl.org/?p=openssl.git%3Ba=commit%3Bh=6c88c71b4e4825c7bc0489306d062d017634eb88"
},
{
"name": "openSUSE-SU-2016:1332",
"tags": [
"vendor-advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00053.html"
},
{
"name": "openSUSE-SU-2016:0638",
"tags": [
"vendor-advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00010.html"
},
{
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05376917"
},
{
"name": "FreeBSD-SA-16:12",
"tags": [
"vendor-advisory"
],
"url": "https://security.FreeBSD.org/advisories/FreeBSD-SA-16:12.openssl.asc"
},
{
"url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinjan2016-2867209.html"
},
{
"name": "SUSE-SU-2016:0621",
"tags": [
"vendor-advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00003.html"
},
{
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05150888"
},
{
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05135617"
},
{
"name": "HPSBGN03563",
"tags": [
"vendor-advisory"
],
"url": "http://marc.info/?l=bugtraq\u0026m=145889460330120\u0026w=2"
},
{
"name": "HPSBGN03569",
"tags": [
"vendor-advisory"
],
"url": "http://marc.info/?l=bugtraq\u0026m=145983526810210\u0026w=2"
},
{
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05158380"
},
{
"name": "RHSA-2018:2575",
"tags": [
"vendor-advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2018:2575"
},
{
"name": "USN-2914-1",
"tags": [
"vendor-advisory"
],
"url": "http://www.ubuntu.com/usn/USN-2914-1"
},
{
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05150736"
},
{
"url": "http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html"
},
{
"name": "SUSE-SU-2016:1057",
"tags": [
"vendor-advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00038.html"
},
{
"name": "openSUSE-SU-2016:1566",
"tags": [
"vendor-advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00019.html"
},
{
"url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA40168"
},
{
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05126404"
},
{
"url": "http://openssl.org/news/secadv/20160301.txt"
},
{
"name": "20160302 Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: March 2016",
"tags": [
"vendor-advisory"
],
"url": "http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160302-openssl"
},
{
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05086877"
},
{
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390722"
},
{
"name": "RHSA-2018:2568",
"tags": [
"vendor-advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2018:2568"
},
{
"name": "SUSE-SU-2016:0624",
"tags": [
"vendor-advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00004.html"
},
{
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05176716"
},
{
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05141441"
},
{
"name": "DSA-3500",
"tags": [
"vendor-advisory"
],
"url": "http://www.debian.org/security/2016/dsa-3500"
},
{
"url": "https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbhf03741en_us"
},
{
"name": "SUSE-SU-2016:0631",
"tags": [
"vendor-advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00007.html"
},
{
"url": "https://www.openssl.org/news/secadv/20160301.txt"
},
{
"url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html"
},
{
"name": "91787",
"tags": [
"vdb-entry"
],
"url": "http://www.securityfocus.com/bid/91787"
},
{
"name": "SUSE-SU-2016:0617",
"tags": [
"vendor-advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00001.html"
},
{
"name": "RHSA-2016:2957",
"tags": [
"vendor-advisory"
],
"url": "http://rhn.redhat.com/errata/RHSA-2016-2957.html"
},
{
"name": "GLSA-201603-15",
"tags": [
"vendor-advisory"
],
"url": "https://security.gentoo.org/glsa/201603-15"
},
{
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05068681"
},
{
"name": "openSUSE-SU-2016:0628",
"tags": [
"vendor-advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00006.html"
},
{
"name": "1035133",
"tags": [
"vdb-entry"
],
"url": "http://www.securitytracker.com/id/1035133"
},
{
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05150800"
},
{
"name": "SUSE-SU-2016:0620",
"tags": [
"vendor-advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00002.html"
},
{
"name": "openSUSE-SU-2016:0637",
"tags": [
"vendor-advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00009.html"
},
{
"name": "openSUSE-SU-2016:0627",
"tags": [
"vendor-advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00005.html"
},
{
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05052990"
},
{
"name": "83754",
"tags": [
"vdb-entry"
],
"url": "http://www.securityfocus.com/bid/83754"
},
{
"url": "http://kb.juniper.net/InfoCenter/index?page=content\u0026id=JSA10759"
},
{
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-412672.pdf"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2016-0705",
"datePublished": "2016-03-03T00:00:00",
"dateReserved": "2015-12-16T00:00:00",
"dateUpdated": "2024-08-05T22:30:04.546Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-46363 (GCVE-0-2022-46363)
Vulnerability from cvelistv5
Published
2022-12-13 14:46
Modified
2025-04-22 02:50
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-20 - Improper Input Validation
Summary
A vulnerability in Apache CXF before versions 3.5.5 and 3.4.10 allows an attacker to perform a remote directory listing or code exfiltration. The vulnerability only applies when the CXFServlet is configured with both the static-resources-list and redirect-query-check attributes. These attributes are not supposed to be used together, and so the vulnerability can only arise if the CXF service is misconfigured.
References
| ► | URL | Tags | |||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache CXF |
Version: 3.5 Version: 3.4 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T14:31:45.874Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/pdzo1qgyplf4y523tnnzrcm7hoco3l8c"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-46363",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-22T02:50:18.035706Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-22T02:50:45.431Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache CXF",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "3.5.5",
"status": "affected",
"version": "3.5",
"versionType": "maven"
},
{
"lessThan": "3.4.10",
"status": "affected",
"version": "3.4",
"versionType": "maven"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "thanat0s from Beijin Qihoo 360 adlab"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A vulnerability in Apache CXF before versions 3.5.5 and 3.4.10 allows an attacker to perform a remote directory listing or code exfiltration. The vulnerability only applies when the\u0026nbsp;CXFServlet is configured with both the\u0026nbsp;static-resources-list and\u0026nbsp;redirect-query-check attributes. These attributes are not supposed to be used together, and so the vulnerability can only arise if the CXF service is misconfigured.\u003cbr\u003e\u003cbr\u003e"
}
],
"value": "A vulnerability in Apache CXF before versions 3.5.5 and 3.4.10 allows an attacker to perform a remote directory listing or code exfiltration. The vulnerability only applies when the\u00a0CXFServlet is configured with both the\u00a0static-resources-list and\u00a0redirect-query-check attributes. These attributes are not supposed to be used together, and so the vulnerability can only arise if the CXF service is misconfigured.\n\n"
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-12-13T14:48:16.676Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/pdzo1qgyplf4y523tnnzrcm7hoco3l8c"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Apache CXF directory listing / code exfiltration",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2022-46363",
"datePublished": "2022-12-13T14:46:55.619Z",
"dateReserved": "2022-12-02T08:07:29.876Z",
"dateUpdated": "2025-04-22T02:50:45.431Z",
"requesterUserId": "cf81350d-439c-4450-9d42-0a054bb6b6c9",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-1459 (GCVE-0-2024-1459)
Vulnerability from cvelistv5
Published
2024-02-12 20:30
Modified
2025-08-14 16:19
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-24 - Path Traversal: '../filedir'
Summary
A path traversal vulnerability was found in Undertow. This issue may allow a remote attacker to append a specially-crafted sequence to an HTTP request for an application deployed to JBoss EAP, which may permit access to privileged or restricted files and directories.
References
| ► | URL | Tags | ||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ► |
Version: 0 < 2.3.12 |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-1459",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-02-13T15:51:43.437025Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-05T17:22:26.959Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-11-22T12:04:46.762Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "RHSA-2024:1677",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2024:1677"
},
{
"name": "RHSA-2024:2763",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2024:2763"
},
{
"name": "RHSA-2024:2764",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2024:2764"
},
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/security/cve/CVE-2024-1459"
},
{
"name": "RHBZ#2259475",
"tags": [
"issue-tracking",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2259475"
},
{
"url": "https://security.netapp.com/advisory/ntap-20241122-0008/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com/undertow-io/undertow",
"defaultStatus": "unaffected",
"packageName": "undertow",
"versions": [
{
"lessThan": "2.3.12",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
"cpes": [
"cpe:/a:redhat:jboss_enterprise_application_platform:7.4"
],
"defaultStatus": "unaffected",
"product": "Red Hat JBoss Enterprise Application Platform 7",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8"
],
"defaultStatus": "affected",
"packageName": "eap7-activemq-artemis",
"product": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:2.16.0-18.redhat_00052.1.el8eap",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8"
],
"defaultStatus": "affected",
"packageName": "eap7-apache-cxf",
"product": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:3.4.10-2.redhat_00001.1.el8eap",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8"
],
"defaultStatus": "affected",
"packageName": "eap7-eclipse-jgit",
"product": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:5.13.3.202401111512-1.r_redhat_00001.1.el8eap",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8"
],
"defaultStatus": "affected",
"packageName": "eap7-elytron-web",
"product": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:1.9.4-1.Final_redhat_00001.1.el8eap",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8"
],
"defaultStatus": "affected",
"packageName": "eap7-hal-console",
"product": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:3.3.21-1.Final_redhat_00001.1.el8eap",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8"
],
"defaultStatus": "affected",
"packageName": "eap7-hibernate",
"product": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:5.3.36-1.Final_redhat_00001.1.el8eap",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8"
],
"defaultStatus": "affected",
"packageName": "eap7-infinispan",
"product": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:11.0.18-2.Final_redhat_00001.1.el8eap",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8"
],
"defaultStatus": "affected",
"packageName": "eap7-insights-java-client",
"product": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:1.1.2-1.redhat_00001.1.el8eap",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8"
],
"defaultStatus": "affected",
"packageName": "eap7-jberet",
"product": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:1.3.9-3.SP3_redhat_00001.1.el8eap",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8"
],
"defaultStatus": "affected",
"packageName": "eap7-jboss-annotations-api_1.3_spec",
"product": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:2.0.1-3.Final_redhat_00001.1.el8eap",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8"
],
"defaultStatus": "affected",
"packageName": "eap7-jboss-cert-helper",
"product": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:1.1.2-1.redhat_00001.1.el8eap",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8"
],
"defaultStatus": "affected",
"packageName": "eap7-jboss-remoting",
"product": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:5.0.27-4.SP2_redhat_00001.1.el8eap",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8"
],
"defaultStatus": "affected",
"packageName": "eap7-jboss-server-migration",
"product": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:1.10.0-35.Final_redhat_00034.1.el8eap",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8"
],
"defaultStatus": "affected",
"packageName": "eap7-jboss-xnio-base",
"product": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:3.8.12-1.SP2_redhat_00001.1.el8eap",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8"
],
"defaultStatus": "affected",
"packageName": "eap7-jgroups-kubernetes",
"product": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:1.0.17-1.Final_redhat_00001.1.el8eap",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8"
],
"defaultStatus": "affected",
"packageName": "eap7-lucene-solr",
"product": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:5.5.5-6.redhat_2.1.el8eap",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8"
],
"defaultStatus": "affected",
"packageName": "eap7-undertow",
"product": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:2.2.30-1.SP1_redhat_00001.1.el8eap",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8"
],
"defaultStatus": "affected",
"packageName": "eap7-wildfly",
"product": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:7.4.16-4.GA_redhat_00002.1.el8eap",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8"
],
"defaultStatus": "affected",
"packageName": "eap7-wildfly-elytron",
"product": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:1.15.22-1.Final_redhat_00001.1.el8eap",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9"
],
"defaultStatus": "affected",
"packageName": "eap7-activemq-artemis",
"product": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:2.16.0-18.redhat_00052.1.el9eap",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9"
],
"defaultStatus": "affected",
"packageName": "eap7-apache-cxf",
"product": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:3.4.10-2.redhat_00001.1.el9eap",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9"
],
"defaultStatus": "affected",
"packageName": "eap7-eclipse-jgit",
"product": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:5.13.3.202401111512-1.r_redhat_00001.1.el9eap",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9"
],
"defaultStatus": "affected",
"packageName": "eap7-elytron-web",
"product": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:1.9.4-1.Final_redhat_00001.1.el9eap",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9"
],
"defaultStatus": "affected",
"packageName": "eap7-hal-console",
"product": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:3.3.21-1.Final_redhat_00001.1.el9eap",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9"
],
"defaultStatus": "affected",
"packageName": "eap7-hibernate",
"product": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:5.3.36-1.Final_redhat_00001.1.el9eap",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9"
],
"defaultStatus": "affected",
"packageName": "eap7-infinispan",
"product": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:11.0.18-2.Final_redhat_00001.1.el9eap",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9"
],
"defaultStatus": "affected",
"packageName": "eap7-insights-java-client",
"product": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:1.1.2-1.redhat_00001.1.el9eap",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9"
],
"defaultStatus": "affected",
"packageName": "eap7-jberet",
"product": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:1.3.9-3.SP3_redhat_00001.1.el9eap",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9"
],
"defaultStatus": "affected",
"packageName": "eap7-jboss-annotations-api_1.3_spec",
"product": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:2.0.1-3.Final_redhat_00001.1.el9eap",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9"
],
"defaultStatus": "affected",
"packageName": "eap7-jboss-cert-helper",
"product": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:1.1.2-1.redhat_00001.1.el9eap",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9"
],
"defaultStatus": "affected",
"packageName": "eap7-jboss-remoting",
"product": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:5.0.27-4.SP2_redhat_00001.1.el9eap",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9"
],
"defaultStatus": "affected",
"packageName": "eap7-jboss-server-migration",
"product": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:1.10.0-35.Final_redhat_00034.1.el9eap",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9"
],
"defaultStatus": "affected",
"packageName": "eap7-jboss-xnio-base",
"product": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:3.8.12-1.SP2_redhat_00001.1.el9eap",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9"
],
"defaultStatus": "affected",
"packageName": "eap7-jgroups-kubernetes",
"product": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:1.0.17-1.Final_redhat_00001.1.el9eap",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9"
],
"defaultStatus": "affected",
"packageName": "eap7-lucene-solr",
"product": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:5.5.5-6.redhat_2.1.el9eap",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9"
],
"defaultStatus": "affected",
"packageName": "eap7-undertow",
"product": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:2.2.30-1.SP1_redhat_00001.1.el9eap",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9"
],
"defaultStatus": "affected",
"packageName": "eap7-wildfly",
"product": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:7.4.16-4.GA_redhat_00002.1.el9eap",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9"
],
"defaultStatus": "affected",
"packageName": "eap7-wildfly-elytron",
"product": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:1.15.22-1.Final_redhat_00001.1.el9eap",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7"
],
"defaultStatus": "affected",
"packageName": "eap7-activemq-artemis",
"product": "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:2.16.0-18.redhat_00052.1.el7eap",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7"
],
"defaultStatus": "affected",
"packageName": "eap7-apache-cxf",
"product": "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:3.4.10-2.redhat_00001.1.el7eap",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7"
],
"defaultStatus": "affected",
"packageName": "eap7-eclipse-jgit",
"product": "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:5.13.3.202401111512-1.r_redhat_00001.1.el7eap",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7"
],
"defaultStatus": "affected",
"packageName": "eap7-elytron-web",
"product": "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:1.9.4-1.Final_redhat_00001.1.el7eap",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7"
],
"defaultStatus": "affected",
"packageName": "eap7-hal-console",
"product": "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:3.3.21-1.Final_redhat_00001.1.el7eap",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7"
],
"defaultStatus": "affected",
"packageName": "eap7-hibernate",
"product": "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:5.3.36-1.Final_redhat_00001.1.el7eap",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7"
],
"defaultStatus": "affected",
"packageName": "eap7-infinispan",
"product": "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:11.0.18-2.Final_redhat_00001.1.el7eap",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7"
],
"defaultStatus": "affected",
"packageName": "eap7-insights-java-client",
"product": "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:1.1.2-1.redhat_00001.1.el7eap",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7"
],
"defaultStatus": "affected",
"packageName": "eap7-jberet",
"product": "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:1.3.9-3.SP3_redhat_00001.1.el7eap",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7"
],
"defaultStatus": "affected",
"packageName": "eap7-jboss-annotations-api_1.3_spec",
"product": "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:2.0.1-3.Final_redhat_00001.1.el7eap",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7"
],
"defaultStatus": "affected",
"packageName": "eap7-jboss-cert-helper",
"product": "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:1.1.2-1.redhat_00001.1.el7eap",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7"
],
"defaultStatus": "affected",
"packageName": "eap7-jboss-remoting",
"product": "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:5.0.27-4.SP2_redhat_00001.1.el7eap",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7"
],
"defaultStatus": "affected",
"packageName": "eap7-jboss-server-migration",
"product": "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:1.10.0-35.Final_redhat_00034.1.el7eap",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7"
],
"defaultStatus": "affected",
"packageName": "eap7-jboss-xnio-base",
"product": "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:3.8.12-1.SP2_redhat_00001.1.el7eap",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7"
],
"defaultStatus": "affected",
"packageName": "eap7-jgroups-kubernetes",
"product": "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:1.0.17-1.Final_redhat_00001.1.el7eap",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7"
],
"defaultStatus": "affected",
"packageName": "eap7-lucene-solr",
"product": "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:5.5.5-6.redhat_2.1.el7eap",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7"
],
"defaultStatus": "affected",
"packageName": "eap7-undertow",
"product": "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:2.2.30-1.SP1_redhat_00001.1.el7eap",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7"
],
"defaultStatus": "affected",
"packageName": "eap7-wildfly",
"product": "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:7.4.16-4.GA_redhat_00002.1.el7eap",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7"
],
"defaultStatus": "affected",
"packageName": "eap7-wildfly-elytron",
"product": "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:1.15.22-1.Final_redhat_00001.1.el7eap",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:jboss_enterprise_application_platform:8.0"
],
"defaultStatus": "unaffected",
"product": "Red Hat JBoss Enterprise Application Platform 8",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8",
"cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"
],
"defaultStatus": "affected",
"packageName": "eap8-undertow",
"product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:2.3.11-1.SP1_redhat_00001.1.el8eap",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8",
"cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"
],
"defaultStatus": "affected",
"packageName": "eap8-undertow",
"product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:2.3.11-1.SP1_redhat_00001.1.el9eap",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:quarkus:2"
],
"defaultStatus": "unaffected",
"packageName": "io.quarkus/quarkus-undertow",
"product": "Red Hat build of Quarkus",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:jboss_data_grid:8"
],
"defaultStatus": "affected",
"packageName": "undertow",
"product": "Red Hat Data Grid 8",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:jboss_enterprise_brms_platform:7"
],
"defaultStatus": "unknown",
"packageName": "undertow",
"product": "Red Hat Decision Manager 7",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:jboss_fuse:7"
],
"defaultStatus": "unknown",
"packageName": "undertow",
"product": "Red Hat Fuse 7",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
"cpes": [
"cpe:/a:redhat:jboss_data_grid:7"
],
"defaultStatus": "unknown",
"packageName": "undertow",
"product": "Red Hat JBoss Data Grid 7",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
"cpes": [
"cpe:/a:redhat:jboss_fuse:6"
],
"defaultStatus": "unknown",
"packageName": "undertow",
"product": "Red Hat JBoss Fuse 6",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:jboss_enterprise_bpms_platform:7"
],
"defaultStatus": "unknown",
"packageName": "undertow",
"product": "Red Hat Process Automation 7",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:red_hat_single_sign_on:7"
],
"defaultStatus": "unknown",
"packageName": "undertow",
"product": "Red Hat Single Sign-On 7",
"vendor": "Red Hat"
}
],
"credits": [
{
"lang": "en",
"value": "Red Hat would like to thank AAIB IT Unix Team for reporting this issue."
}
],
"datePublic": "2024-01-18T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A path traversal vulnerability was found in Undertow. This issue may allow a remote attacker to append a specially-crafted sequence to an HTTP request for an application deployed to JBoss EAP, which may permit access to privileged or restricted files and directories."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Moderate"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-24",
"description": "Path Traversal: \u0027../filedir\u0027",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-14T16:19:16.487Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "RHSA-2024:1674",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2024:1674"
},
{
"name": "RHSA-2024:1675",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2024:1675"
},
{
"name": "RHSA-2024:1676",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2024:1676"
},
{
"name": "RHSA-2024:1677",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2024:1677"
},
{
"name": "RHSA-2024:2763",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2024:2763"
},
{
"name": "RHSA-2024:2764",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2024:2764"
},
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2024-1459"
},
{
"name": "RHBZ#2259475",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2259475"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-01-18T00:00:00+00:00",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2024-01-18T00:00:00+00:00",
"value": "Made public."
}
],
"title": "Undertow: directory traversal vulnerability",
"workarounds": [
{
"lang": "en",
"value": "Mitigation for this issue is either not available or the currently available options don\u0027t meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."
}
],
"x_redhatCweChain": "CWE-24: Path Traversal: \u0027../filedir\u0027"
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2024-1459",
"datePublished": "2024-02-12T20:30:03.768Z",
"dateReserved": "2024-02-12T20:12:13.991Z",
"dateUpdated": "2025-08-14T16:19:16.487Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2014-3577 (GCVE-0-2014-3577)
Vulnerability from cvelistv5
Published
2014-08-21 00:00
Modified
2024-08-06 10:50
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
org.apache.http.conn.ssl.AbstractVerifier in Apache HttpComponents HttpClient before 4.3.5 and HttpAsyncClient before 4.0.2 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a "CN=" string in a field in the distinguished name (DN) of a certificate, as demonstrated by the "foo,CN=www.apache.org" string in the O field.
References
| ► | URL | Tags | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T10:50:17.592Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "RHSA-2014:1891",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2014-1891.html"
},
{
"name": "RHSA-2015:0765",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2015-0765.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://access.redhat.com/solutions/1165533"
},
{
"name": "110143",
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "http://www.osvdb.org/110143"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html"
},
{
"name": "RHSA-2015:0675",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2015-0675.html"
},
{
"name": "60713",
"tags": [
"third-party-advisory",
"x_transferred"
],
"url": "http://secunia.com/advisories/60713"
},
{
"tags": [
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/127913/Apache-HttpComponents-Man-In-The-Middle.html"
},
{
"name": "RHSA-2015:0720",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2015-0720.html"
},
{
"name": "RHSA-2014:1166",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2014-1166.html"
},
{
"name": "RHSA-2015:1888",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2015-1888.html"
},
{
"name": "RHSA-2014:1833",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2014-1833.html"
},
{
"name": "RHSA-2015:0850",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2015-0850.html"
},
{
"name": "RHSA-2015:0158",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2015-0158.html"
},
{
"name": "RHSA-2014:1834",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2014-1834.html"
},
{
"name": "60466",
"tags": [
"third-party-advisory",
"x_transferred"
],
"url": "http://secunia.com/advisories/60466"
},
{
"name": "RHSA-2015:0125",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2015-0125.html"
},
{
"name": "RHSA-2015:1176",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2015-1176.html"
},
{
"name": "RHSA-2016:1931",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2016-1931.html"
},
{
"name": "RHSA-2014:1146",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2014-1146.html"
},
{
"name": "RHSA-2015:1177",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2015-1177.html"
},
{
"name": "69258",
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/69258"
},
{
"name": "RHSA-2014:1892",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2014-1892.html"
},
{
"name": "RHSA-2015:0851",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2015-0851.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05103564"
},
{
"name": "RHSA-2014:1835",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2014-1835.html"
},
{
"name": "1030812",
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "http://www.securitytracker.com/id/1030812"
},
{
"tags": [
"x_transferred"
],
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05363782"
},
{
"name": "USN-2769-1",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://www.ubuntu.com/usn/USN-2769-1"
},
{
"name": "60589",
"tags": [
"third-party-advisory",
"x_transferred"
],
"url": "http://secunia.com/advisories/60589"
},
{
"name": "RHSA-2014:1836",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2014-1836.html"
},
{
"name": "apache-cve20143577-spoofing(95327)",
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/95327"
},
{
"name": "20140818 CVE-2014-3577: Apache HttpComponents client: Hostname verification susceptible to MITM attack",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "http://seclists.org/fulldisclosure/2014/Aug/48"
},
{
"name": "RHSA-2016:1773",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2016-1773.html"
},
{
"name": "[drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E"
},
{
"name": "[drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E"
},
{
"name": "[drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E"
},
{
"name": "[cxf-commits] 20200116 svn commit: r1055336 - in /websites/production/cxf/content: cache/main.pageCache security-advisories.data/CVE-2019-12423.txt.asc security-advisories.data/CVE-2019-17573.txt.asc security-advisories.html",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b96470a0187315c%40%3Ccommits.cxf.apache.org%3E"
},
{
"name": "[cxf-commits] 20200319 svn commit: r1058035 - in /websites/production/cxf/content: cache/main.pageCache security-advisories.data/CVE-2019-17573.txt.asc security-advisories.html",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf%40%3Ccommits.cxf.apache.org%3E"
},
{
"name": "[cxf-commits] 20200401 svn commit: r1058573 - in /websites/production/cxf/content: cache/main.pageCache index.html security-advisories.data/CVE-2020-1954.txt.asc security-advisories.html",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a75738740b244bd4%40%3Ccommits.cxf.apache.org%3E"
},
{
"name": "openSUSE-SU-2020:1873",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00032.html"
},
{
"name": "openSUSE-SU-2020:1875",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00033.html"
},
{
"name": "[cxf-commits] 20201112 svn commit: r1067927 - in /websites/production/cxf/content: cache/main.pageCache security-advisories.data/CVE-2020-13954.txt.asc security-advisories.html",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6%40%3Ccommits.cxf.apache.org%3E"
},
{
"name": "[cxf-commits] 20210402 svn commit: r1073270 - in /websites/production/cxf/content: cache/main.pageCache security-advisories.data/CVE-2021-22696.txt.asc security-advisories.html",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4%40%3Ccommits.cxf.apache.org%3E"
},
{
"name": "[cxf-commits] 20210616 svn commit: r1075801 - in /websites/production/cxf/content: cache/main.pageCache index.html security-advisories.data/CVE-2021-30468.txt.asc security-advisories.html",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e%40%3Ccommits.cxf.apache.org%3E"
},
{
"name": "[oss-security] 20211006 Multiple vulnerabilities in Jenkins and Jenkins plugins",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2021/10/06/1"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20231027-0003/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2014-08-18T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "org.apache.http.conn.ssl.AbstractVerifier in Apache HttpComponents HttpClient before 4.3.5 and HttpAsyncClient before 4.0.2 does not properly verify that the server hostname matches a domain name in the subject\u0027s Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a \"CN=\" string in a field in the distinguished name (DN) of a certificate, as demonstrated by the \"foo,CN=www.apache.org\" string in the O field."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-27T14:07:16.016530",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "RHSA-2014:1891",
"tags": [
"vendor-advisory"
],
"url": "http://rhn.redhat.com/errata/RHSA-2014-1891.html"
},
{
"name": "RHSA-2015:0765",
"tags": [
"vendor-advisory"
],
"url": "http://rhn.redhat.com/errata/RHSA-2015-0765.html"
},
{
"url": "https://access.redhat.com/solutions/1165533"
},
{
"name": "110143",
"tags": [
"vdb-entry"
],
"url": "http://www.osvdb.org/110143"
},
{
"url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html"
},
{
"name": "RHSA-2015:0675",
"tags": [
"vendor-advisory"
],
"url": "http://rhn.redhat.com/errata/RHSA-2015-0675.html"
},
{
"name": "60713",
"tags": [
"third-party-advisory"
],
"url": "http://secunia.com/advisories/60713"
},
{
"url": "http://packetstormsecurity.com/files/127913/Apache-HttpComponents-Man-In-The-Middle.html"
},
{
"name": "RHSA-2015:0720",
"tags": [
"vendor-advisory"
],
"url": "http://rhn.redhat.com/errata/RHSA-2015-0720.html"
},
{
"name": "RHSA-2014:1166",
"tags": [
"vendor-advisory"
],
"url": "http://rhn.redhat.com/errata/RHSA-2014-1166.html"
},
{
"name": "RHSA-2015:1888",
"tags": [
"vendor-advisory"
],
"url": "http://rhn.redhat.com/errata/RHSA-2015-1888.html"
},
{
"name": "RHSA-2014:1833",
"tags": [
"vendor-advisory"
],
"url": "http://rhn.redhat.com/errata/RHSA-2014-1833.html"
},
{
"name": "RHSA-2015:0850",
"tags": [
"vendor-advisory"
],
"url": "http://rhn.redhat.com/errata/RHSA-2015-0850.html"
},
{
"name": "RHSA-2015:0158",
"tags": [
"vendor-advisory"
],
"url": "http://rhn.redhat.com/errata/RHSA-2015-0158.html"
},
{
"name": "RHSA-2014:1834",
"tags": [
"vendor-advisory"
],
"url": "http://rhn.redhat.com/errata/RHSA-2014-1834.html"
},
{
"name": "60466",
"tags": [
"third-party-advisory"
],
"url": "http://secunia.com/advisories/60466"
},
{
"name": "RHSA-2015:0125",
"tags": [
"vendor-advisory"
],
"url": "http://rhn.redhat.com/errata/RHSA-2015-0125.html"
},
{
"name": "RHSA-2015:1176",
"tags": [
"vendor-advisory"
],
"url": "http://rhn.redhat.com/errata/RHSA-2015-1176.html"
},
{
"name": "RHSA-2016:1931",
"tags": [
"vendor-advisory"
],
"url": "http://rhn.redhat.com/errata/RHSA-2016-1931.html"
},
{
"name": "RHSA-2014:1146",
"tags": [
"vendor-advisory"
],
"url": "http://rhn.redhat.com/errata/RHSA-2014-1146.html"
},
{
"name": "RHSA-2015:1177",
"tags": [
"vendor-advisory"
],
"url": "http://rhn.redhat.com/errata/RHSA-2015-1177.html"
},
{
"name": "69258",
"tags": [
"vdb-entry"
],
"url": "http://www.securityfocus.com/bid/69258"
},
{
"name": "RHSA-2014:1892",
"tags": [
"vendor-advisory"
],
"url": "http://rhn.redhat.com/errata/RHSA-2014-1892.html"
},
{
"name": "RHSA-2015:0851",
"tags": [
"vendor-advisory"
],
"url": "http://rhn.redhat.com/errata/RHSA-2015-0851.html"
},
{
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05103564"
},
{
"name": "RHSA-2014:1835",
"tags": [
"vendor-advisory"
],
"url": "http://rhn.redhat.com/errata/RHSA-2014-1835.html"
},
{
"name": "1030812",
"tags": [
"vdb-entry"
],
"url": "http://www.securitytracker.com/id/1030812"
},
{
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05363782"
},
{
"name": "USN-2769-1",
"tags": [
"vendor-advisory"
],
"url": "http://www.ubuntu.com/usn/USN-2769-1"
},
{
"name": "60589",
"tags": [
"third-party-advisory"
],
"url": "http://secunia.com/advisories/60589"
},
{
"name": "RHSA-2014:1836",
"tags": [
"vendor-advisory"
],
"url": "http://rhn.redhat.com/errata/RHSA-2014-1836.html"
},
{
"name": "apache-cve20143577-spoofing(95327)",
"tags": [
"vdb-entry"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/95327"
},
{
"name": "20140818 CVE-2014-3577: Apache HttpComponents client: Hostname verification susceptible to MITM attack",
"tags": [
"mailing-list"
],
"url": "http://seclists.org/fulldisclosure/2014/Aug/48"
},
{
"name": "RHSA-2016:1773",
"tags": [
"vendor-advisory"
],
"url": "http://rhn.redhat.com/errata/RHSA-2016-1773.html"
},
{
"name": "[drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E"
},
{
"name": "[drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E"
},
{
"name": "[drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E"
},
{
"name": "[cxf-commits] 20200116 svn commit: r1055336 - in /websites/production/cxf/content: cache/main.pageCache security-advisories.data/CVE-2019-12423.txt.asc security-advisories.data/CVE-2019-17573.txt.asc security-advisories.html",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b96470a0187315c%40%3Ccommits.cxf.apache.org%3E"
},
{
"name": "[cxf-commits] 20200319 svn commit: r1058035 - in /websites/production/cxf/content: cache/main.pageCache security-advisories.data/CVE-2019-17573.txt.asc security-advisories.html",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf%40%3Ccommits.cxf.apache.org%3E"
},
{
"name": "[cxf-commits] 20200401 svn commit: r1058573 - in /websites/production/cxf/content: cache/main.pageCache index.html security-advisories.data/CVE-2020-1954.txt.asc security-advisories.html",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a75738740b244bd4%40%3Ccommits.cxf.apache.org%3E"
},
{
"name": "openSUSE-SU-2020:1873",
"tags": [
"vendor-advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00032.html"
},
{
"name": "openSUSE-SU-2020:1875",
"tags": [
"vendor-advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00033.html"
},
{
"name": "[cxf-commits] 20201112 svn commit: r1067927 - in /websites/production/cxf/content: cache/main.pageCache security-advisories.data/CVE-2020-13954.txt.asc security-advisories.html",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6%40%3Ccommits.cxf.apache.org%3E"
},
{
"name": "[cxf-commits] 20210402 svn commit: r1073270 - in /websites/production/cxf/content: cache/main.pageCache security-advisories.data/CVE-2021-22696.txt.asc security-advisories.html",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4%40%3Ccommits.cxf.apache.org%3E"
},
{
"name": "[cxf-commits] 20210616 svn commit: r1075801 - in /websites/production/cxf/content: cache/main.pageCache index.html security-advisories.data/CVE-2021-30468.txt.asc security-advisories.html",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e%40%3Ccommits.cxf.apache.org%3E"
},
{
"name": "[oss-security] 20211006 Multiple vulnerabilities in Jenkins and Jenkins plugins",
"tags": [
"mailing-list"
],
"url": "http://www.openwall.com/lists/oss-security/2021/10/06/1"
},
{
"url": "https://security.netapp.com/advisory/ntap-20231027-0003/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2014-3577",
"datePublished": "2014-08-21T00:00:00",
"dateReserved": "2014-05-14T00:00:00",
"dateUpdated": "2024-08-06T10:50:17.592Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2016-0798 (GCVE-0-2016-0798)
Vulnerability from cvelistv5
Published
2016-03-03 00:00
Modified
2024-08-05 22:30
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Memory leak in the SRP_VBASE_get_by_user implementation in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g allows remote attackers to cause a denial of service (memory consumption) by providing an invalid username in a connection attempt, related to apps/s_server.c and crypto/srp/srp_vfy.c.
References
| ► | URL | Tags | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T22:30:05.078Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.openssl.org/?p=openssl.git%3Ba=commit%3Bh=259b664f950c2ba66fbf4b0fe5281327904ead21"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html"
},
{
"name": "openSUSE-SU-2016:0638",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00010.html"
},
{
"name": "FreeBSD-SA-16:12",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://security.FreeBSD.org/advisories/FreeBSD-SA-16:12.openssl.asc"
},
{
"name": "SUSE-SU-2016:0621",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00003.html"
},
{
"name": "USN-2914-1",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://www.ubuntu.com/usn/USN-2914-1"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA40168"
},
{
"tags": [
"x_transferred"
],
"url": "http://openssl.org/news/secadv/20160301.txt"
},
{
"name": "20160302 Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: March 2016",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160302-openssl"
},
{
"name": "83705",
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/83705"
},
{
"name": "DSA-3500",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://www.debian.org/security/2016/dsa-3500"
},
{
"tags": [
"x_transferred"
],
"url": "https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbhf03741en_us"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.openssl.org/news/secadv/20160301.txt"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html"
},
{
"name": "91787",
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/91787"
},
{
"name": "SUSE-SU-2016:0617",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00001.html"
},
{
"name": "GLSA-201603-15",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/201603-15"
},
{
"name": "openSUSE-SU-2016:0628",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00006.html"
},
{
"name": "1035133",
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "http://www.securitytracker.com/id/1035133"
},
{
"name": "SUSE-SU-2016:0620",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00002.html"
},
{
"name": "openSUSE-SU-2016:0637",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00009.html"
},
{
"name": "openSUSE-SU-2016:0627",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00005.html"
},
{
"tags": [
"x_transferred"
],
"url": "http://kb.juniper.net/InfoCenter/index?page=content\u0026id=JSA10759"
},
{
"tags": [
"x_transferred"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-412672.pdf"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2016-03-01T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Memory leak in the SRP_VBASE_get_by_user implementation in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g allows remote attackers to cause a denial of service (memory consumption) by providing an invalid username in a connection attempt, related to apps/s_server.c and crypto/srp/srp_vfy.c."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-12-13T00:00:00",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"url": "https://git.openssl.org/?p=openssl.git%3Ba=commit%3Bh=259b664f950c2ba66fbf4b0fe5281327904ead21"
},
{
"url": "http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html"
},
{
"name": "openSUSE-SU-2016:0638",
"tags": [
"vendor-advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00010.html"
},
{
"name": "FreeBSD-SA-16:12",
"tags": [
"vendor-advisory"
],
"url": "https://security.FreeBSD.org/advisories/FreeBSD-SA-16:12.openssl.asc"
},
{
"name": "SUSE-SU-2016:0621",
"tags": [
"vendor-advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00003.html"
},
{
"name": "USN-2914-1",
"tags": [
"vendor-advisory"
],
"url": "http://www.ubuntu.com/usn/USN-2914-1"
},
{
"url": "http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html"
},
{
"url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA40168"
},
{
"url": "http://openssl.org/news/secadv/20160301.txt"
},
{
"name": "20160302 Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: March 2016",
"tags": [
"vendor-advisory"
],
"url": "http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160302-openssl"
},
{
"name": "83705",
"tags": [
"vdb-entry"
],
"url": "http://www.securityfocus.com/bid/83705"
},
{
"name": "DSA-3500",
"tags": [
"vendor-advisory"
],
"url": "http://www.debian.org/security/2016/dsa-3500"
},
{
"url": "https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbhf03741en_us"
},
{
"url": "https://www.openssl.org/news/secadv/20160301.txt"
},
{
"url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html"
},
{
"name": "91787",
"tags": [
"vdb-entry"
],
"url": "http://www.securityfocus.com/bid/91787"
},
{
"name": "SUSE-SU-2016:0617",
"tags": [
"vendor-advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00001.html"
},
{
"name": "GLSA-201603-15",
"tags": [
"vendor-advisory"
],
"url": "https://security.gentoo.org/glsa/201603-15"
},
{
"name": "openSUSE-SU-2016:0628",
"tags": [
"vendor-advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00006.html"
},
{
"name": "1035133",
"tags": [
"vdb-entry"
],
"url": "http://www.securitytracker.com/id/1035133"
},
{
"name": "SUSE-SU-2016:0620",
"tags": [
"vendor-advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00002.html"
},
{
"name": "openSUSE-SU-2016:0637",
"tags": [
"vendor-advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00009.html"
},
{
"name": "openSUSE-SU-2016:0627",
"tags": [
"vendor-advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00005.html"
},
{
"url": "http://kb.juniper.net/InfoCenter/index?page=content\u0026id=JSA10759"
},
{
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-412672.pdf"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2016-0798",
"datePublished": "2016-03-03T00:00:00",
"dateReserved": "2015-12-16T00:00:00",
"dateUpdated": "2024-08-05T22:30:05.078Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-11612 (GCVE-0-2020-11612)
Vulnerability from cvelistv5
Published
2020-04-07 18:00
Modified
2024-08-04 11:35
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
The ZlibDecoders in Netty 4.1.x before 4.1.46 allow for unbounded memory allocation while decoding a ZlibEncoded byte stream. An attacker could send a large ZlibEncoded byte stream to the Netty server, forcing the server to allocate all of its free memory to a single decoder.
References
| ► | URL | Tags | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T11:35:13.236Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[druid-commits] 20200408 [GitHub] [druid] ccaominh opened a new pull request #9651: Upgrade netty 4 to fix CVE-2020-11612",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r2958e4d49ee046e1e561e44fdc114a0d2285927501880f15852a9b53%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20200409 [GitHub] [druid] jon-wei merged pull request #9651: Upgrade netty 4 to fix CVE-2020-11612",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r3195127e46c87a680b5d1d3733470f83b886bfd3b890c50df718bed1%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20200409 [GitHub] [druid] ccaominh opened a new pull request #9654: [Backport] Upgrade netty 4 to fix CVE-2020-11612 (#9651)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r14446ed58208cb6d97b6faa6ebf145f1cf2c70c0886c0c133f4d3b6f%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20200409 [GitHub] [druid] ccaominh commented on issue #9654: [Backport] Upgrade netty 4 to fix CVE-2020-11612 (#9651)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/ra98e3a8541a09271f96478d5e22c7e3bd1afdf48641c8be25d62d9f9%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20200409 [GitHub] [druid] jon-wei merged pull request #9654: [Backport] Upgrade netty 4 to fix CVE-2020-11612 (#9651)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r8a654f11e1172b0effbfd6f8d5b6ca651ae4ac724a976923c268a42f%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20200409 [druid] branch 0.18.0 updated: Upgrade netty 4 to fix CVE-2020-11612 (#9651) (#9654)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r7836bbdbe95c99d4d725199f0c169927d4e87ba57e4beeeb699c097a%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20200413 [jira] [Updated] (ZOOKEEPER-3794) upgrade netty to address CVE-2020-11612",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r5b1ad61552591b747cd31b3a908d5ff2e8f2a8a6847583dd6b7b1ee7%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20200413 [jira] [Created] (ZOOKEEPER-3794) upgrade netty to address CVE-2020-11612",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r88e2b91560c065ed67e62adf8f401c417e4d70256d11ea447215a70c%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-dev] 20200413 [jira] [Created] (ZOOKEEPER-3794) upgrade netty to address CVE-2020-11612",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rfd173eac20d5e5f581c8984b685c836dafea8eb2f7ff85f617704cf1%40%3Cdev.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20200413 [GitHub] [zookeeper] phunt opened a new pull request #1319: ZOOKEEPER-3794: upgrade netty to address CVE-2020-11612",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/ref2c8a0cbb3b8271e5b9a06457ba78ad2028128627186531730f50ef%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20200413 [jira] [Assigned] (ZOOKEEPER-3794) upgrade netty to address CVE-2020-11612",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r255ed239e65d0596812362adc474bee96caf7ba042c7ad2f3c62cec7%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20200414 [GitHub] [zookeeper] eolivelli commented on issue #1319: ZOOKEEPER-3794: upgrade netty to address CVE-2020-11612",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rf803b65b4a57589d79cf2e83d8ece0539018d32864f932f63c972844%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20200414 [GitHub] [zookeeper] phunt commented on issue #1319: ZOOKEEPER-3794: upgrade netty to address CVE-2020-11612",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rd302ddb501fa02c5119120e5fc21df9a1c00e221c490edbe2d7ad365%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20200415 [jira] [Resolved] (ZOOKEEPER-3794) upgrade netty to address CVE-2020-11612",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/re1ea144e91f03175d661b2d3e97c7d74b912e019613fa90419cf63f4%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-commits] 20200415 [zookeeper] branch branch-3.6 updated: ZOOKEEPER-3794: upgrade netty to address CVE-2020-11612",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r866288c2ada00ce148b7307cdf869f15f24302b3eb2128af33830997%40%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-commits] 20200415 [zookeeper] branch release-3.6.1 updated: ZOOKEEPER-3794: upgrade netty to address CVE-2020-11612",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rff8859c0d06b1688344b39097f9685c43b461cf2bc41f60f001704e9%40%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20200415 [GitHub] [zookeeper] eolivelli closed pull request #1319: ZOOKEEPER-3794: upgrade netty to address CVE-2020-11612",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r4a7e4e23bd84ac24abf30ab5d5edf989c02b555e1eca6a2f28636692%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-commits] 20200415 [zookeeper] branch branch-3.5 updated: ZOOKEEPER-3794: upgrade netty to address CVE-2020-11612",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r9c30b7fca4baedebcb46d6e0f90071b30cc4a0e074164d50122ec5ec%40%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-commits] 20200415 [zookeeper] branch master updated: ZOOKEEPER-3794: upgrade netty to address CVE-2020-11612",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r281882fdf9ea89aac02fd2f92786693a956aac2ce9840cce87c7df6b%40%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20200415 Build failed in Jenkins: zookeeper-master-maven-jdk12 #465",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r5030cd8ea5df1e64cf6a7b633eff145992fbca03e8bfc687cd2427ab%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20200415 Build failed in Jenkins: zookeeper-branch36-java8 #137",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r3ea4918d20d0c1fa26cac74cc7cda001d8990bc43473d062867ef70d%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[pulsar-commits] 20200416 [GitHub] [pulsar] massakam opened a new pull request #6746: [build] Bump netty version to 4.1.48.Final",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/ref3943adbc3a8813aee0e3a9dd919bacbb27f626be030a3c6d6c7f83%40%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[zookeeper-commits] 20200504 [zookeeper] branch master updated: ZOOKEEPER-3794: upgrade netty to address CVE-2020-11612 - fixed file rename typo",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r9addb580456807cd11d6f0c6b6373b7d7161d06d2278866c30c7febb%40%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20200504 Build failed in Jenkins: zookeeper-master-maven #784",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r4f4a14d6a608db447b725ec2e96c26ac9664d83cd879aa21e2cfeb24%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20200504 Build failed in Jenkins: zookeeper-master-maven-owasp #489",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r7641ee788e1eb1be4bb206a7d15f8a64ec6ef23e5ec6132d5a567695%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-commits] 20200504 [zookeeper] branch branch-3.6 updated: ZOOKEEPER-3794: upgrade netty to address CVE-2020-11612 - fixed file rename typo",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rf9f8bcc4ca8d2788f77455ff594468404732a4497baebe319043f4d5%40%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20200504 Build failed in Jenkins: zookeeper-master-maven-jdk12 #490",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r5a0b1f0b1c3bcd66f5177fbd6f6de2d0f8cae24a13ab2669f274251a%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-commits] 20200504 [zookeeper] branch branch-3.5 updated: ZOOKEEPER-3794: upgrade netty to address CVE-2020-11612 - fixed file rename typo",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r69b23a94d4ae45394cabae012dd1f4a963996869c44c478eb1c61082%40%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[debian-lts-announce] 20200904 [SECURITY] [DLA 2364-1] netty security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/09/msg00003.html"
},
{
"name": "[flink-issues] 20200910 [jira] [Created] (FLINK-19195) question on security vulnerabilities in flink",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/raaac04b7567c554786132144bea3dcb72568edd410c1e6f0101742e7%40%3Cissues.flink.apache.org%3E"
},
{
"name": "[flink-dev] 20200910 [jira] [Created] (FLINK-19195) question on security vulnerabilities in flink",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rf5b2dfb7401666a19915f8eaef3ba9f5c3386e2066fcd2ae66e16a2f%40%3Cdev.flink.apache.org%3E"
},
{
"name": "FEDORA-2020-66b5f85ccc",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TS6VX7OMXPDJIU5LRGUAHRK6MENAVJ46/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujan2021.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/netty/netty/issues/6168"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/netty/netty/pull/9924"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/netty/netty/compare/netty-4.1.45.Final...netty-4.1.46.Final"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r31424427cc6d7db46beac481bdeed9a823fc20bb1b9deede38557f71%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20201223-0001/"
},
{
"name": "[pulsar-commits] 20210120 [GitHub] [pulsar] fmiguelez opened a new issue #9249: Upgrade Netty dependency in broker to solve vulnerabilities: CVE-2019-16869, CVE-2020-11612, CVE-2019-20445, CVE-2019-20444",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r832724df393a7ef25ca4c7c2eb83ad2d6c21c74569acda5233f9f1ec%40%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[pulsar-commits] 20210121 [GitHub] [pulsar] hpvd commented on issue #9249: Upgrade Netty dependency in broker to solve vulnerabilities: CVE-2019-16869, CVE-2020-11612, CVE-2019-20445, CVE-2019-20444",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r7790b9d99696d9eddce8a8c96f13bb68460984294ea6fea3800143e4%40%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[pulsar-commits] 20210122 [GitHub] [pulsar] hpvd commented on issue #9249: Upgrade Netty dependency in broker to solve vulnerabilities: CVE-2019-16869, CVE-2020-11612, CVE-2019-20445, CVE-2019-20444",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rdb69125652311d0c41f6066ff44072a3642cf33a4b5e3c4f9c1ec9c2%40%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "DSA-4885",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2021/dsa-4885"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The ZlibDecoders in Netty 4.1.x before 4.1.46 allow for unbounded memory allocation while decoding a ZlibEncoded byte stream. An attacker could send a large ZlibEncoded byte stream to the Netty server, forcing the server to allocate all of its free memory to a single decoder."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-04-19T23:21:05",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "[druid-commits] 20200408 [GitHub] [druid] ccaominh opened a new pull request #9651: Upgrade netty 4 to fix CVE-2020-11612",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r2958e4d49ee046e1e561e44fdc114a0d2285927501880f15852a9b53%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20200409 [GitHub] [druid] jon-wei merged pull request #9651: Upgrade netty 4 to fix CVE-2020-11612",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r3195127e46c87a680b5d1d3733470f83b886bfd3b890c50df718bed1%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20200409 [GitHub] [druid] ccaominh opened a new pull request #9654: [Backport] Upgrade netty 4 to fix CVE-2020-11612 (#9651)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r14446ed58208cb6d97b6faa6ebf145f1cf2c70c0886c0c133f4d3b6f%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20200409 [GitHub] [druid] ccaominh commented on issue #9654: [Backport] Upgrade netty 4 to fix CVE-2020-11612 (#9651)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/ra98e3a8541a09271f96478d5e22c7e3bd1afdf48641c8be25d62d9f9%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20200409 [GitHub] [druid] jon-wei merged pull request #9654: [Backport] Upgrade netty 4 to fix CVE-2020-11612 (#9651)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r8a654f11e1172b0effbfd6f8d5b6ca651ae4ac724a976923c268a42f%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20200409 [druid] branch 0.18.0 updated: Upgrade netty 4 to fix CVE-2020-11612 (#9651) (#9654)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r7836bbdbe95c99d4d725199f0c169927d4e87ba57e4beeeb699c097a%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20200413 [jira] [Updated] (ZOOKEEPER-3794) upgrade netty to address CVE-2020-11612",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r5b1ad61552591b747cd31b3a908d5ff2e8f2a8a6847583dd6b7b1ee7%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20200413 [jira] [Created] (ZOOKEEPER-3794) upgrade netty to address CVE-2020-11612",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r88e2b91560c065ed67e62adf8f401c417e4d70256d11ea447215a70c%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-dev] 20200413 [jira] [Created] (ZOOKEEPER-3794) upgrade netty to address CVE-2020-11612",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rfd173eac20d5e5f581c8984b685c836dafea8eb2f7ff85f617704cf1%40%3Cdev.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20200413 [GitHub] [zookeeper] phunt opened a new pull request #1319: ZOOKEEPER-3794: upgrade netty to address CVE-2020-11612",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/ref2c8a0cbb3b8271e5b9a06457ba78ad2028128627186531730f50ef%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20200413 [jira] [Assigned] (ZOOKEEPER-3794) upgrade netty to address CVE-2020-11612",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r255ed239e65d0596812362adc474bee96caf7ba042c7ad2f3c62cec7%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20200414 [GitHub] [zookeeper] eolivelli commented on issue #1319: ZOOKEEPER-3794: upgrade netty to address CVE-2020-11612",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rf803b65b4a57589d79cf2e83d8ece0539018d32864f932f63c972844%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20200414 [GitHub] [zookeeper] phunt commented on issue #1319: ZOOKEEPER-3794: upgrade netty to address CVE-2020-11612",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rd302ddb501fa02c5119120e5fc21df9a1c00e221c490edbe2d7ad365%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20200415 [jira] [Resolved] (ZOOKEEPER-3794) upgrade netty to address CVE-2020-11612",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/re1ea144e91f03175d661b2d3e97c7d74b912e019613fa90419cf63f4%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-commits] 20200415 [zookeeper] branch branch-3.6 updated: ZOOKEEPER-3794: upgrade netty to address CVE-2020-11612",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r866288c2ada00ce148b7307cdf869f15f24302b3eb2128af33830997%40%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-commits] 20200415 [zookeeper] branch release-3.6.1 updated: ZOOKEEPER-3794: upgrade netty to address CVE-2020-11612",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rff8859c0d06b1688344b39097f9685c43b461cf2bc41f60f001704e9%40%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20200415 [GitHub] [zookeeper] eolivelli closed pull request #1319: ZOOKEEPER-3794: upgrade netty to address CVE-2020-11612",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r4a7e4e23bd84ac24abf30ab5d5edf989c02b555e1eca6a2f28636692%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-commits] 20200415 [zookeeper] branch branch-3.5 updated: ZOOKEEPER-3794: upgrade netty to address CVE-2020-11612",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r9c30b7fca4baedebcb46d6e0f90071b30cc4a0e074164d50122ec5ec%40%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-commits] 20200415 [zookeeper] branch master updated: ZOOKEEPER-3794: upgrade netty to address CVE-2020-11612",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r281882fdf9ea89aac02fd2f92786693a956aac2ce9840cce87c7df6b%40%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20200415 Build failed in Jenkins: zookeeper-master-maven-jdk12 #465",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r5030cd8ea5df1e64cf6a7b633eff145992fbca03e8bfc687cd2427ab%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20200415 Build failed in Jenkins: zookeeper-branch36-java8 #137",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r3ea4918d20d0c1fa26cac74cc7cda001d8990bc43473d062867ef70d%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[pulsar-commits] 20200416 [GitHub] [pulsar] massakam opened a new pull request #6746: [build] Bump netty version to 4.1.48.Final",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/ref3943adbc3a8813aee0e3a9dd919bacbb27f626be030a3c6d6c7f83%40%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[zookeeper-commits] 20200504 [zookeeper] branch master updated: ZOOKEEPER-3794: upgrade netty to address CVE-2020-11612 - fixed file rename typo",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r9addb580456807cd11d6f0c6b6373b7d7161d06d2278866c30c7febb%40%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20200504 Build failed in Jenkins: zookeeper-master-maven #784",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r4f4a14d6a608db447b725ec2e96c26ac9664d83cd879aa21e2cfeb24%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20200504 Build failed in Jenkins: zookeeper-master-maven-owasp #489",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r7641ee788e1eb1be4bb206a7d15f8a64ec6ef23e5ec6132d5a567695%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-commits] 20200504 [zookeeper] branch branch-3.6 updated: ZOOKEEPER-3794: upgrade netty to address CVE-2020-11612 - fixed file rename typo",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rf9f8bcc4ca8d2788f77455ff594468404732a4497baebe319043f4d5%40%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20200504 Build failed in Jenkins: zookeeper-master-maven-jdk12 #490",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r5a0b1f0b1c3bcd66f5177fbd6f6de2d0f8cae24a13ab2669f274251a%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-commits] 20200504 [zookeeper] branch branch-3.5 updated: ZOOKEEPER-3794: upgrade netty to address CVE-2020-11612 - fixed file rename typo",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r69b23a94d4ae45394cabae012dd1f4a963996869c44c478eb1c61082%40%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[debian-lts-announce] 20200904 [SECURITY] [DLA 2364-1] netty security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/09/msg00003.html"
},
{
"name": "[flink-issues] 20200910 [jira] [Created] (FLINK-19195) question on security vulnerabilities in flink",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/raaac04b7567c554786132144bea3dcb72568edd410c1e6f0101742e7%40%3Cissues.flink.apache.org%3E"
},
{
"name": "[flink-dev] 20200910 [jira] [Created] (FLINK-19195) question on security vulnerabilities in flink",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rf5b2dfb7401666a19915f8eaef3ba9f5c3386e2066fcd2ae66e16a2f%40%3Cdev.flink.apache.org%3E"
},
{
"name": "FEDORA-2020-66b5f85ccc",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TS6VX7OMXPDJIU5LRGUAHRK6MENAVJ46/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujan2021.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/netty/netty/issues/6168"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/netty/netty/pull/9924"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/netty/netty/compare/netty-4.1.45.Final...netty-4.1.46.Final"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread.html/r31424427cc6d7db46beac481bdeed9a823fc20bb1b9deede38557f71%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20201223-0001/"
},
{
"name": "[pulsar-commits] 20210120 [GitHub] [pulsar] fmiguelez opened a new issue #9249: Upgrade Netty dependency in broker to solve vulnerabilities: CVE-2019-16869, CVE-2020-11612, CVE-2019-20445, CVE-2019-20444",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r832724df393a7ef25ca4c7c2eb83ad2d6c21c74569acda5233f9f1ec%40%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[pulsar-commits] 20210121 [GitHub] [pulsar] hpvd commented on issue #9249: Upgrade Netty dependency in broker to solve vulnerabilities: CVE-2019-16869, CVE-2020-11612, CVE-2019-20445, CVE-2019-20444",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r7790b9d99696d9eddce8a8c96f13bb68460984294ea6fea3800143e4%40%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[pulsar-commits] 20210122 [GitHub] [pulsar] hpvd commented on issue #9249: Upgrade Netty dependency in broker to solve vulnerabilities: CVE-2019-16869, CVE-2020-11612, CVE-2019-20445, CVE-2019-20444",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rdb69125652311d0c41f6066ff44072a3642cf33a4b5e3c4f9c1ec9c2%40%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "DSA-4885",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2021/dsa-4885"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-11612",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The ZlibDecoders in Netty 4.1.x before 4.1.46 allow for unbounded memory allocation while decoding a ZlibEncoded byte stream. An attacker could send a large ZlibEncoded byte stream to the Netty server, forcing the server to allocate all of its free memory to a single decoder."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[druid-commits] 20200408 [GitHub] [druid] ccaominh opened a new pull request #9651: Upgrade netty 4 to fix CVE-2020-11612",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r2958e4d49ee046e1e561e44fdc114a0d2285927501880f15852a9b53@%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20200409 [GitHub] [druid] jon-wei merged pull request #9651: Upgrade netty 4 to fix CVE-2020-11612",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r3195127e46c87a680b5d1d3733470f83b886bfd3b890c50df718bed1@%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20200409 [GitHub] [druid] ccaominh opened a new pull request #9654: [Backport] Upgrade netty 4 to fix CVE-2020-11612 (#9651)",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r14446ed58208cb6d97b6faa6ebf145f1cf2c70c0886c0c133f4d3b6f@%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20200409 [GitHub] [druid] ccaominh commented on issue #9654: [Backport] Upgrade netty 4 to fix CVE-2020-11612 (#9651)",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/ra98e3a8541a09271f96478d5e22c7e3bd1afdf48641c8be25d62d9f9@%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20200409 [GitHub] [druid] jon-wei merged pull request #9654: [Backport] Upgrade netty 4 to fix CVE-2020-11612 (#9651)",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r8a654f11e1172b0effbfd6f8d5b6ca651ae4ac724a976923c268a42f@%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20200409 [druid] branch 0.18.0 updated: Upgrade netty 4 to fix CVE-2020-11612 (#9651) (#9654)",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r7836bbdbe95c99d4d725199f0c169927d4e87ba57e4beeeb699c097a@%3Ccommits.druid.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20200413 [jira] [Updated] (ZOOKEEPER-3794) upgrade netty to address CVE-2020-11612",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r5b1ad61552591b747cd31b3a908d5ff2e8f2a8a6847583dd6b7b1ee7@%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20200413 [jira] [Created] (ZOOKEEPER-3794) upgrade netty to address CVE-2020-11612",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r88e2b91560c065ed67e62adf8f401c417e4d70256d11ea447215a70c@%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-dev] 20200413 [jira] [Created] (ZOOKEEPER-3794) upgrade netty to address CVE-2020-11612",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rfd173eac20d5e5f581c8984b685c836dafea8eb2f7ff85f617704cf1@%3Cdev.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20200413 [GitHub] [zookeeper] phunt opened a new pull request #1319: ZOOKEEPER-3794: upgrade netty to address CVE-2020-11612",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/ref2c8a0cbb3b8271e5b9a06457ba78ad2028128627186531730f50ef@%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20200413 [jira] [Assigned] (ZOOKEEPER-3794) upgrade netty to address CVE-2020-11612",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r255ed239e65d0596812362adc474bee96caf7ba042c7ad2f3c62cec7@%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20200414 [GitHub] [zookeeper] eolivelli commented on issue #1319: ZOOKEEPER-3794: upgrade netty to address CVE-2020-11612",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rf803b65b4a57589d79cf2e83d8ece0539018d32864f932f63c972844@%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20200414 [GitHub] [zookeeper] phunt commented on issue #1319: ZOOKEEPER-3794: upgrade netty to address CVE-2020-11612",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rd302ddb501fa02c5119120e5fc21df9a1c00e221c490edbe2d7ad365@%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20200415 [jira] [Resolved] (ZOOKEEPER-3794) upgrade netty to address CVE-2020-11612",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/re1ea144e91f03175d661b2d3e97c7d74b912e019613fa90419cf63f4@%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-commits] 20200415 [zookeeper] branch branch-3.6 updated: ZOOKEEPER-3794: upgrade netty to address CVE-2020-11612",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r866288c2ada00ce148b7307cdf869f15f24302b3eb2128af33830997@%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-commits] 20200415 [zookeeper] branch release-3.6.1 updated: ZOOKEEPER-3794: upgrade netty to address CVE-2020-11612",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rff8859c0d06b1688344b39097f9685c43b461cf2bc41f60f001704e9@%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20200415 [GitHub] [zookeeper] eolivelli closed pull request #1319: ZOOKEEPER-3794: upgrade netty to address CVE-2020-11612",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r4a7e4e23bd84ac24abf30ab5d5edf989c02b555e1eca6a2f28636692@%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-commits] 20200415 [zookeeper] branch branch-3.5 updated: ZOOKEEPER-3794: upgrade netty to address CVE-2020-11612",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r9c30b7fca4baedebcb46d6e0f90071b30cc4a0e074164d50122ec5ec@%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-commits] 20200415 [zookeeper] branch master updated: ZOOKEEPER-3794: upgrade netty to address CVE-2020-11612",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r281882fdf9ea89aac02fd2f92786693a956aac2ce9840cce87c7df6b@%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20200415 Build failed in Jenkins: zookeeper-master-maven-jdk12 #465",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r5030cd8ea5df1e64cf6a7b633eff145992fbca03e8bfc687cd2427ab@%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20200415 Build failed in Jenkins: zookeeper-branch36-java8 #137",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r3ea4918d20d0c1fa26cac74cc7cda001d8990bc43473d062867ef70d@%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[pulsar-commits] 20200416 [GitHub] [pulsar] massakam opened a new pull request #6746: [build] Bump netty version to 4.1.48.Final",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/ref3943adbc3a8813aee0e3a9dd919bacbb27f626be030a3c6d6c7f83@%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[zookeeper-commits] 20200504 [zookeeper] branch master updated: ZOOKEEPER-3794: upgrade netty to address CVE-2020-11612 - fixed file rename typo",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r9addb580456807cd11d6f0c6b6373b7d7161d06d2278866c30c7febb@%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20200504 Build failed in Jenkins: zookeeper-master-maven #784",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r4f4a14d6a608db447b725ec2e96c26ac9664d83cd879aa21e2cfeb24@%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20200504 Build failed in Jenkins: zookeeper-master-maven-owasp #489",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r7641ee788e1eb1be4bb206a7d15f8a64ec6ef23e5ec6132d5a567695@%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-commits] 20200504 [zookeeper] branch branch-3.6 updated: ZOOKEEPER-3794: upgrade netty to address CVE-2020-11612 - fixed file rename typo",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rf9f8bcc4ca8d2788f77455ff594468404732a4497baebe319043f4d5@%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20200504 Build failed in Jenkins: zookeeper-master-maven-jdk12 #490",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r5a0b1f0b1c3bcd66f5177fbd6f6de2d0f8cae24a13ab2669f274251a@%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-commits] 20200504 [zookeeper] branch branch-3.5 updated: ZOOKEEPER-3794: upgrade netty to address CVE-2020-11612 - fixed file rename typo",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r69b23a94d4ae45394cabae012dd1f4a963996869c44c478eb1c61082@%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[debian-lts-announce] 20200904 [SECURITY] [DLA 2364-1] netty security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2020/09/msg00003.html"
},
{
"name": "[flink-issues] 20200910 [jira] [Created] (FLINK-19195) question on security vulnerabilities in flink",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/raaac04b7567c554786132144bea3dcb72568edd410c1e6f0101742e7@%3Cissues.flink.apache.org%3E"
},
{
"name": "[flink-dev] 20200910 [jira] [Created] (FLINK-19195) question on security vulnerabilities in flink",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rf5b2dfb7401666a19915f8eaef3ba9f5c3386e2066fcd2ae66e16a2f@%3Cdev.flink.apache.org%3E"
},
{
"name": "FEDORA-2020-66b5f85ccc",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TS6VX7OMXPDJIU5LRGUAHRK6MENAVJ46/"
},
{
"name": "https://www.oracle.com/security-alerts/cpujan2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujan2021.html"
},
{
"name": "https://github.com/netty/netty/issues/6168",
"refsource": "MISC",
"url": "https://github.com/netty/netty/issues/6168"
},
{
"name": "https://github.com/netty/netty/pull/9924",
"refsource": "MISC",
"url": "https://github.com/netty/netty/pull/9924"
},
{
"name": "https://github.com/netty/netty/compare/netty-4.1.45.Final...netty-4.1.46.Final",
"refsource": "MISC",
"url": "https://github.com/netty/netty/compare/netty-4.1.45.Final...netty-4.1.46.Final"
},
{
"name": "https://lists.apache.org/thread.html/r31424427cc6d7db46beac481bdeed9a823fc20bb1b9deede38557f71@%3Cnotifications.zookeeper.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/r31424427cc6d7db46beac481bdeed9a823fc20bb1b9deede38557f71@%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "https://security.netapp.com/advisory/ntap-20201223-0001/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20201223-0001/"
},
{
"name": "[pulsar-commits] 20210120 [GitHub] [pulsar] fmiguelez opened a new issue #9249: Upgrade Netty dependency in broker to solve vulnerabilities: CVE-2019-16869, CVE-2020-11612, CVE-2019-20445, CVE-2019-20444",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r832724df393a7ef25ca4c7c2eb83ad2d6c21c74569acda5233f9f1ec@%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[pulsar-commits] 20210121 [GitHub] [pulsar] hpvd commented on issue #9249: Upgrade Netty dependency in broker to solve vulnerabilities: CVE-2019-16869, CVE-2020-11612, CVE-2019-20445, CVE-2019-20444",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r7790b9d99696d9eddce8a8c96f13bb68460984294ea6fea3800143e4@%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[pulsar-commits] 20210122 [GitHub] [pulsar] hpvd commented on issue #9249: Upgrade Netty dependency in broker to solve vulnerabilities: CVE-2019-16869, CVE-2020-11612, CVE-2019-20445, CVE-2019-20444",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rdb69125652311d0c41f6066ff44072a3642cf33a4b5e3c4f9c1ec9c2@%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "DSA-4885",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2021/dsa-4885"
},
{
"name": "https://www.oracle.com/security-alerts/cpuApr2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"name": "https://www.oracle.com//security-alerts/cpujul2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpuapr2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-11612",
"datePublished": "2020-04-07T18:00:34",
"dateReserved": "2020-04-07T00:00:00",
"dateUpdated": "2024-08-04T11:35:13.236Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-37137 (GCVE-0-2021-37137)
Vulnerability from cvelistv5
Published
2021-10-19 00:00
Modified
2024-08-04 01:16
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
The Snappy frame decoder function doesn't restrict the chunk length which may lead to excessive memory usage. Beside this it also may buffer reserved skippable chunks until the whole chunk was received which may lead to excessive memory usage as well. This vulnerability can be triggered by supplying malicious input that decompresses to a very big size (via a network stream or a file) or by sending a huge skippable chunk.
References
| ► | URL | Tags | |||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| The Netty project | Netty |
Version: unspecified < 4.1.68Final |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T01:16:02.953Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/netty/netty/security/advisories/GHSA-9vjp-v76f-g363"
},
{
"name": "[tinkerpop-dev] 20211025 [jira] [Created] (TINKERPOP-2632) Netty 4.1.61 flagged with two high severity security violations",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rfb2bf8597e53364ccab212fbcbb2a4e9f0a9e1429b1dc08023c6868e%40%3Cdev.tinkerpop.apache.org%3E"
},
{
"name": "[druid-commits] 20211025 [GitHub] [druid] jihoonson opened a new pull request #11844: Bump netty4 to 4.1.68; suppress CVE-2021-37136 and CVE-2021-37137 for netty3",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r75490c61c2cb7b6ae2c81238fd52ae13636c60435abcd732d41531a0%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20211025 [GitHub] [druid] jihoonson commented on pull request #11844: Bump netty4 to 4.1.68; suppress CVE-2021-37136 and CVE-2021-37137 for netty3",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r5406eaf3b07577d233b9f07cfc8f26e28369e6bab5edfcab41f28abb%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20211025 [GitHub] [druid] a2l007 commented on pull request #11844: Bump netty4 to 4.1.68; suppress CVE-2021-37136 and CVE-2021-37137 for netty3",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r5e05eba32476c580412f9fbdfc9b8782d5b40558018ac4ac07192a04%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20211026 [GitHub] [druid] clintropolis merged pull request #11844: Bump netty4 to 4.1.68; suppress CVE-2021-37136 and CVE-2021-37137 for netty3",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r06a145c9bd41a7344da242cef07977b24abe3349161ede948e30913d%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20211026 [GitHub] [druid] jihoonson commented on pull request #11844: Bump netty4 to 4.1.68; suppress CVE-2021-37136 and CVE-2021-37137 for netty3",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rd262f59b1586a108e320e5c966feeafbb1b8cdc96965debc7cc10b16%40%3Ccommits.druid.apache.org%3E"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20220210-0012/"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
},
{
"name": "[debian-lts-announce] 20230111 [SECURITY] [DLA 3268-1] netty security update",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00008.html"
},
{
"name": "DSA-5316",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://www.debian.org/security/2023/dsa-5316"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Netty",
"vendor": "The Netty project",
"versions": [
{
"lessThan": "4.1.68Final",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The Snappy frame decoder function doesn\u0027t restrict the chunk length which may lead to excessive memory usage. Beside this it also may buffer reserved skippable chunks until the whole chunk was received which may lead to excessive memory usage as well. This vulnerability can be triggered by supplying malicious input that decompresses to a very big size (via a network stream or a file) or by sending a huge skippable chunk."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-01-12T00:00:00",
"orgId": "48a46f29-ae42-4e1d-90dd-c1676c1e5e6d",
"shortName": "JFROG"
},
"references": [
{
"url": "https://github.com/netty/netty/security/advisories/GHSA-9vjp-v76f-g363"
},
{
"name": "[tinkerpop-dev] 20211025 [jira] [Created] (TINKERPOP-2632) Netty 4.1.61 flagged with two high severity security violations",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/rfb2bf8597e53364ccab212fbcbb2a4e9f0a9e1429b1dc08023c6868e%40%3Cdev.tinkerpop.apache.org%3E"
},
{
"name": "[druid-commits] 20211025 [GitHub] [druid] jihoonson opened a new pull request #11844: Bump netty4 to 4.1.68; suppress CVE-2021-37136 and CVE-2021-37137 for netty3",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r75490c61c2cb7b6ae2c81238fd52ae13636c60435abcd732d41531a0%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20211025 [GitHub] [druid] jihoonson commented on pull request #11844: Bump netty4 to 4.1.68; suppress CVE-2021-37136 and CVE-2021-37137 for netty3",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r5406eaf3b07577d233b9f07cfc8f26e28369e6bab5edfcab41f28abb%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20211025 [GitHub] [druid] a2l007 commented on pull request #11844: Bump netty4 to 4.1.68; suppress CVE-2021-37136 and CVE-2021-37137 for netty3",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r5e05eba32476c580412f9fbdfc9b8782d5b40558018ac4ac07192a04%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20211026 [GitHub] [druid] clintropolis merged pull request #11844: Bump netty4 to 4.1.68; suppress CVE-2021-37136 and CVE-2021-37137 for netty3",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r06a145c9bd41a7344da242cef07977b24abe3349161ede948e30913d%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20211026 [GitHub] [druid] jihoonson commented on pull request #11844: Bump netty4 to 4.1.68; suppress CVE-2021-37136 and CVE-2021-37137 for netty3",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/rd262f59b1586a108e320e5c966feeafbb1b8cdc96965debc7cc10b16%40%3Ccommits.druid.apache.org%3E"
},
{
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"url": "https://security.netapp.com/advisory/ntap-20220210-0012/"
},
{
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
},
{
"name": "[debian-lts-announce] 20230111 [SECURITY] [DLA 3268-1] netty security update",
"tags": [
"mailing-list"
],
"url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00008.html"
},
{
"name": "DSA-5316",
"tags": [
"vendor-advisory"
],
"url": "https://www.debian.org/security/2023/dsa-5316"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "48a46f29-ae42-4e1d-90dd-c1676c1e5e6d",
"assignerShortName": "JFROG",
"cveId": "CVE-2021-37137",
"datePublished": "2021-10-19T00:00:00",
"dateReserved": "2021-07-20T00:00:00",
"dateUpdated": "2024-08-04T01:16:02.953Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-3597 (GCVE-0-2021-3597)
Vulnerability from cvelistv5
Published
2022-05-24 18:19
Modified
2024-08-03 17:01
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
A flaw was found in undertow. The HTTP2SourceChannel fails to write the final frame under some circumstances, resulting in a denial of service. The highest threat from this vulnerability is availability. This flaw affects Undertow versions prior to 2.0.35.SP1, prior to 2.2.6.SP1, prior to 2.2.7.SP1, prior to 2.0.36.SP1, prior to 2.2.9.Final and prior to 2.0.39.Final.
References
| ► | URL | Tags | ||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T17:01:07.706Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1970930"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20220804-0003/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "undertow",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "undertow 2.0.35.SP1, undertow 2.2.6.SP1, undertow 2.2.7.SP1, undertow 2.0.36.SP1, undertow 2.2.9.Final, undertow 2.0.39.Final"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in undertow. The HTTP2SourceChannel fails to write the final frame under some circumstances, resulting in a denial of service. The highest threat from this vulnerability is availability. This flaw affects Undertow versions prior to 2.0.35.SP1, prior to 2.2.6.SP1, prior to 2.2.7.SP1, prior to 2.0.36.SP1, prior to 2.2.9.Final and prior to 2.0.39.Final."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-362",
"description": "CWE-362",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-08-04T17:06:48",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1970930"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20220804-0003/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2021-3597",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "undertow",
"version": {
"version_data": [
{
"version_value": "undertow 2.0.35.SP1, undertow 2.2.6.SP1, undertow 2.2.7.SP1, undertow 2.0.36.SP1, undertow 2.2.9.Final, undertow 2.0.39.Final"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A flaw was found in undertow. The HTTP2SourceChannel fails to write the final frame under some circumstances, resulting in a denial of service. The highest threat from this vulnerability is availability. This flaw affects Undertow versions prior to 2.0.35.SP1, prior to 2.2.6.SP1, prior to 2.2.7.SP1, prior to 2.0.36.SP1, prior to 2.2.9.Final and prior to 2.0.39.Final."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-362"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=1970930",
"refsource": "MISC",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1970930"
},
{
"name": "https://security.netapp.com/advisory/ntap-20220804-0003/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20220804-0003/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2021-3597",
"datePublished": "2022-05-24T18:19:11",
"dateReserved": "2021-06-11T00:00:00",
"dateUpdated": "2024-08-03T17:01:07.706Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-34462 (GCVE-0-2023-34462)
Vulnerability from cvelistv5
Published
2023-06-22 23:00
Modified
2025-02-13 16:55
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-400 - Uncontrolled Resource Consumption
Summary
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. The `SniHandler` can allocate up to 16MB of heap for each channel during the TLS handshake. When the handler or the channel does not have an idle timeout, it can be used to make a TCP server using the `SniHandler` to allocate 16MB of heap. The `SniHandler` class is a handler that waits for the TLS handshake to configure a `SslHandler` according to the indicated server name by the `ClientHello` record. For this matter it allocates a `ByteBuf` using the value defined in the `ClientHello` record. Normally the value of the packet should be smaller than the handshake packet but there are not checks done here and the way the code is written, it is possible to craft a packet that makes the `SslClientHelloHandler`. This vulnerability has been fixed in version 4.1.94.Final.
References
| ► | URL | Tags | |||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-34462",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-16T18:36:13.070529Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-16T18:36:18.892Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T16:10:07.000Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/netty/netty/security/advisories/GHSA-6mjq-h674-j845",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/netty/netty/security/advisories/GHSA-6mjq-h674-j845"
},
{
"name": "https://github.com/netty/netty/commit/535da17e45201ae4278c0479e6162bb4127d4c32",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/netty/netty/commit/535da17e45201ae4278c0479e6162bb4127d4c32"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20230803-0001/"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.debian.org/security/2023/dsa-5558"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20240621-0007/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "netty",
"vendor": "netty",
"versions": [
{
"status": "affected",
"version": "\u003c 4.1.94.Final"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers \u0026 clients. The `SniHandler` can allocate up to 16MB of heap for each channel during the TLS handshake. When the handler or the channel does not have an idle timeout, it can be used to make a TCP server using the `SniHandler` to allocate 16MB of heap. The `SniHandler` class is a handler that waits for the TLS handshake to configure a `SslHandler` according to the indicated server name by the `ClientHello` record. For this matter it allocates a `ByteBuf` using the value defined in the `ClientHello` record. Normally the value of the packet should be smaller than the handshake packet but there are not checks done here and the way the code is written, it is possible to craft a packet that makes the `SslClientHelloHandler`. This vulnerability has been fixed in version 4.1.94.Final."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400: Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-21T19:08:21.092Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/netty/netty/security/advisories/GHSA-6mjq-h674-j845",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/netty/netty/security/advisories/GHSA-6mjq-h674-j845"
},
{
"name": "https://github.com/netty/netty/commit/535da17e45201ae4278c0479e6162bb4127d4c32",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/netty/netty/commit/535da17e45201ae4278c0479e6162bb4127d4c32"
},
{
"url": "https://security.netapp.com/advisory/ntap-20230803-0001/"
},
{
"url": "https://www.debian.org/security/2023/dsa-5558"
},
{
"url": "https://security.netapp.com/advisory/ntap-20240621-0007/"
}
],
"source": {
"advisory": "GHSA-6mjq-h674-j845",
"discovery": "UNKNOWN"
},
"title": "netty-handler SniHandler 16MB allocation"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-34462",
"datePublished": "2023-06-22T23:00:12.104Z",
"dateReserved": "2023-06-06T16:16:53.560Z",
"dateUpdated": "2025-02-13T16:55:36.190Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2016-0797 (GCVE-0-2016-0797)
Vulnerability from cvelistv5
Published
2016-03-03 00:00
Modified
2024-08-05 22:30
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Multiple integer overflows in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g allow remote attackers to cause a denial of service (heap memory corruption or NULL pointer dereference) or possibly have unspecified other impact via a long digit string that is mishandled by the (1) BN_dec2bn or (2) BN_hex2bn function, related to crypto/bn/bn.h and crypto/bn/bn_print.c.
References
| ► | URL | Tags | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T22:30:05.030Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html"
},
{
"name": "83763",
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/83763"
},
{
"tags": [
"x_transferred"
],
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10156"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html"
},
{
"name": "openSUSE-SU-2016:0638",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00010.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05376917"
},
{
"name": "FreeBSD-SA-16:12",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://security.FreeBSD.org/advisories/FreeBSD-SA-16:12.openssl.asc"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinjan2016-2867209.html"
},
{
"name": "openSUSE-SU-2016:1239",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00015.html"
},
{
"name": "SUSE-SU-2016:0621",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00003.html"
},
{
"name": "openSUSE-SU-2016:0640",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00011.html"
},
{
"name": "HPSBGN03563",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://marc.info/?l=bugtraq\u0026m=145889460330120\u0026w=2"
},
{
"name": "USN-2914-1",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://www.ubuntu.com/usn/USN-2914-1"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html"
},
{
"name": "SUSE-SU-2016:1057",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00038.html"
},
{
"name": "openSUSE-SU-2016:1566",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00019.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA40168"
},
{
"name": "openSUSE-SU-2016:1241",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00017.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.openssl.org/?p=openssl.git%3Ba=commit%3Bh=c175308407858afff3fc8c2e5e085d94d12edc7d"
},
{
"tags": [
"x_transferred"
],
"url": "http://openssl.org/news/secadv/20160301.txt"
},
{
"name": "20160302 Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: March 2016",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160302-openssl"
},
{
"name": "openSUSE-SU-2016:0720",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00025.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390722"
},
{
"name": "SUSE-SU-2016:0624",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00004.html"
},
{
"name": "DSA-3500",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://www.debian.org/security/2016/dsa-3500"
},
{
"tags": [
"x_transferred"
],
"url": "https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbhf03741en_us"
},
{
"name": "SUSE-SU-2016:0631",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00007.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.openssl.org/news/secadv/20160301.txt"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html"
},
{
"name": "91787",
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/91787"
},
{
"name": "SUSE-SU-2016:0617",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00001.html"
},
{
"name": "RHSA-2016:2957",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2016-2957.html"
},
{
"name": "GLSA-201603-15",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/201603-15"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.oracle.com/technetwork/topics/security/bulletinjan2016-2867206.html"
},
{
"name": "openSUSE-SU-2016:0628",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00006.html"
},
{
"name": "1035133",
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "http://www.securitytracker.com/id/1035133"
},
{
"name": "SUSE-SU-2016:0678",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00017.html"
},
{
"name": "SUSE-SU-2016:0620",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00002.html"
},
{
"name": "openSUSE-SU-2016:0637",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00009.html"
},
{
"name": "openSUSE-SU-2016:0627",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00005.html"
},
{
"name": "SUSE-SU-2016:0641",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00012.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05052990"
},
{
"tags": [
"x_transferred"
],
"url": "http://kb.juniper.net/InfoCenter/index?page=content\u0026id=JSA10759"
},
{
"tags": [
"x_transferred"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-412672.pdf"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2016-03-01T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Multiple integer overflows in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g allow remote attackers to cause a denial of service (heap memory corruption or NULL pointer dereference) or possibly have unspecified other impact via a long digit string that is mishandled by the (1) BN_dec2bn or (2) BN_hex2bn function, related to crypto/bn/bn.h and crypto/bn/bn_print.c."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-12-13T00:00:00",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"url": "http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html"
},
{
"name": "83763",
"tags": [
"vdb-entry"
],
"url": "http://www.securityfocus.com/bid/83763"
},
{
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10156"
},
{
"url": "http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html"
},
{
"name": "openSUSE-SU-2016:0638",
"tags": [
"vendor-advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00010.html"
},
{
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05376917"
},
{
"name": "FreeBSD-SA-16:12",
"tags": [
"vendor-advisory"
],
"url": "https://security.FreeBSD.org/advisories/FreeBSD-SA-16:12.openssl.asc"
},
{
"url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinjan2016-2867209.html"
},
{
"name": "openSUSE-SU-2016:1239",
"tags": [
"vendor-advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00015.html"
},
{
"name": "SUSE-SU-2016:0621",
"tags": [
"vendor-advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00003.html"
},
{
"name": "openSUSE-SU-2016:0640",
"tags": [
"vendor-advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00011.html"
},
{
"name": "HPSBGN03563",
"tags": [
"vendor-advisory"
],
"url": "http://marc.info/?l=bugtraq\u0026m=145889460330120\u0026w=2"
},
{
"name": "USN-2914-1",
"tags": [
"vendor-advisory"
],
"url": "http://www.ubuntu.com/usn/USN-2914-1"
},
{
"url": "http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html"
},
{
"name": "SUSE-SU-2016:1057",
"tags": [
"vendor-advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00038.html"
},
{
"name": "openSUSE-SU-2016:1566",
"tags": [
"vendor-advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00019.html"
},
{
"url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA40168"
},
{
"name": "openSUSE-SU-2016:1241",
"tags": [
"vendor-advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00017.html"
},
{
"url": "https://git.openssl.org/?p=openssl.git%3Ba=commit%3Bh=c175308407858afff3fc8c2e5e085d94d12edc7d"
},
{
"url": "http://openssl.org/news/secadv/20160301.txt"
},
{
"name": "20160302 Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: March 2016",
"tags": [
"vendor-advisory"
],
"url": "http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160302-openssl"
},
{
"name": "openSUSE-SU-2016:0720",
"tags": [
"vendor-advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00025.html"
},
{
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390722"
},
{
"name": "SUSE-SU-2016:0624",
"tags": [
"vendor-advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00004.html"
},
{
"name": "DSA-3500",
"tags": [
"vendor-advisory"
],
"url": "http://www.debian.org/security/2016/dsa-3500"
},
{
"url": "https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbhf03741en_us"
},
{
"name": "SUSE-SU-2016:0631",
"tags": [
"vendor-advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00007.html"
},
{
"url": "https://www.openssl.org/news/secadv/20160301.txt"
},
{
"url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html"
},
{
"name": "91787",
"tags": [
"vdb-entry"
],
"url": "http://www.securityfocus.com/bid/91787"
},
{
"name": "SUSE-SU-2016:0617",
"tags": [
"vendor-advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00001.html"
},
{
"name": "RHSA-2016:2957",
"tags": [
"vendor-advisory"
],
"url": "http://rhn.redhat.com/errata/RHSA-2016-2957.html"
},
{
"name": "GLSA-201603-15",
"tags": [
"vendor-advisory"
],
"url": "https://security.gentoo.org/glsa/201603-15"
},
{
"url": "http://www.oracle.com/technetwork/topics/security/bulletinjan2016-2867206.html"
},
{
"name": "openSUSE-SU-2016:0628",
"tags": [
"vendor-advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00006.html"
},
{
"name": "1035133",
"tags": [
"vdb-entry"
],
"url": "http://www.securitytracker.com/id/1035133"
},
{
"name": "SUSE-SU-2016:0678",
"tags": [
"vendor-advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00017.html"
},
{
"name": "SUSE-SU-2016:0620",
"tags": [
"vendor-advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00002.html"
},
{
"name": "openSUSE-SU-2016:0637",
"tags": [
"vendor-advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00009.html"
},
{
"name": "openSUSE-SU-2016:0627",
"tags": [
"vendor-advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00005.html"
},
{
"name": "SUSE-SU-2016:0641",
"tags": [
"vendor-advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00012.html"
},
{
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05052990"
},
{
"url": "http://kb.juniper.net/InfoCenter/index?page=content\u0026id=JSA10759"
},
{
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-412672.pdf"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2016-0797",
"datePublished": "2016-03-03T00:00:00",
"dateReserved": "2015-12-16T00:00:00",
"dateUpdated": "2024-08-05T22:30:05.030Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-21290 (GCVE-0-2021-21290)
Vulnerability from cvelistv5
Published
2021-02-08 20:10
Modified
2024-08-03 18:09
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty before version 4.1.59.Final there is a vulnerability on Unix-like systems involving an insecure temp file. When netty's multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled. On unix-like systems, the temporary directory is shared between all user. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure. Of note, this does not impact modern MacOS Operating Systems. The method "File.createTempFile" on unix-like systems creates a random file, but, by default will create this file with the permissions "-rw-r--r--". Thus, if sensitive information is written to this file, other local users can read this information. This is the case in netty's "AbstractDiskHttpData" is vulnerable. This has been fixed in version 4.1.59.Final. As a workaround, one may specify your own "java.io.tmpdir" when you start the JVM or use "DefaultHttpDataFactory.setBaseDir(...)" to set the directory to something that is only readable by the current user.
References
| ► | URL | Tags | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T18:09:15.620Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/netty/netty/security/advisories/GHSA-5mcr-gq6c-3hq2"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/netty/netty/commit/c735357bf29d07856ad171c6611a2e1a0e0000ec"
},
{
"name": "[debian-lts-announce] 20210211 [SECURITY] [DLA 2555-1] netty security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/02/msg00016.html"
},
{
"name": "[kafka-jira] 20210301 [jira] [Created] (KAFKA-12389) Upgrade of netty-codec due to CVE-2021-21290",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rc488f80094872ad925f0c73d283d4c00d32def81977438e27a3dc2bb%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "[kafka-dev] 20210301 [jira] [Created] (KAFKA-12389) Upgrade of netty-codec due to CVE-2021-21290",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r2748097ea4b774292539cf3de6e3b267fc7a88d6c8ec40f4e2e87bd4%40%3Cdev.kafka.apache.org%3E"
},
{
"name": "[kafka-jira] 20210301 [jira] [Assigned] (KAFKA-12389) Upgrade of netty-codec due to CVE-2021-21290",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/ra503756ced78fdc2136bd33e87cb7553028645b261b1f5c6186a121e%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "[kafka-jira] 20210301 [GitHub] [kafka] dongjinleekr opened a new pull request #10235: KAFKA-12389: Upgrade of netty-codec due to CVE-2021-21290",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r10308b625e49d4e9491d7e079606ca0df2f0a4d828f1ad1da64ba47b%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "[kafka-jira] 20210301 [GitHub] [kafka] dongjinleekr commented on pull request #10235: KAFKA-12389: Upgrade of netty-codec due to CVE-2021-21290",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r2fda4dab73097051977f2ab818f75e04fbcb15bb1003c8530eac1059%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "[kafka-dev] 20210302 [jira] [Resolved] (KAFKA-12389) Upgrade of netty-codec due to CVE-2021-21290",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r326ec431f06eab7cb7113a7a338e59731b8d556d05258457f12bac1b%40%3Cdev.kafka.apache.org%3E"
},
{
"name": "[kafka-jira] 20210302 [jira] [Resolved] (KAFKA-12389) Upgrade of netty-codec due to CVE-2021-21290",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rdba4f78ac55f803893a1a2265181595e79e3aa027e2e651dfba98c18%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "[kafka-jira] 20210302 [GitHub] [kafka] omkreddy closed pull request #10235: KAFKA-12389: Upgrade of netty-codec due to CVE-2021-21290",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r0857b613604c696bf9743f0af047360baaded48b1c75cf6945a083c5%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "[kafka-commits] 20210302 [kafka] branch 2.6 updated: KAFKA-12389: Upgrade of netty-codec due to CVE-2021-21290",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r5e4a540089760c8ecc2c411309d74264f1dad634ad93ad583ca16214%40%3Ccommits.kafka.apache.org%3E"
},
{
"name": "[kafka-commits] 20210302 [kafka] branch 2.7 updated: KAFKA-12389: Upgrade of netty-codec due to CVE-2021-21290",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r71dbb66747ff537640bb91eb0b2b24edef21ac07728097016f58b01f%40%3Ccommits.kafka.apache.org%3E"
},
{
"name": "[kafka-jira] 20210302 [GitHub] [kafka] dongjinleekr commented on pull request #10235: KAFKA-12389: Upgrade of netty-codec due to CVE-2021-21290",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/ra0fc2b4553dd7aaf75febb61052b7f1243ac3a180a71c01f29093013%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210311 [jira] [Created] (ZOOKEEPER-4242) Upgrade Netty library to \u003e 4.1.59 due to security vulnerability",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r5bf303d7c04da78f276765da08559fdc62420f1df539b277ca31f63b%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-dev] 20210311 [jira] [Created] (ZOOKEEPER-4242) Upgrade Netty library to \u003e 4.1.59 due to security vulnerability",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r743149dcc8db1de473e6bff0b3ddf10140a7357bc2add75f7d1fbb12%40%3Cdev.zookeeper.apache.org%3E"
},
{
"name": "[tinkerpop-dev] 20210316 [jira] [Created] (TINKERPOP-2535) Netty 4.1.52 flagged as medium security violation",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r4efed2c501681cb2e8d629da16e48d9eac429624fd4c9a8c6b8e7020%40%3Cdev.tinkerpop.apache.org%3E"
},
{
"name": "[ranger-dev] 20210317 [jira] [Created] (RANGER-3209) Upgrade netty to 4.1.60+ due to CVE-2021-21290 and CVE-2021-21295",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r02e467123d45006a1dda20a38349e9c74c3a4b53e2e07be0939ecb3f%40%3Cdev.ranger.apache.org%3E"
},
{
"name": "[ranger-dev] 20210317 [jira] [Assigned] (RANGER-3209) Upgrade netty to 4.1.60+ due to CVE-2021-21290 and CVE-2021-21295",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r7bb3cdc192e9a6f863d3ea05422f09fa1ae2b88d4663e63696ee7ef5%40%3Cdev.ranger.apache.org%3E"
},
{
"name": "[pulsar-commits] 20210329 [GitHub] [pulsar] yaswanthnadella opened a new issue #10071: CVE-2021-21295 \u0026 CVE-2021-21290",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rcd163e421273e8dca1c71ea298dce3dd11b41d51c3a812e0394e6a5d%40%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[pulsar-commits] 20210329 [GitHub] [pulsar] aahmed-se opened a new pull request #10073: Upgrade Netty version to 4.1.60.final",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r9924ef9357537722b28d04c98a189750b80694a19754e5057c34ca48%40%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[pulsar-commits] 20210329 [GitHub] [pulsar] merlimat closed issue #10071: CVE-2021-21295 \u0026 CVE-2021-21290",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rb51d6202ff1a773f96eaa694b7da4ad3f44922c40b3d4e1a19c2f325%40%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[bookkeeper-issues] 20210330 [GitHub] [bookkeeper] eolivelli opened a new issue #2669: Update Netty to 4.1.60.final",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r790c2926efcd062067eb18fde2486527596d7275381cfaff2f7b3890%40%3Cissues.bookkeeper.apache.org%3E"
},
{
"name": "[zookeeper-dev] 20210330 [jira] [Created] (ZOOKEEPER-4272) Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r1908a34b9cc7120e5c19968a116ddbcffea5e9deb76c2be4fa461904%40%3Cdev.zookeeper.apache.org%3E"
},
{
"name": "[kafka-dev] 20210330 [jira] [Created] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rb06c1e766aa45ee422e8261a8249b561784186483e8f742ea627bda4%40%3Cdev.kafka.apache.org%3E"
},
{
"name": "[kafka-jira] 20210330 [jira] [Updated] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r5e66e286afb5506cdfe9bbf68a323e8d09614f6d1ddc806ed0224700%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210330 [jira] [Created] (ZOOKEEPER-4272) Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rb592033a2462548d061a83ac9449c5ff66098751748fcd1e2d008233%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[kafka-jira] 20210330 [jira] [Created] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r59bac5c09f7a4179b9e2460e8f41c278aaf3b9a21cc23678eb893e41%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210330 [jira] [Updated] (ZOOKEEPER-4272) Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rc0087125cb15b4b78e44000f841cd37fefedfda942fd7ddf3ad1b528%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210402 [jira] [Commented] (ZOOKEEPER-4272) Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r2936730ef0a06e724b96539bc7eacfcd3628987c16b1b99c790e7b87%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "DSA-4885",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2021/dsa-4885"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r0053443ce19ff125981559f8c51cf66e3ab4350f47812b8cf0733a05%40%3Cdev.kafka.apache.org%3E"
},
{
"name": "[activemq-users] 20210715 Next ActiveMQ Artemis Release - CVE-2021-21290 vulnerability",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r5c701840aa2845191721e39821445e1e8c59711e71942b7796a6ec29%40%3Cusers.activemq.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"name": "[pulsar-commits] 20211020 [GitHub] [pulsar] Shoothzj opened a new pull request #12437: [Security] Bump grpc to 1.41.0",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r584cf871f188c406d8bd447ff4e2fd9817fca862436c064d0951a071%40%3Ccommits.pulsar.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20220210-0011/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "netty",
"vendor": "netty",
"versions": [
{
"status": "affected",
"version": "\u003c 4.1.59.Final"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers \u0026 clients. In Netty before version 4.1.59.Final there is a vulnerability on Unix-like systems involving an insecure temp file. When netty\u0027s multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled. On unix-like systems, the temporary directory is shared between all user. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure. Of note, this does not impact modern MacOS Operating Systems. The method \"File.createTempFile\" on unix-like systems creates a random file, but, by default will create this file with the permissions \"-rw-r--r--\". Thus, if sensitive information is written to this file, other local users can read this information. This is the case in netty\u0027s \"AbstractDiskHttpData\" is vulnerable. This has been fixed in version 4.1.59.Final. As a workaround, one may specify your own \"java.io.tmpdir\" when you start the JVM or use \"DefaultHttpDataFactory.setBaseDir(...)\" to set the directory to something that is only readable by the current user."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 6.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-378",
"description": "CWE-378: Creation of Temporary File With Insecure Permissions",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-379",
"description": "CWE-379: Creation of Temporary File in Directory with Insecure Permissions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-04-19T23:23:48",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/netty/netty/security/advisories/GHSA-5mcr-gq6c-3hq2"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/netty/netty/commit/c735357bf29d07856ad171c6611a2e1a0e0000ec"
},
{
"name": "[debian-lts-announce] 20210211 [SECURITY] [DLA 2555-1] netty security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/02/msg00016.html"
},
{
"name": "[kafka-jira] 20210301 [jira] [Created] (KAFKA-12389) Upgrade of netty-codec due to CVE-2021-21290",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rc488f80094872ad925f0c73d283d4c00d32def81977438e27a3dc2bb%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "[kafka-dev] 20210301 [jira] [Created] (KAFKA-12389) Upgrade of netty-codec due to CVE-2021-21290",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r2748097ea4b774292539cf3de6e3b267fc7a88d6c8ec40f4e2e87bd4%40%3Cdev.kafka.apache.org%3E"
},
{
"name": "[kafka-jira] 20210301 [jira] [Assigned] (KAFKA-12389) Upgrade of netty-codec due to CVE-2021-21290",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/ra503756ced78fdc2136bd33e87cb7553028645b261b1f5c6186a121e%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "[kafka-jira] 20210301 [GitHub] [kafka] dongjinleekr opened a new pull request #10235: KAFKA-12389: Upgrade of netty-codec due to CVE-2021-21290",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r10308b625e49d4e9491d7e079606ca0df2f0a4d828f1ad1da64ba47b%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "[kafka-jira] 20210301 [GitHub] [kafka] dongjinleekr commented on pull request #10235: KAFKA-12389: Upgrade of netty-codec due to CVE-2021-21290",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r2fda4dab73097051977f2ab818f75e04fbcb15bb1003c8530eac1059%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "[kafka-dev] 20210302 [jira] [Resolved] (KAFKA-12389) Upgrade of netty-codec due to CVE-2021-21290",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r326ec431f06eab7cb7113a7a338e59731b8d556d05258457f12bac1b%40%3Cdev.kafka.apache.org%3E"
},
{
"name": "[kafka-jira] 20210302 [jira] [Resolved] (KAFKA-12389) Upgrade of netty-codec due to CVE-2021-21290",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rdba4f78ac55f803893a1a2265181595e79e3aa027e2e651dfba98c18%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "[kafka-jira] 20210302 [GitHub] [kafka] omkreddy closed pull request #10235: KAFKA-12389: Upgrade of netty-codec due to CVE-2021-21290",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r0857b613604c696bf9743f0af047360baaded48b1c75cf6945a083c5%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "[kafka-commits] 20210302 [kafka] branch 2.6 updated: KAFKA-12389: Upgrade of netty-codec due to CVE-2021-21290",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r5e4a540089760c8ecc2c411309d74264f1dad634ad93ad583ca16214%40%3Ccommits.kafka.apache.org%3E"
},
{
"name": "[kafka-commits] 20210302 [kafka] branch 2.7 updated: KAFKA-12389: Upgrade of netty-codec due to CVE-2021-21290",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r71dbb66747ff537640bb91eb0b2b24edef21ac07728097016f58b01f%40%3Ccommits.kafka.apache.org%3E"
},
{
"name": "[kafka-jira] 20210302 [GitHub] [kafka] dongjinleekr commented on pull request #10235: KAFKA-12389: Upgrade of netty-codec due to CVE-2021-21290",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/ra0fc2b4553dd7aaf75febb61052b7f1243ac3a180a71c01f29093013%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210311 [jira] [Created] (ZOOKEEPER-4242) Upgrade Netty library to \u003e 4.1.59 due to security vulnerability",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r5bf303d7c04da78f276765da08559fdc62420f1df539b277ca31f63b%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-dev] 20210311 [jira] [Created] (ZOOKEEPER-4242) Upgrade Netty library to \u003e 4.1.59 due to security vulnerability",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r743149dcc8db1de473e6bff0b3ddf10140a7357bc2add75f7d1fbb12%40%3Cdev.zookeeper.apache.org%3E"
},
{
"name": "[tinkerpop-dev] 20210316 [jira] [Created] (TINKERPOP-2535) Netty 4.1.52 flagged as medium security violation",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r4efed2c501681cb2e8d629da16e48d9eac429624fd4c9a8c6b8e7020%40%3Cdev.tinkerpop.apache.org%3E"
},
{
"name": "[ranger-dev] 20210317 [jira] [Created] (RANGER-3209) Upgrade netty to 4.1.60+ due to CVE-2021-21290 and CVE-2021-21295",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r02e467123d45006a1dda20a38349e9c74c3a4b53e2e07be0939ecb3f%40%3Cdev.ranger.apache.org%3E"
},
{
"name": "[ranger-dev] 20210317 [jira] [Assigned] (RANGER-3209) Upgrade netty to 4.1.60+ due to CVE-2021-21290 and CVE-2021-21295",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r7bb3cdc192e9a6f863d3ea05422f09fa1ae2b88d4663e63696ee7ef5%40%3Cdev.ranger.apache.org%3E"
},
{
"name": "[pulsar-commits] 20210329 [GitHub] [pulsar] yaswanthnadella opened a new issue #10071: CVE-2021-21295 \u0026 CVE-2021-21290",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rcd163e421273e8dca1c71ea298dce3dd11b41d51c3a812e0394e6a5d%40%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[pulsar-commits] 20210329 [GitHub] [pulsar] aahmed-se opened a new pull request #10073: Upgrade Netty version to 4.1.60.final",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r9924ef9357537722b28d04c98a189750b80694a19754e5057c34ca48%40%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[pulsar-commits] 20210329 [GitHub] [pulsar] merlimat closed issue #10071: CVE-2021-21295 \u0026 CVE-2021-21290",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rb51d6202ff1a773f96eaa694b7da4ad3f44922c40b3d4e1a19c2f325%40%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[bookkeeper-issues] 20210330 [GitHub] [bookkeeper] eolivelli opened a new issue #2669: Update Netty to 4.1.60.final",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r790c2926efcd062067eb18fde2486527596d7275381cfaff2f7b3890%40%3Cissues.bookkeeper.apache.org%3E"
},
{
"name": "[zookeeper-dev] 20210330 [jira] [Created] (ZOOKEEPER-4272) Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r1908a34b9cc7120e5c19968a116ddbcffea5e9deb76c2be4fa461904%40%3Cdev.zookeeper.apache.org%3E"
},
{
"name": "[kafka-dev] 20210330 [jira] [Created] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rb06c1e766aa45ee422e8261a8249b561784186483e8f742ea627bda4%40%3Cdev.kafka.apache.org%3E"
},
{
"name": "[kafka-jira] 20210330 [jira] [Updated] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r5e66e286afb5506cdfe9bbf68a323e8d09614f6d1ddc806ed0224700%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210330 [jira] [Created] (ZOOKEEPER-4272) Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rb592033a2462548d061a83ac9449c5ff66098751748fcd1e2d008233%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[kafka-jira] 20210330 [jira] [Created] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r59bac5c09f7a4179b9e2460e8f41c278aaf3b9a21cc23678eb893e41%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210330 [jira] [Updated] (ZOOKEEPER-4272) Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rc0087125cb15b4b78e44000f841cd37fefedfda942fd7ddf3ad1b528%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210402 [jira] [Commented] (ZOOKEEPER-4272) Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r2936730ef0a06e724b96539bc7eacfcd3628987c16b1b99c790e7b87%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "DSA-4885",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2021/dsa-4885"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread.html/r0053443ce19ff125981559f8c51cf66e3ab4350f47812b8cf0733a05%40%3Cdev.kafka.apache.org%3E"
},
{
"name": "[activemq-users] 20210715 Next ActiveMQ Artemis Release - CVE-2021-21290 vulnerability",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r5c701840aa2845191721e39821445e1e8c59711e71942b7796a6ec29%40%3Cusers.activemq.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"name": "[pulsar-commits] 20211020 [GitHub] [pulsar] Shoothzj opened a new pull request #12437: [Security] Bump grpc to 1.41.0",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r584cf871f188c406d8bd447ff4e2fd9817fca862436c064d0951a071%40%3Ccommits.pulsar.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20220210-0011/"
}
],
"source": {
"advisory": "GHSA-5mcr-gq6c-3hq2",
"discovery": "UNKNOWN"
},
"title": "Local Information Disclosure Vulnerability in Netty on Unix-Like systems due temporary files",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-21290",
"STATE": "PUBLIC",
"TITLE": "Local Information Disclosure Vulnerability in Netty on Unix-Like systems due temporary files"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "netty",
"version": {
"version_data": [
{
"version_value": "\u003c 4.1.59.Final"
}
]
}
}
]
},
"vendor_name": "netty"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers \u0026 clients. In Netty before version 4.1.59.Final there is a vulnerability on Unix-like systems involving an insecure temp file. When netty\u0027s multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled. On unix-like systems, the temporary directory is shared between all user. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure. Of note, this does not impact modern MacOS Operating Systems. The method \"File.createTempFile\" on unix-like systems creates a random file, but, by default will create this file with the permissions \"-rw-r--r--\". Thus, if sensitive information is written to this file, other local users can read this information. This is the case in netty\u0027s \"AbstractDiskHttpData\" is vulnerable. This has been fixed in version 4.1.59.Final. As a workaround, one may specify your own \"java.io.tmpdir\" when you start the JVM or use \"DefaultHttpDataFactory.setBaseDir(...)\" to set the directory to something that is only readable by the current user."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 6.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-378: Creation of Temporary File With Insecure Permissions"
}
]
},
{
"description": [
{
"lang": "eng",
"value": "CWE-379: Creation of Temporary File in Directory with Insecure Permissions"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/netty/netty/security/advisories/GHSA-5mcr-gq6c-3hq2",
"refsource": "CONFIRM",
"url": "https://github.com/netty/netty/security/advisories/GHSA-5mcr-gq6c-3hq2"
},
{
"name": "https://github.com/netty/netty/commit/c735357bf29d07856ad171c6611a2e1a0e0000ec",
"refsource": "MISC",
"url": "https://github.com/netty/netty/commit/c735357bf29d07856ad171c6611a2e1a0e0000ec"
},
{
"name": "[debian-lts-announce] 20210211 [SECURITY] [DLA 2555-1] netty security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2021/02/msg00016.html"
},
{
"name": "[kafka-jira] 20210301 [jira] [Created] (KAFKA-12389) Upgrade of netty-codec due to CVE-2021-21290",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rc488f80094872ad925f0c73d283d4c00d32def81977438e27a3dc2bb@%3Cjira.kafka.apache.org%3E"
},
{
"name": "[kafka-dev] 20210301 [jira] [Created] (KAFKA-12389) Upgrade of netty-codec due to CVE-2021-21290",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r2748097ea4b774292539cf3de6e3b267fc7a88d6c8ec40f4e2e87bd4@%3Cdev.kafka.apache.org%3E"
},
{
"name": "[kafka-jira] 20210301 [jira] [Assigned] (KAFKA-12389) Upgrade of netty-codec due to CVE-2021-21290",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/ra503756ced78fdc2136bd33e87cb7553028645b261b1f5c6186a121e@%3Cjira.kafka.apache.org%3E"
},
{
"name": "[kafka-jira] 20210301 [GitHub] [kafka] dongjinleekr opened a new pull request #10235: KAFKA-12389: Upgrade of netty-codec due to CVE-2021-21290",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r10308b625e49d4e9491d7e079606ca0df2f0a4d828f1ad1da64ba47b@%3Cjira.kafka.apache.org%3E"
},
{
"name": "[kafka-jira] 20210301 [GitHub] [kafka] dongjinleekr commented on pull request #10235: KAFKA-12389: Upgrade of netty-codec due to CVE-2021-21290",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r2fda4dab73097051977f2ab818f75e04fbcb15bb1003c8530eac1059@%3Cjira.kafka.apache.org%3E"
},
{
"name": "[kafka-dev] 20210302 [jira] [Resolved] (KAFKA-12389) Upgrade of netty-codec due to CVE-2021-21290",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r326ec431f06eab7cb7113a7a338e59731b8d556d05258457f12bac1b@%3Cdev.kafka.apache.org%3E"
},
{
"name": "[kafka-jira] 20210302 [jira] [Resolved] (KAFKA-12389) Upgrade of netty-codec due to CVE-2021-21290",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rdba4f78ac55f803893a1a2265181595e79e3aa027e2e651dfba98c18@%3Cjira.kafka.apache.org%3E"
},
{
"name": "[kafka-jira] 20210302 [GitHub] [kafka] omkreddy closed pull request #10235: KAFKA-12389: Upgrade of netty-codec due to CVE-2021-21290",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r0857b613604c696bf9743f0af047360baaded48b1c75cf6945a083c5@%3Cjira.kafka.apache.org%3E"
},
{
"name": "[kafka-commits] 20210302 [kafka] branch 2.6 updated: KAFKA-12389: Upgrade of netty-codec due to CVE-2021-21290",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r5e4a540089760c8ecc2c411309d74264f1dad634ad93ad583ca16214@%3Ccommits.kafka.apache.org%3E"
},
{
"name": "[kafka-commits] 20210302 [kafka] branch 2.7 updated: KAFKA-12389: Upgrade of netty-codec due to CVE-2021-21290",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r71dbb66747ff537640bb91eb0b2b24edef21ac07728097016f58b01f@%3Ccommits.kafka.apache.org%3E"
},
{
"name": "[kafka-jira] 20210302 [GitHub] [kafka] dongjinleekr commented on pull request #10235: KAFKA-12389: Upgrade of netty-codec due to CVE-2021-21290",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/ra0fc2b4553dd7aaf75febb61052b7f1243ac3a180a71c01f29093013@%3Cjira.kafka.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210311 [jira] [Created] (ZOOKEEPER-4242) Upgrade Netty library to \u003e 4.1.59 due to security vulnerability",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r5bf303d7c04da78f276765da08559fdc62420f1df539b277ca31f63b@%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-dev] 20210311 [jira] [Created] (ZOOKEEPER-4242) Upgrade Netty library to \u003e 4.1.59 due to security vulnerability",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r743149dcc8db1de473e6bff0b3ddf10140a7357bc2add75f7d1fbb12@%3Cdev.zookeeper.apache.org%3E"
},
{
"name": "[tinkerpop-dev] 20210316 [jira] [Created] (TINKERPOP-2535) Netty 4.1.52 flagged as medium security violation",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r4efed2c501681cb2e8d629da16e48d9eac429624fd4c9a8c6b8e7020@%3Cdev.tinkerpop.apache.org%3E"
},
{
"name": "[ranger-dev] 20210317 [jira] [Created] (RANGER-3209) Upgrade netty to 4.1.60+ due to CVE-2021-21290 and CVE-2021-21295",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r02e467123d45006a1dda20a38349e9c74c3a4b53e2e07be0939ecb3f@%3Cdev.ranger.apache.org%3E"
},
{
"name": "[ranger-dev] 20210317 [jira] [Assigned] (RANGER-3209) Upgrade netty to 4.1.60+ due to CVE-2021-21290 and CVE-2021-21295",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r7bb3cdc192e9a6f863d3ea05422f09fa1ae2b88d4663e63696ee7ef5@%3Cdev.ranger.apache.org%3E"
},
{
"name": "[pulsar-commits] 20210329 [GitHub] [pulsar] yaswanthnadella opened a new issue #10071: CVE-2021-21295 \u0026 CVE-2021-21290",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rcd163e421273e8dca1c71ea298dce3dd11b41d51c3a812e0394e6a5d@%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[pulsar-commits] 20210329 [GitHub] [pulsar] aahmed-se opened a new pull request #10073: Upgrade Netty version to 4.1.60.final",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r9924ef9357537722b28d04c98a189750b80694a19754e5057c34ca48@%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[pulsar-commits] 20210329 [GitHub] [pulsar] merlimat closed issue #10071: CVE-2021-21295 \u0026 CVE-2021-21290",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rb51d6202ff1a773f96eaa694b7da4ad3f44922c40b3d4e1a19c2f325@%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[bookkeeper-issues] 20210330 [GitHub] [bookkeeper] eolivelli opened a new issue #2669: Update Netty to 4.1.60.final",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r790c2926efcd062067eb18fde2486527596d7275381cfaff2f7b3890@%3Cissues.bookkeeper.apache.org%3E"
},
{
"name": "[zookeeper-dev] 20210330 [jira] [Created] (ZOOKEEPER-4272) Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r1908a34b9cc7120e5c19968a116ddbcffea5e9deb76c2be4fa461904@%3Cdev.zookeeper.apache.org%3E"
},
{
"name": "[kafka-dev] 20210330 [jira] [Created] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rb06c1e766aa45ee422e8261a8249b561784186483e8f742ea627bda4@%3Cdev.kafka.apache.org%3E"
},
{
"name": "[kafka-jira] 20210330 [jira] [Updated] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r5e66e286afb5506cdfe9bbf68a323e8d09614f6d1ddc806ed0224700@%3Cjira.kafka.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210330 [jira] [Created] (ZOOKEEPER-4272) Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rb592033a2462548d061a83ac9449c5ff66098751748fcd1e2d008233@%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[kafka-jira] 20210330 [jira] [Created] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r59bac5c09f7a4179b9e2460e8f41c278aaf3b9a21cc23678eb893e41@%3Cjira.kafka.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210330 [jira] [Updated] (ZOOKEEPER-4272) Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rc0087125cb15b4b78e44000f841cd37fefedfda942fd7ddf3ad1b528@%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210402 [jira] [Commented] (ZOOKEEPER-4272) Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r2936730ef0a06e724b96539bc7eacfcd3628987c16b1b99c790e7b87@%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "DSA-4885",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2021/dsa-4885"
},
{
"name": "https://www.oracle.com/security-alerts/cpuApr2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"name": "https://lists.apache.org/thread.html/r0053443ce19ff125981559f8c51cf66e3ab4350f47812b8cf0733a05@%3Cdev.kafka.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/r0053443ce19ff125981559f8c51cf66e3ab4350f47812b8cf0733a05@%3Cdev.kafka.apache.org%3E"
},
{
"name": "[activemq-users] 20210715 Next ActiveMQ Artemis Release - CVE-2021-21290 vulnerability",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r5c701840aa2845191721e39821445e1e8c59711e71942b7796a6ec29@%3Cusers.activemq.apache.org%3E"
},
{
"name": "https://www.oracle.com//security-alerts/cpujul2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpuoct2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"name": "[pulsar-commits] 20211020 [GitHub] [pulsar] Shoothzj opened a new pull request #12437: [Security] Bump grpc to 1.41.0",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r584cf871f188c406d8bd447ff4e2fd9817fca862436c064d0951a071@%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "https://www.oracle.com/security-alerts/cpuapr2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"name": "https://security.netapp.com/advisory/ntap-20220210-0011/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20220210-0011/"
}
]
},
"source": {
"advisory": "GHSA-5mcr-gq6c-3hq2",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-21290",
"datePublished": "2021-02-08T20:10:16",
"dateReserved": "2020-12-22T00:00:00",
"dateUpdated": "2024-08-03T18:09:15.620Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-11023 (GCVE-0-2020-11023)
Vulnerability from cvelistv5
Published
2020-04-29 00:00
Modified
2025-07-30 01:45
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
References
| ► | URL | Tags | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-01-23T21:07:47.681Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://github.com/github/advisory-database/blob/99afa6fdeaf5d1d23e1021ff915a5e5dbc82c1f1/advisories/github-reviewed/2020/04/GHSA-jpcq-cgw6-v4j6/GHSA-jpcq-cgw6-v4j6.json#L20-L37"
},
{
"name": "DSA-4693",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://www.debian.org/security/2020/dsa-4693"
},
{
"name": "FEDORA-2020-36d2db5f51",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QPN2L2XVQGUA2V5HNQJWHK3APSK3VN7K/"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujul2020.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://jquery.com/upgrade-guide/3.5/"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20200511-0006/"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.drupal.org/sa-core-2020-002"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/jquery/jquery/security/advisories/GHSA-jpcq-cgw6-v4j6"
},
{
"tags": [
"x_transferred"
],
"url": "https://blog.jquery.com/2020/04/10/jquery-3-5-0-released"
},
{
"name": "openSUSE-SU-2020:1060",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00067.html"
},
{
"name": "GLSA-202007-03",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202007-03"
},
{
"name": "openSUSE-SU-2020:1106",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00085.html"
},
{
"name": "[hive-issues] 20200813 [jira] [Assigned] (HIVE-24039) update jquery version to mitigate CVE-2020-11023",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r094f435595582f6b5b24b66fedf80543aa8b1d57a3688fbcc21f06ec%40%3Cissues.hive.apache.org%3E"
},
{
"name": "[hive-dev] 20200813 [jira] [Created] (HIVE-24039) update jquery version to mitigate CVE-2020-11023",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rf661a90a15da8da5922ba6127b3f5f8194d4ebec8855d60a0dd13248%40%3Cdev.hive.apache.org%3E"
},
{
"name": "[hive-issues] 20200813 [jira] [Updated] (HIVE-24039) Update jquery version to mitigate CVE-2020-11023",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r9c5fda81e4bca8daee305b4c03283dddb383ab8428a151d4cb0b3b15%40%3Cissues.hive.apache.org%3E"
},
{
"name": "[hive-gitbox] 20200813 [GitHub] [hive] rajkrrsingh opened a new pull request #1403: Hive 24039 : Update jquery version to mitigate CVE-2020-11023",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/ra3c9219fcb0b289e18e9ec5a5ebeaa5c17d6b79a201667675af6721c%40%3Cgitbox.hive.apache.org%3E"
},
{
"name": "[hive-issues] 20200902 [jira] [Work started] (HIVE-24039) Update jquery version to mitigate CVE-2020-11023",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/radcb2aa874a79647789f3563fcbbceaf1045a029ee8806b59812a8ea%40%3Cissues.hive.apache.org%3E"
},
{
"name": "[hive-issues] 20200902 [jira] [Commented] (HIVE-24039) Update jquery version to mitigate CVE-2020-11023",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rd38b4185a797b324c8dd940d9213cf99fcdc2dbf1fc5a63ba7dee8c9%40%3Cissues.hive.apache.org%3E"
},
{
"name": "[hive-issues] 20200902 [jira] [Assigned] (HIVE-24039) Update jquery version to mitigate CVE-2020-11023",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r6e97b37963926f6059ecc1e417721608723a807a76af41d4e9dbed49%40%3Cissues.hive.apache.org%3E"
},
{
"name": "[hive-issues] 20200902 [jira] [Comment Edited] (HIVE-24039) Update jquery version to mitigate CVE-2020-11023",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rb69b7d8217c1a6a2100247a5d06ce610836b31e3f5d73fc113ded8e7%40%3Cissues.hive.apache.org%3E"
},
{
"name": "[hive-issues] 20200904 [jira] [Assigned] (HIVE-24039) Update jquery version to mitigate CVE-2020-11023",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r4aadb98086ca72ed75391f54167522d91489a0d0ae25b12baa8fc7c5%40%3Cissues.hive.apache.org%3E"
},
{
"name": "[hive-gitbox] 20200911 [GitHub] [hive] rajkrrsingh closed pull request #1403: Hive 24039 : Update jquery version to mitigate CVE-2020-11023",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/ra374bb0299b4aa3e04edde01ebc03ed6f90cf614dad40dd428ce8f72%40%3Cgitbox.hive.apache.org%3E"
},
{
"name": "[hive-gitbox] 20200911 [GitHub] [hive] rajkrrsingh opened a new pull request #1403: Hive 24039 : Update jquery version to mitigate CVE-2020-11023",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rb25c3bc7418ae75cba07988dafe1b6912f76a9dd7d94757878320d61%40%3Cgitbox.hive.apache.org%3E"
},
{
"name": "[hive-gitbox] 20200912 [GitHub] [hive] rajkrrsingh closed pull request #1403: Hive 24039 : Update jquery version to mitigate CVE-2020-11023",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rf1ba79e564fe7efc56aef7c986106f1cf67a3427d08e997e088e7a93%40%3Cgitbox.hive.apache.org%3E"
},
{
"name": "[hive-gitbox] 20200912 [GitHub] [hive] rajkrrsingh opened a new pull request #1403: Hive 24039 : Update jquery version to mitigate CVE-2020-11023",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/ra32c7103ded9041c7c1cb8c12c8d125a6b2f3f3270e2937ef8417fac%40%3Cgitbox.hive.apache.org%3E"
},
{
"name": "FEDORA-2020-fbb94073a1",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SFP4UK4EGP4AFH2MWYJ5A5Z4I7XVFQ6B/"
},
{
"name": "FEDORA-2020-0b32a59b54",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AVKYXLWCLZBV2N7M46KYK4LVA5OXWPBY/"
},
{
"name": "[hive-issues] 20200915 [jira] [Resolved] (HIVE-24039) Update jquery version to mitigate CVE-2020-11023",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/ra406b3adfcffcb5ce8707013bdb7c35e3ffc2776a8a99022f15274c6%40%3Cissues.hive.apache.org%3E"
},
{
"name": "[hive-commits] 20200915 [hive] branch master updated: HIVE-24039 : Update jquery version to mitigate CVE-2020-11023 (#1403)",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rab82dd040f302018c85bd07d33f5604113573514895ada523c3401d9%40%3Ccommits.hive.apache.org%3E"
},
{
"name": "[hive-issues] 20200915 [jira] [Work logged] (HIVE-24039) Update jquery version to mitigate CVE-2020-11023",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r6c4df3b33e625a44471009a172dabe6865faec8d8f21cac2303463b1%40%3Cissues.hive.apache.org%3E"
},
{
"name": "[hive-gitbox] 20200915 [GitHub] [hive] kgyrtkirk merged pull request #1403: HIVE-24039 : Update jquery version to mitigate CVE-2020-11023",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r1fed19c860a0d470f2a3eded12795772c8651ff583ef951ddac4918c%40%3Cgitbox.hive.apache.org%3E"
},
{
"name": "[hive-issues] 20200915 [jira] [Updated] (HIVE-24039) Update jquery version to mitigate CVE-2020-11023",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r0593393ca1e97b1e7e098fe69d414d6bd0a467148e9138d07e86ebbb%40%3Cissues.hive.apache.org%3E"
},
{
"name": "FEDORA-2020-fe94df8c34",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SAPQVX3XDNPGFT26QAQ6AJIXZZBZ4CD4/"
},
{
"name": "[nifi-commits] 20200930 svn commit: r1882168 - /nifi/site/trunk/security.html",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rda99599896c3667f2cc9e9d34c7b6ef5d2bbed1f4801e1d75a2b0679%40%3Ccommits.nifi.apache.org%3E"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
},
{
"name": "[flink-issues] 20201105 [jira] [Created] (FLINK-20014) Resolve CVE-2020-11022 and CVE-2020-11023 in scala-compiler",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r706cfbc098420f7113968cc377247ec3d1439bce42e679c11c609e2d%40%3Cissues.flink.apache.org%3E"
},
{
"name": "[flink-dev] 20201105 [jira] [Created] (FLINK-20014) Resolve CVE-2020-11022 and CVE-2020-11023 in scala-compiler",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rbb448222ba62c430e21e13f940be4cb5cfc373cd3bce56b48c0ffa67%40%3Cdev.flink.apache.org%3E"
},
{
"name": "openSUSE-SU-2020:1888",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00039.html"
},
{
"name": "[flink-issues] 20201129 [jira] [Commented] (FLINK-20014) Resolve CVE-2020-11022 and CVE-2020-11023 in scala-compiler",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r49ce4243b4738dd763caeb27fa8ad6afb426ae3e8c011ff00b8b1f48%40%3Cissues.flink.apache.org%3E"
},
{
"name": "[felix-dev] 20201208 [jira] [Created] (FELIX-6366) 1.0.3 \u003c jQuery \u003c3.4.0 is vulnerable to CVE-2020-11023",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r2c85121a47442036c7f8353a3724aa04f8ecdfda1819d311ba4f5330%40%3Cdev.felix.apache.org%3E"
},
{
"name": "[felix-dev] 20201208 [jira] [Updated] (FELIX-6366) 1.0.3 \u003c jQuery \u003c3.4.0 is vulnerable to CVE-2020-11023",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r4dba67be3239b34861f1b9cfdf9dfb3a90272585dcce374112ed6e16%40%3Cdev.felix.apache.org%3E"
},
{
"name": "[felix-dev] 20201208 [GitHub] [felix-dev] cziegeler merged pull request #64: FELIX-6366 1.0.3 \u003c jQuery \u003c3.4.0 is vulnerable to CVE-2020-11023",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r3702ede0ff83a29ba3eb418f6f11c473d6e3736baba981a8dbd9c9ef%40%3Cdev.felix.apache.org%3E"
},
{
"name": "[felix-dev] 20201208 [GitHub] [felix-dev] abhishekgarg18 opened a new pull request #64: FELIX-6366 1.0.3 \u003c jQuery \u003c3.4.0 is vulnerable to CVE-2020-11023",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r07ab379471fb15644bf7a92e4a98cbc7df3cf4e736abae0cc7625fe6%40%3Cdev.felix.apache.org%3E"
},
{
"name": "[felix-dev] 20201208 [jira] [Commented] (FELIX-6366) 1.0.3 \u003c jQuery \u003c3.4.0 is vulnerable to CVE-2020-11023",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r9e0bd31b7da9e7403478d22652b8760c946861f8ebd7bd750844898e%40%3Cdev.felix.apache.org%3E"
},
{
"name": "[felix-dev] 20201208 [jira] [Assigned] (FELIX-6366) 1.0.3 \u003c jQuery \u003c3.4.0 is vulnerable to CVE-2020-11023",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rf0f8939596081d84be1ae6a91d6248b96a02d8388898c372ac807817%40%3Cdev.felix.apache.org%3E"
},
{
"name": "[felix-commits] 20201208 [felix-dev] branch master updated: FELIX-6366 1.0.3 \u003c jQuery \u003c3.4.0 is vulnerable to CVE-2020-11023 (#64)",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r9006ad2abf81d02a0ef2126bab5177987e59095b7194a487c4ea247c%40%3Ccommits.felix.apache.org%3E"
},
{
"name": "[felix-dev] 20201208 [jira] [Updated] (FELIX-6366) 1.0.3 \u003c jQuery \u003c3.5.0 is vulnerable to CVE-2020-11023",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r55f5e066cc7301e3630ce90bbbf8d28c82212ae1f2d4871012141494%40%3Cdev.felix.apache.org%3E"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujan2021.html"
},
{
"name": "[flink-issues] 20210209 [jira] [Commented] (FLINK-20014) Resolve CVE-2020-11022 and CVE-2020-11023 in scala-compiler",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r8f70b0f65d6bedf316ecd899371fd89e65333bc988f6326d2956735c%40%3Cissues.flink.apache.org%3E"
},
{
"name": "[flink-issues] 20210209 [jira] [Comment Edited] (FLINK-20014) Resolve CVE-2020-11022 and CVE-2020-11023 in scala-compiler",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r564585d97bc069137e64f521e68ba490c7c9c5b342df5d73c49a0760%40%3Cissues.flink.apache.org%3E"
},
{
"name": "[debian-lts-announce] 20210326 [SECURITY] [DLA 2608-1] jquery security update",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/03/msg00033.html"
},
{
"name": "[flink-issues] 20210422 [jira] [Updated] (FLINK-20014) Resolve CVE-2020-11022 and CVE-2020-11023 in scala-compiler",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/ree3bd8ddb23df5fa4e372d11c226830ea3650056b1059f3965b3fce2%40%3Cissues.flink.apache.org%3E"
},
{
"name": "[flink-issues] 20210422 [jira] [Commented] (FLINK-20014) Resolve CVE-2020-11022 and CVE-2020-11023 in scala-compiler",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rede9cfaa756e050a3d83045008f84a62802fc68c17f2b4eabeaae5e4%40%3Cissues.flink.apache.org%3E"
},
{
"name": "[flink-issues] 20210429 [jira] [Commented] (FLINK-20014) Resolve CVE-2020-11022 and CVE-2020-11023 in scala-compiler",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r54565a8f025c7c4f305355fdfd75b68eca442eebdb5f31c2e7d977ae%40%3Cissues.flink.apache.org%3E"
},
{
"name": "[flink-issues] 20210429 [jira] [Updated] (FLINK-20014) Resolve CVE-2020-11022 and CVE-2020-11023 in scala-compiler",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/re4ae96fa5c1a2fe71ccbb7b7ac1538bd0cb677be270a2bf6e2f8d108%40%3Cissues.flink.apache.org%3E"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.tenable.com/security/tns-2021-10"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.tenable.com/security/tns-2021-02"
},
{
"tags": [
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/162160/jQuery-1.0.3-Cross-Site-Scripting.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"name": "[flink-issues] 20211031 [jira] [Updated] (FLINK-20014) Resolve CVE-2020-11022 and CVE-2020-11023 in scala-compiler",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r0483ba0072783c2e1bfea613984bfb3c86e73ba8879d780dc1cc7d36%40%3Cissues.flink.apache.org%3E"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
},
{
"name": "[debian-lts-announce] 20230831 [SECURITY] [DLA 3551-1] otrs2 security update",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html"
}
],
"title": "CVE Program Container",
"x_generator": {
"engine": "ADPogram 0.0.1"
}
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2020-11023",
"options": [
{
"Exploitation": "active"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-23T18:07:17.892570Z",
"version": "2.0.3"
},
"type": "ssvc"
}
},
{
"other": {
"content": {
"dateAdded": "2025-01-23",
"reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-11023"
},
"type": "kev"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-30T01:45:42.911Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"timeline": [
{
"lang": "en",
"time": "2025-01-23T00:00:00+00:00",
"value": "CVE-2020-11023 added to CISA KEV"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "jQuery",
"vendor": "jquery",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.0.3, \u003c 3.5.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing \u003coption\u003e elements from untrusted sources - even after sanitizing it - to one of jQuery\u0027s DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-08-31T02:06:42.262Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "DSA-4693",
"tags": [
"vendor-advisory"
],
"url": "https://www.debian.org/security/2020/dsa-4693"
},
{
"name": "FEDORA-2020-36d2db5f51",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QPN2L2XVQGUA2V5HNQJWHK3APSK3VN7K/"
},
{
"url": "https://www.oracle.com/security-alerts/cpujul2020.html"
},
{
"url": "https://jquery.com/upgrade-guide/3.5/"
},
{
"url": "https://security.netapp.com/advisory/ntap-20200511-0006/"
},
{
"url": "https://www.drupal.org/sa-core-2020-002"
},
{
"url": "https://github.com/jquery/jquery/security/advisories/GHSA-jpcq-cgw6-v4j6"
},
{
"url": "https://blog.jquery.com/2020/04/10/jquery-3-5-0-released"
},
{
"name": "openSUSE-SU-2020:1060",
"tags": [
"vendor-advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00067.html"
},
{
"name": "GLSA-202007-03",
"tags": [
"vendor-advisory"
],
"url": "https://security.gentoo.org/glsa/202007-03"
},
{
"name": "openSUSE-SU-2020:1106",
"tags": [
"vendor-advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00085.html"
},
{
"name": "[hive-issues] 20200813 [jira] [Assigned] (HIVE-24039) update jquery version to mitigate CVE-2020-11023",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r094f435595582f6b5b24b66fedf80543aa8b1d57a3688fbcc21f06ec%40%3Cissues.hive.apache.org%3E"
},
{
"name": "[hive-dev] 20200813 [jira] [Created] (HIVE-24039) update jquery version to mitigate CVE-2020-11023",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/rf661a90a15da8da5922ba6127b3f5f8194d4ebec8855d60a0dd13248%40%3Cdev.hive.apache.org%3E"
},
{
"name": "[hive-issues] 20200813 [jira] [Updated] (HIVE-24039) Update jquery version to mitigate CVE-2020-11023",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r9c5fda81e4bca8daee305b4c03283dddb383ab8428a151d4cb0b3b15%40%3Cissues.hive.apache.org%3E"
},
{
"name": "[hive-gitbox] 20200813 [GitHub] [hive] rajkrrsingh opened a new pull request #1403: Hive 24039 : Update jquery version to mitigate CVE-2020-11023",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/ra3c9219fcb0b289e18e9ec5a5ebeaa5c17d6b79a201667675af6721c%40%3Cgitbox.hive.apache.org%3E"
},
{
"name": "[hive-issues] 20200902 [jira] [Work started] (HIVE-24039) Update jquery version to mitigate CVE-2020-11023",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/radcb2aa874a79647789f3563fcbbceaf1045a029ee8806b59812a8ea%40%3Cissues.hive.apache.org%3E"
},
{
"name": "[hive-issues] 20200902 [jira] [Commented] (HIVE-24039) Update jquery version to mitigate CVE-2020-11023",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/rd38b4185a797b324c8dd940d9213cf99fcdc2dbf1fc5a63ba7dee8c9%40%3Cissues.hive.apache.org%3E"
},
{
"name": "[hive-issues] 20200902 [jira] [Assigned] (HIVE-24039) Update jquery version to mitigate CVE-2020-11023",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r6e97b37963926f6059ecc1e417721608723a807a76af41d4e9dbed49%40%3Cissues.hive.apache.org%3E"
},
{
"name": "[hive-issues] 20200902 [jira] [Comment Edited] (HIVE-24039) Update jquery version to mitigate CVE-2020-11023",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/rb69b7d8217c1a6a2100247a5d06ce610836b31e3f5d73fc113ded8e7%40%3Cissues.hive.apache.org%3E"
},
{
"name": "[hive-issues] 20200904 [jira] [Assigned] (HIVE-24039) Update jquery version to mitigate CVE-2020-11023",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r4aadb98086ca72ed75391f54167522d91489a0d0ae25b12baa8fc7c5%40%3Cissues.hive.apache.org%3E"
},
{
"name": "[hive-gitbox] 20200911 [GitHub] [hive] rajkrrsingh closed pull request #1403: Hive 24039 : Update jquery version to mitigate CVE-2020-11023",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/ra374bb0299b4aa3e04edde01ebc03ed6f90cf614dad40dd428ce8f72%40%3Cgitbox.hive.apache.org%3E"
},
{
"name": "[hive-gitbox] 20200911 [GitHub] [hive] rajkrrsingh opened a new pull request #1403: Hive 24039 : Update jquery version to mitigate CVE-2020-11023",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/rb25c3bc7418ae75cba07988dafe1b6912f76a9dd7d94757878320d61%40%3Cgitbox.hive.apache.org%3E"
},
{
"name": "[hive-gitbox] 20200912 [GitHub] [hive] rajkrrsingh closed pull request #1403: Hive 24039 : Update jquery version to mitigate CVE-2020-11023",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/rf1ba79e564fe7efc56aef7c986106f1cf67a3427d08e997e088e7a93%40%3Cgitbox.hive.apache.org%3E"
},
{
"name": "[hive-gitbox] 20200912 [GitHub] [hive] rajkrrsingh opened a new pull request #1403: Hive 24039 : Update jquery version to mitigate CVE-2020-11023",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/ra32c7103ded9041c7c1cb8c12c8d125a6b2f3f3270e2937ef8417fac%40%3Cgitbox.hive.apache.org%3E"
},
{
"name": "FEDORA-2020-fbb94073a1",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SFP4UK4EGP4AFH2MWYJ5A5Z4I7XVFQ6B/"
},
{
"name": "FEDORA-2020-0b32a59b54",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AVKYXLWCLZBV2N7M46KYK4LVA5OXWPBY/"
},
{
"name": "[hive-issues] 20200915 [jira] [Resolved] (HIVE-24039) Update jquery version to mitigate CVE-2020-11023",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/ra406b3adfcffcb5ce8707013bdb7c35e3ffc2776a8a99022f15274c6%40%3Cissues.hive.apache.org%3E"
},
{
"name": "[hive-commits] 20200915 [hive] branch master updated: HIVE-24039 : Update jquery version to mitigate CVE-2020-11023 (#1403)",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/rab82dd040f302018c85bd07d33f5604113573514895ada523c3401d9%40%3Ccommits.hive.apache.org%3E"
},
{
"name": "[hive-issues] 20200915 [jira] [Work logged] (HIVE-24039) Update jquery version to mitigate CVE-2020-11023",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r6c4df3b33e625a44471009a172dabe6865faec8d8f21cac2303463b1%40%3Cissues.hive.apache.org%3E"
},
{
"name": "[hive-gitbox] 20200915 [GitHub] [hive] kgyrtkirk merged pull request #1403: HIVE-24039 : Update jquery version to mitigate CVE-2020-11023",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r1fed19c860a0d470f2a3eded12795772c8651ff583ef951ddac4918c%40%3Cgitbox.hive.apache.org%3E"
},
{
"name": "[hive-issues] 20200915 [jira] [Updated] (HIVE-24039) Update jquery version to mitigate CVE-2020-11023",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r0593393ca1e97b1e7e098fe69d414d6bd0a467148e9138d07e86ebbb%40%3Cissues.hive.apache.org%3E"
},
{
"name": "FEDORA-2020-fe94df8c34",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SAPQVX3XDNPGFT26QAQ6AJIXZZBZ4CD4/"
},
{
"name": "[nifi-commits] 20200930 svn commit: r1882168 - /nifi/site/trunk/security.html",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/rda99599896c3667f2cc9e9d34c7b6ef5d2bbed1f4801e1d75a2b0679%40%3Ccommits.nifi.apache.org%3E"
},
{
"url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
},
{
"name": "[flink-issues] 20201105 [jira] [Created] (FLINK-20014) Resolve CVE-2020-11022 and CVE-2020-11023 in scala-compiler",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r706cfbc098420f7113968cc377247ec3d1439bce42e679c11c609e2d%40%3Cissues.flink.apache.org%3E"
},
{
"name": "[flink-dev] 20201105 [jira] [Created] (FLINK-20014) Resolve CVE-2020-11022 and CVE-2020-11023 in scala-compiler",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/rbb448222ba62c430e21e13f940be4cb5cfc373cd3bce56b48c0ffa67%40%3Cdev.flink.apache.org%3E"
},
{
"name": "openSUSE-SU-2020:1888",
"tags": [
"vendor-advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00039.html"
},
{
"name": "[flink-issues] 20201129 [jira] [Commented] (FLINK-20014) Resolve CVE-2020-11022 and CVE-2020-11023 in scala-compiler",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r49ce4243b4738dd763caeb27fa8ad6afb426ae3e8c011ff00b8b1f48%40%3Cissues.flink.apache.org%3E"
},
{
"name": "[felix-dev] 20201208 [jira] [Created] (FELIX-6366) 1.0.3 \u003c jQuery \u003c3.4.0 is vulnerable to CVE-2020-11023",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r2c85121a47442036c7f8353a3724aa04f8ecdfda1819d311ba4f5330%40%3Cdev.felix.apache.org%3E"
},
{
"name": "[felix-dev] 20201208 [jira] [Updated] (FELIX-6366) 1.0.3 \u003c jQuery \u003c3.4.0 is vulnerable to CVE-2020-11023",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r4dba67be3239b34861f1b9cfdf9dfb3a90272585dcce374112ed6e16%40%3Cdev.felix.apache.org%3E"
},
{
"name": "[felix-dev] 20201208 [GitHub] [felix-dev] cziegeler merged pull request #64: FELIX-6366 1.0.3 \u003c jQuery \u003c3.4.0 is vulnerable to CVE-2020-11023",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r3702ede0ff83a29ba3eb418f6f11c473d6e3736baba981a8dbd9c9ef%40%3Cdev.felix.apache.org%3E"
},
{
"name": "[felix-dev] 20201208 [GitHub] [felix-dev] abhishekgarg18 opened a new pull request #64: FELIX-6366 1.0.3 \u003c jQuery \u003c3.4.0 is vulnerable to CVE-2020-11023",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r07ab379471fb15644bf7a92e4a98cbc7df3cf4e736abae0cc7625fe6%40%3Cdev.felix.apache.org%3E"
},
{
"name": "[felix-dev] 20201208 [jira] [Commented] (FELIX-6366) 1.0.3 \u003c jQuery \u003c3.4.0 is vulnerable to CVE-2020-11023",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r9e0bd31b7da9e7403478d22652b8760c946861f8ebd7bd750844898e%40%3Cdev.felix.apache.org%3E"
},
{
"name": "[felix-dev] 20201208 [jira] [Assigned] (FELIX-6366) 1.0.3 \u003c jQuery \u003c3.4.0 is vulnerable to CVE-2020-11023",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/rf0f8939596081d84be1ae6a91d6248b96a02d8388898c372ac807817%40%3Cdev.felix.apache.org%3E"
},
{
"name": "[felix-commits] 20201208 [felix-dev] branch master updated: FELIX-6366 1.0.3 \u003c jQuery \u003c3.4.0 is vulnerable to CVE-2020-11023 (#64)",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r9006ad2abf81d02a0ef2126bab5177987e59095b7194a487c4ea247c%40%3Ccommits.felix.apache.org%3E"
},
{
"name": "[felix-dev] 20201208 [jira] [Updated] (FELIX-6366) 1.0.3 \u003c jQuery \u003c3.5.0 is vulnerable to CVE-2020-11023",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r55f5e066cc7301e3630ce90bbbf8d28c82212ae1f2d4871012141494%40%3Cdev.felix.apache.org%3E"
},
{
"url": "https://www.oracle.com/security-alerts/cpujan2021.html"
},
{
"name": "[flink-issues] 20210209 [jira] [Commented] (FLINK-20014) Resolve CVE-2020-11022 and CVE-2020-11023 in scala-compiler",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r8f70b0f65d6bedf316ecd899371fd89e65333bc988f6326d2956735c%40%3Cissues.flink.apache.org%3E"
},
{
"name": "[flink-issues] 20210209 [jira] [Comment Edited] (FLINK-20014) Resolve CVE-2020-11022 and CVE-2020-11023 in scala-compiler",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r564585d97bc069137e64f521e68ba490c7c9c5b342df5d73c49a0760%40%3Cissues.flink.apache.org%3E"
},
{
"name": "[debian-lts-announce] 20210326 [SECURITY] [DLA 2608-1] jquery security update",
"tags": [
"mailing-list"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/03/msg00033.html"
},
{
"name": "[flink-issues] 20210422 [jira] [Updated] (FLINK-20014) Resolve CVE-2020-11022 and CVE-2020-11023 in scala-compiler",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/ree3bd8ddb23df5fa4e372d11c226830ea3650056b1059f3965b3fce2%40%3Cissues.flink.apache.org%3E"
},
{
"name": "[flink-issues] 20210422 [jira] [Commented] (FLINK-20014) Resolve CVE-2020-11022 and CVE-2020-11023 in scala-compiler",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/rede9cfaa756e050a3d83045008f84a62802fc68c17f2b4eabeaae5e4%40%3Cissues.flink.apache.org%3E"
},
{
"name": "[flink-issues] 20210429 [jira] [Commented] (FLINK-20014) Resolve CVE-2020-11022 and CVE-2020-11023 in scala-compiler",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r54565a8f025c7c4f305355fdfd75b68eca442eebdb5f31c2e7d977ae%40%3Cissues.flink.apache.org%3E"
},
{
"name": "[flink-issues] 20210429 [jira] [Updated] (FLINK-20014) Resolve CVE-2020-11022 and CVE-2020-11023 in scala-compiler",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/re4ae96fa5c1a2fe71ccbb7b7ac1538bd0cb677be270a2bf6e2f8d108%40%3Cissues.flink.apache.org%3E"
},
{
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"url": "https://www.tenable.com/security/tns-2021-10"
},
{
"url": "https://www.tenable.com/security/tns-2021-02"
},
{
"url": "http://packetstormsecurity.com/files/162160/jQuery-1.0.3-Cross-Site-Scripting.html"
},
{
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"name": "[flink-issues] 20211031 [jira] [Updated] (FLINK-20014) Resolve CVE-2020-11022 and CVE-2020-11023 in scala-compiler",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r0483ba0072783c2e1bfea613984bfb3c86e73ba8879d780dc1cc7d36%40%3Cissues.flink.apache.org%3E"
},
{
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
},
{
"name": "[debian-lts-announce] 20230831 [SECURITY] [DLA 3551-1] otrs2 security update",
"tags": [
"mailing-list"
],
"url": "https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html"
}
],
"source": {
"advisory": "GHSA-jpcq-cgw6-v4j6",
"discovery": "UNKNOWN"
},
"title": "Potential XSS vulnerability in jQuery"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2020-11023",
"datePublished": "2020-04-29T00:00:00.000Z",
"dateReserved": "2020-03-30T00:00:00.000Z",
"dateUpdated": "2025-07-30T01:45:42.911Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2016-0799 (GCVE-0-2016-0799)
Vulnerability from cvelistv5
Published
2016-03-03 00:00
Modified
2024-08-05 22:30
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
The fmtstr function in crypto/bio/b_print.c in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g improperly calculates string lengths, which allows remote attackers to cause a denial of service (overflow and out-of-bounds read) or possibly have unspecified other impact via a long string, as demonstrated by a large amount of ASN.1 data, a different vulnerability than CVE-2016-2842.
References
| ► | URL | Tags | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T22:30:05.134Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html"
},
{
"name": "83755",
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/83755"
},
{
"name": "FEDORA-2016-2802690366",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-March/178358.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05131085"
},
{
"tags": [
"x_transferred"
],
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05157667"
},
{
"name": "RHSA-2016:2073",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2016-2073.html"
},
{
"name": "FEDORA-2016-e6807b3394",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-March/178817.html"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinjul2016-3090544.html"
},
{
"name": "HPSBMU03575",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://marc.info/?l=bugtraq\u0026m=146108058503441\u0026w=2"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05111017"
},
{
"name": "openSUSE-SU-2016:0638",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00010.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05376917"
},
{
"name": "FreeBSD-SA-16:12",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://security.FreeBSD.org/advisories/FreeBSD-SA-16:12.openssl.asc"
},
{
"name": "openSUSE-SU-2016:1239",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00015.html"
},
{
"name": "SUSE-SU-2016:0621",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00003.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05150888"
},
{
"tags": [
"x_transferred"
],
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05135617"
},
{
"name": "openSUSE-SU-2016:0640",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00011.html"
},
{
"name": "HPSBGN03569",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://marc.info/?l=bugtraq\u0026m=145983526810210\u0026w=2"
},
{
"tags": [
"x_transferred"
],
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05158380"
},
{
"name": "USN-2914-1",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://www.ubuntu.com/usn/USN-2914-1"
},
{
"tags": [
"x_transferred"
],
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05150736"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html"
},
{
"name": "SUSE-SU-2016:1057",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00038.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA40168"
},
{
"tags": [
"x_transferred"
],
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05126404"
},
{
"name": "openSUSE-SU-2016:1241",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00017.html"
},
{
"tags": [
"x_transferred"
],
"url": "http://openssl.org/news/secadv/20160301.txt"
},
{
"name": "20160302 Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: March 2016",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160302-openssl"
},
{
"tags": [
"x_transferred"
],
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05086877"
},
{
"name": "openSUSE-SU-2016:0720",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00025.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390722"
},
{
"name": "SUSE-SU-2016:0624",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00004.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05141441"
},
{
"name": "DSA-3500",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://www.debian.org/security/2016/dsa-3500"
},
{
"name": "RHSA-2016:0996",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2016-0996.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbhf03741en_us"
},
{
"name": "SUSE-SU-2016:0631",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00007.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.openssl.org/news/secadv/20160301.txt"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html"
},
{
"name": "91787",
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/91787"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.openssl.org/?p=openssl.git%3Ba=commit%3Bh=578b956fe741bf8e84055547b1e83c28dd902c73"
},
{
"name": "SUSE-SU-2016:0617",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00001.html"
},
{
"name": "RHSA-2016:2957",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2016-2957.html"
},
{
"name": "GLSA-201603-15",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/201603-15"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.oracle.com/technetwork/topics/security/bulletinjan2016-2867206.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05068681"
},
{
"name": "openSUSE-SU-2016:0628",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00006.html"
},
{
"name": "1035133",
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "http://www.securitytracker.com/id/1035133"
},
{
"tags": [
"x_transferred"
],
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05150800"
},
{
"name": "RHSA-2016:0722",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2016-0722.html"
},
{
"name": "SUSE-SU-2016:0678",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00017.html"
},
{
"name": "SUSE-SU-2016:0620",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00002.html"
},
{
"name": "openSUSE-SU-2016:0637",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00009.html"
},
{
"name": "SUSE-SU-2016:0641",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00012.html"
},
{
"tags": [
"x_transferred"
],
"url": "http://kb.juniper.net/InfoCenter/index?page=content\u0026id=JSA10759"
},
{
"tags": [
"x_transferred"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-412672.pdf"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2016-03-01T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The fmtstr function in crypto/bio/b_print.c in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g improperly calculates string lengths, which allows remote attackers to cause a denial of service (overflow and out-of-bounds read) or possibly have unspecified other impact via a long string, as demonstrated by a large amount of ASN.1 data, a different vulnerability than CVE-2016-2842."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-12-13T00:00:00",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"url": "http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html"
},
{
"name": "83755",
"tags": [
"vdb-entry"
],
"url": "http://www.securityfocus.com/bid/83755"
},
{
"name": "FEDORA-2016-2802690366",
"tags": [
"vendor-advisory"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-March/178358.html"
},
{
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05131085"
},
{
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05157667"
},
{
"name": "RHSA-2016:2073",
"tags": [
"vendor-advisory"
],
"url": "http://rhn.redhat.com/errata/RHSA-2016-2073.html"
},
{
"name": "FEDORA-2016-e6807b3394",
"tags": [
"vendor-advisory"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-March/178817.html"
},
{
"url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinjul2016-3090544.html"
},
{
"name": "HPSBMU03575",
"tags": [
"vendor-advisory"
],
"url": "http://marc.info/?l=bugtraq\u0026m=146108058503441\u0026w=2"
},
{
"url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html"
},
{
"url": "http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html"
},
{
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05111017"
},
{
"name": "openSUSE-SU-2016:0638",
"tags": [
"vendor-advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00010.html"
},
{
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05376917"
},
{
"name": "FreeBSD-SA-16:12",
"tags": [
"vendor-advisory"
],
"url": "https://security.FreeBSD.org/advisories/FreeBSD-SA-16:12.openssl.asc"
},
{
"name": "openSUSE-SU-2016:1239",
"tags": [
"vendor-advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00015.html"
},
{
"name": "SUSE-SU-2016:0621",
"tags": [
"vendor-advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00003.html"
},
{
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05150888"
},
{
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05135617"
},
{
"name": "openSUSE-SU-2016:0640",
"tags": [
"vendor-advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00011.html"
},
{
"name": "HPSBGN03569",
"tags": [
"vendor-advisory"
],
"url": "http://marc.info/?l=bugtraq\u0026m=145983526810210\u0026w=2"
},
{
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05158380"
},
{
"name": "USN-2914-1",
"tags": [
"vendor-advisory"
],
"url": "http://www.ubuntu.com/usn/USN-2914-1"
},
{
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05150736"
},
{
"url": "http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html"
},
{
"name": "SUSE-SU-2016:1057",
"tags": [
"vendor-advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00038.html"
},
{
"url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA40168"
},
{
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05126404"
},
{
"name": "openSUSE-SU-2016:1241",
"tags": [
"vendor-advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00017.html"
},
{
"url": "http://openssl.org/news/secadv/20160301.txt"
},
{
"name": "20160302 Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: March 2016",
"tags": [
"vendor-advisory"
],
"url": "http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160302-openssl"
},
{
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05086877"
},
{
"name": "openSUSE-SU-2016:0720",
"tags": [
"vendor-advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00025.html"
},
{
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390722"
},
{
"name": "SUSE-SU-2016:0624",
"tags": [
"vendor-advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00004.html"
},
{
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05141441"
},
{
"name": "DSA-3500",
"tags": [
"vendor-advisory"
],
"url": "http://www.debian.org/security/2016/dsa-3500"
},
{
"name": "RHSA-2016:0996",
"tags": [
"vendor-advisory"
],
"url": "http://rhn.redhat.com/errata/RHSA-2016-0996.html"
},
{
"url": "https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbhf03741en_us"
},
{
"name": "SUSE-SU-2016:0631",
"tags": [
"vendor-advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00007.html"
},
{
"url": "https://www.openssl.org/news/secadv/20160301.txt"
},
{
"url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html"
},
{
"name": "91787",
"tags": [
"vdb-entry"
],
"url": "http://www.securityfocus.com/bid/91787"
},
{
"url": "https://git.openssl.org/?p=openssl.git%3Ba=commit%3Bh=578b956fe741bf8e84055547b1e83c28dd902c73"
},
{
"name": "SUSE-SU-2016:0617",
"tags": [
"vendor-advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00001.html"
},
{
"name": "RHSA-2016:2957",
"tags": [
"vendor-advisory"
],
"url": "http://rhn.redhat.com/errata/RHSA-2016-2957.html"
},
{
"name": "GLSA-201603-15",
"tags": [
"vendor-advisory"
],
"url": "https://security.gentoo.org/glsa/201603-15"
},
{
"url": "http://www.oracle.com/technetwork/topics/security/bulletinjan2016-2867206.html"
},
{
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05068681"
},
{
"name": "openSUSE-SU-2016:0628",
"tags": [
"vendor-advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00006.html"
},
{
"name": "1035133",
"tags": [
"vdb-entry"
],
"url": "http://www.securitytracker.com/id/1035133"
},
{
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05150800"
},
{
"name": "RHSA-2016:0722",
"tags": [
"vendor-advisory"
],
"url": "http://rhn.redhat.com/errata/RHSA-2016-0722.html"
},
{
"name": "SUSE-SU-2016:0678",
"tags": [
"vendor-advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00017.html"
},
{
"name": "SUSE-SU-2016:0620",
"tags": [
"vendor-advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00002.html"
},
{
"name": "openSUSE-SU-2016:0637",
"tags": [
"vendor-advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00009.html"
},
{
"name": "SUSE-SU-2016:0641",
"tags": [
"vendor-advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00012.html"
},
{
"url": "http://kb.juniper.net/InfoCenter/index?page=content\u0026id=JSA10759"
},
{
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-412672.pdf"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2016-0799",
"datePublished": "2016-03-03T00:00:00",
"dateReserved": "2015-12-16T00:00:00",
"dateUpdated": "2024-08-05T22:30:05.134Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-21295 (GCVE-0-2021-21295)
Vulnerability from cvelistv5
Published
2021-03-09 18:35
Modified
2024-08-03 18:09
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
Summary
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.60.Final there is a vulnerability that enables request smuggling. If a Content-Length header is present in the original HTTP/2 request, the field is not validated by `Http2MultiplexHandler` as it is propagated up. This is fine as long as the request is not proxied through as HTTP/1.1. If the request comes in as an HTTP/2 stream, gets converted into the HTTP/1.1 domain objects (`HttpRequest`, `HttpContent`, etc.) via `Http2StreamFrameToHttpObjectCodec `and then sent up to the child channel's pipeline and proxied through a remote peer as HTTP/1.1 this may result in request smuggling. In a proxy case, users may assume the content-length is validated somehow, which is not the case. If the request is forwarded to a backend channel that is a HTTP/1.1 connection, the Content-Length now has meaning and needs to be checked. An attacker can smuggle requests inside the body as it gets downgraded from HTTP/2 to HTTP/1.1. For an example attack refer to the linked GitHub Advisory. Users are only affected if all of this is true: `HTTP2MultiplexCodec` or `Http2FrameCodec` is used, `Http2StreamFrameToHttpObjectCodec` is used to convert to HTTP/1.1 objects, and these HTTP/1.1 objects are forwarded to another remote peer. This has been patched in 4.1.60.Final As a workaround, the user can do the validation by themselves by implementing a custom `ChannelInboundHandler` that is put in the `ChannelPipeline` behind `Http2StreamFrameToHttpObjectCodec`.
References
| ► | URL | Tags | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| netty | io.netty:netty-codec-http2 |
Version: < 4.1.60.Final |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T18:09:15.344Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Netflix/zuul/pull/980"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/netty/netty/commit/89c241e3b1795ff257af4ad6eadc616cb2fb3dc4"
},
{
"name": "[ranger-dev] 20210317 [jira] [Created] (RANGER-3209) Upgrade netty to 4.1.60+ due to CVE-2021-21290 and CVE-2021-21295",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r02e467123d45006a1dda20a38349e9c74c3a4b53e2e07be0939ecb3f%40%3Cdev.ranger.apache.org%3E"
},
{
"name": "[ranger-dev] 20210317 [jira] [Assigned] (RANGER-3209) Upgrade netty to 4.1.60+ due to CVE-2021-21290 and CVE-2021-21295",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r7bb3cdc192e9a6f863d3ea05422f09fa1ae2b88d4663e63696ee7ef5%40%3Cdev.ranger.apache.org%3E"
},
{
"name": "[pulsar-commits] 20210329 [GitHub] [pulsar] yaswanthnadella opened a new issue #10071: CVE-2021-21295 \u0026 CVE-2021-21290",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rcd163e421273e8dca1c71ea298dce3dd11b41d51c3a812e0394e6a5d%40%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[pulsar-commits] 20210329 [GitHub] [pulsar] aahmed-se opened a new pull request #10073: Upgrade Netty version to 4.1.60.final",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r9924ef9357537722b28d04c98a189750b80694a19754e5057c34ca48%40%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[pulsar-commits] 20210329 [GitHub] [pulsar] merlimat closed issue #10071: CVE-2021-21295 \u0026 CVE-2021-21290",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rb51d6202ff1a773f96eaa694b7da4ad3f44922c40b3d4e1a19c2f325%40%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[bookkeeper-issues] 20210330 [GitHub] [bookkeeper] eolivelli opened a new issue #2669: Update Netty to 4.1.60.final",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r790c2926efcd062067eb18fde2486527596d7275381cfaff2f7b3890%40%3Cissues.bookkeeper.apache.org%3E"
},
{
"name": "[zookeeper-dev] 20210330 [jira] [Created] (ZOOKEEPER-4272) Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r1908a34b9cc7120e5c19968a116ddbcffea5e9deb76c2be4fa461904%40%3Cdev.zookeeper.apache.org%3E"
},
{
"name": "[kafka-dev] 20210330 [jira] [Created] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rb06c1e766aa45ee422e8261a8249b561784186483e8f742ea627bda4%40%3Cdev.kafka.apache.org%3E"
},
{
"name": "[kafka-jira] 20210330 [jira] [Updated] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r5e66e286afb5506cdfe9bbf68a323e8d09614f6d1ddc806ed0224700%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210330 [jira] [Created] (ZOOKEEPER-4272) Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rb592033a2462548d061a83ac9449c5ff66098751748fcd1e2d008233%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[kafka-jira] 20210330 [jira] [Created] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r59bac5c09f7a4179b9e2460e8f41c278aaf3b9a21cc23678eb893e41%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210330 [jira] [Updated] (ZOOKEEPER-4272) Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rc0087125cb15b4b78e44000f841cd37fefedfda942fd7ddf3ad1b528%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210331 [jira] [Assigned] (ZOOKEEPER-4272) Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r1bca0b81193b74a451fc6d687ab58ef3a1f5ec40f6c61561d8dd9509%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210331 [jira] [Commented] (ZOOKEEPER-4272) Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r3ff9e735ca33612d900607dc139ebd38a64cadc6bce292e53eb86d7f%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210331 [GitHub] [zookeeper] ayushmantri opened a new pull request #1669: ZOOKEEPER-4272: Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r312ce5bd3c6bf08c138349b507b6f1c25fe9cf40b6f2b0014c9d12b1%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210331 [jira] [Updated] (ZOOKEEPER-4272) Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rcfc535afd413d9934d6ee509dce234dac41fa3747a7555befb17447e%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[kafka-jira] 20210331 [GitHub] [kafka] dongjinleekr commented on pull request #10448: KAFKA-12583: Upgrade of netty-codec due to CVE-2021-21295",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r3c293431c781696681abbfe1c573c2d9dcdae6fd3ff330ea22f0433f%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "[kafka-jira] 20210331 [GitHub] [kafka] dongjinleekr opened a new pull request #10448: KAFKA-12583: Upgrade of netty-codec due to CVE-2021-21295",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r9051e4f484a970b5566dc1870ecd9c1eb435214e2652cf3ea4d0c0cc%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210331 [GitHub] [zookeeper] arshadmohammad commented on pull request #1669: ZOOKEEPER-4272: Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rbadcbcb50195f00bbd196403865ced521ca70787999583c07be38d0e%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210331 [GitHub] [zookeeper] eolivelli commented on pull request #1669: ZOOKEEPER-4272: Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r67e6a636cbc1958383a1cd72b7fd0cd7493360b1dd0e6c12f5761798%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210331 [GitHub] [zookeeper] ayushmantri opened a new pull request #1670: ZOOKEEPER-4272: Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r6a29316d758db628a1df49ca219d64caf493999b52cc77847bfba675%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210331 [GitHub] [zookeeper] arshadmohammad commented on pull request #1670: ZOOKEEPER-4272: Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r5470456cf1409a99893ae9dd57439799f6dc1a60fda90e11570f66fe%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210331 [GitHub] [zookeeper] arshadmohammad closed pull request #1670: ZOOKEEPER-4272: Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rbed09768f496244a2e138dbbe6d2847ddf796c9c8ef9e50f2e3e30d9%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210331 [GitHub] [zookeeper] asfgit closed pull request #1669: ZOOKEEPER-4272: Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r5232e33a1f3b310a3e083423f736f3925ebdb150844d60ac582809f8%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-commits] 20210331 [zookeeper] branch branch-3.7 updated: ZOOKEEPER-4272: Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r6a122c25e352eb134d01e7f4fc4d345a491c5ee9453fef6fc754d15b%40%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-commits] 20210331 [zookeeper] branch branch-3.6 updated: ZOOKEEPER-4272: Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r22adb45fe902aeafcd0a1c4db13984224a667676c323c66db3af38a1%40%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-commits] 20210331 [zookeeper] branch master updated: ZOOKEEPER-4272: Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r837bbcbf12e335e83ab448b1bd2c1ad7e86efdc14034b23811422e6a%40%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-commits] 20210331 [zookeeper] branch branch-3.5 updated: ZOOKEEPER-4272 ZOOKEEPER-4272: Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r70cebada51bc6d49138272437d8a28fe971d0197334ef906b575044c%40%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210331 [jira] [Resolved] (ZOOKEEPER-4272) Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/re6207ebe2ca4d44f2a6deee695ad6f27fd29d78980f1d46ed1574f91%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210401 [jira] [Commented] (ZOOKEEPER-4272) Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rdc096e13ac4501ea2e2b03a197682a313b85d3d3ec89d5ae5551b384%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[kafka-dev] 20210401 [jira] [Resolved] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r5fc5786cdd640b1b0a3c643237ce0011f0a08a296b11c0e2c669022c%40%3Cdev.kafka.apache.org%3E"
},
{
"name": "[kafka-jira] 20210401 [jira] [Commented] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r96ce18044880c33634c4b3fcecc57b8b90673c9364d63eba00385523%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "[kafka-jira] 20210401 [jira] [Resolved] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rc165e36ca7cb5417aec3f21bbc4ec00fb38ecebdd96a82cfab9bd56f%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210402 [jira] [Commented] (ZOOKEEPER-4272) Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r2936730ef0a06e724b96539bc7eacfcd3628987c16b1b99c790e7b87%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[hbase-issues] 20210402 [GitHub] [hbase-thirdparty] apurtell merged pull request #48: HBASE-25728 [hbase-thirdparty] Upgrade Netty library to \u003e= 4.1.60 due to security vulnerability CVE-2021-21295",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r22b2f34447d71c9a0ad9079b7860323d5584fb9b40eb42668c21eaf1%40%3Cissues.hbase.apache.org%3E"
},
{
"name": "[hbase-issues] 20210402 [GitHub] [hbase-thirdparty] HorizonNet commented on pull request #48: HBASE-25728 [hbase-thirdparty] Upgrade Netty library to \u003e= 4.1.60 due to security vulnerability CVE-2021-21295",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rb95d42ce220ed4a4683aa17833b5006d657bc4254bc5cb03cd5e6bfb%40%3Cissues.hbase.apache.org%3E"
},
{
"name": "[hbase-issues] 20210402 [jira] [Assigned] (HBASE-25728) [hbase-thirdparty] Upgrade Netty library to \u003e= 4.1.60 due to security vulnerability CVE-2021-21295",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r393a339ab0b63ef9e6502253eeab26e7643b3e69738d5948b2b1d064%40%3Cissues.hbase.apache.org%3E"
},
{
"name": "[hbase-issues] 20210402 [GitHub] [hbase-thirdparty] apurtell opened a new pull request #48: HBASE-25728 [hbase-thirdparty] Upgrade Netty library to \u003e= 4.1.60 due to security vulnerability CVE-2021-21295",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r040a5e4d9cca2f98354b58a70b27099672276f66995c4e2e39545d0b%40%3Cissues.hbase.apache.org%3E"
},
{
"name": "[hbase-issues] 20210402 [jira] [Updated] (HBASE-25728) [hbase-thirdparty] Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r27b7e5a588ec826b15f38c40be500c50073400019ce7b8adfd07fece%40%3Cissues.hbase.apache.org%3E"
},
{
"name": "[hbase-issues] 20210402 [GitHub] [hbase-thirdparty] apurtell commented on pull request #48: HBASE-25728 [hbase-thirdparty] Upgrade Netty library to \u003e= 4.1.60 due to security vulnerability CVE-2021-21295",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r86cd38a825ab2344f3e6cad570528852f29a4ffdf56ab67d75c36edf%40%3Cissues.hbase.apache.org%3E"
},
{
"name": "[hbase-issues] 20210402 [jira] [Updated] (HBASE-25728) [hbase-thirdparty] Upgrade Netty library to \u003e= 4.1.60 due to security vulnerability CVE-2021-21295",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/ra83096bcbfe6e1f4d54449f8a013117a0536404e9d307ab4a0d34f81%40%3Cissues.hbase.apache.org%3E"
},
{
"name": "[hbase-commits] 20210402 [hbase-thirdparty] branch master updated: HBASE-25728 [hbase-thirdparty] Upgrade Netty library to \u003e= 4.1.60 due to security vulnerability CVE-2021-21295 (#48)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rcf3752209a8b04996373bf57fdc808b3bfaa2be8702698a0323641f8%40%3Ccommits.hbase.apache.org%3E"
},
{
"name": "[hbase-dev] 20210402 [jira] [Created] (HBASE-25728) [hbase-thirdparty] ZOOKEEPER-4272: Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r905b92099998291956eebf4f1c5d95f5a0cbcece2946cc46d32274fd%40%3Cdev.hbase.apache.org%3E"
},
{
"name": "[hbase-issues] 20210402 [GitHub] [hbase-thirdparty] Apache-HBase commented on pull request #48: HBASE-25728 [hbase-thirdparty] Upgrade Netty library to \u003e= 4.1.60 due to security vulnerability CVE-2021-21295",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r6aee7e3566cb3e51eeed2fd8786704d91f80a7581e00a787ba9f37f6%40%3Cissues.hbase.apache.org%3E"
},
{
"name": "[hbase-issues] 20210402 [jira] [Created] (HBASE-25728) [hbase-thirdparty] ZOOKEEPER-4272: Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r268850f26639ebe249356ed6d8edb54ee8943be6f200f770784fb190%40%3Cissues.hbase.apache.org%3E"
},
{
"name": "[kafka-jira] 20210402 [jira] [Assigned] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r15f66ada9a5faf4bac69d9e7c4521cedfefa62df9509881603791969%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "DSA-4885",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2021/dsa-4885"
},
{
"name": "[flink-issues] 20210424 [jira] [Created] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r5baac01f9e06c40ff7aab209d5751b3b58802c63734e33324b70a06a%40%3Cissues.flink.apache.org%3E"
},
{
"name": "[flink-dev] 20210424 [jira] [Created] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/ra64d56a8a331ffd7bdcd24a9aaaeeedeacd5d639f5a683389123f898%40%3Cdev.flink.apache.org%3E"
},
{
"name": "[flink-issues] 20210426 [jira] [Commented] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rd8f72411fb75b98d366400ae789966373b5c3eb3f511e717caf3e49e%40%3Cissues.flink.apache.org%3E"
},
{
"name": "[flink-issues] 20210426 [jira] [Updated] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/re7c69756a102bebce8b8681882844a53e2f23975a189363e68ad0324%40%3Cissues.flink.apache.org%3E"
},
{
"name": "[flink-issues] 20210511 [jira] [Commented] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r855b4b6814ac829ce2d48dd9d8138d07f33387e710de798ee92c011e%40%3Cissues.flink.apache.org%3E"
},
{
"name": "[flink-issues] 20210610 [jira] [Updated] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r0b09f3e31e004fe583f677f7afa46bd30110904576c13c5ac818ac2c%40%3Cissues.flink.apache.org%3E"
},
{
"name": "[flink-issues] 20210618 [jira] [Updated] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r602e98daacc98934f097f07f2eed6eb07c18bfc1949c8489dc7bfcf5%40%3Cissues.flink.apache.org%3E"
},
{
"name": "[jackrabbit-dev] 20210709 [GitHub] [jackrabbit-oak] blackat opened a new pull request #321: Update netty to resolve CVE-2021-21295 and BDSA-2018-4022",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r3c4596b9b37f5ae91628ccf169d33cd5a0da4b16b6c39d5bad8e03f3%40%3Cdev.jackrabbit.apache.org%3E"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20210604-0003/"
},
{
"name": "[kudu-issues] 20210904 [jira] [Created] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rd4a6b7dec38ea6cd28b6f94bd4b312629a52b80be3786d5fb0e474bc%40%3Cissues.kudu.apache.org%3E"
},
{
"name": "[kudu-issues] 20210904 [jira] [Updated] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rca0978b634a0c3ebee4126ec29c7f570b165fae3f8f3658754c1cbd3%40%3Cissues.kudu.apache.org%3E"
},
{
"name": "[kudu-issues] 20210907 [jira] [Resolved] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rf934292a4a1c189827f625d567838d2c1001e4739b158638d844105b%40%3Cissues.kudu.apache.org%3E"
},
{
"name": "[kudu-issues] 20210907 [jira] [Commented] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/ra655e5cec74d1ddf62adacb71d398abd96f3ea2c588f6bbf048348eb%40%3Cissues.kudu.apache.org%3E"
},
{
"name": "[kudu-issues] 20210907 [jira] [Updated] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r4ea2f1a9d79d4fc1896e085f31fb60a21b1770d0a26a5250f849372d%40%3Cissues.kudu.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 - Upgrade jetty to 9.4.42",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rfff6ff8ffb31e8a32619c79774def44b6ffbb037c128c5ad3eab7171%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210928 [jira] [Created] (ZOOKEEPER-4390) CVE-2021-28169 - Upgrade jetty to 9.4.42",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r32b0b640ad2be3b858f0af51c68a7d5c5a66a462c8bbb93699825cd3%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 , - Upgrade jetty to 9.4.42",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rf36f1114e84a3379b20587063686148e2d5a39abc0b8a66ff2a9087a%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 , CVE-2021-28163, - Upgrade jetty to 9.4.42",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rddbb4f8d5db23265bb63d14ef4b3723b438abc1589f877db11d35450%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-dev] 20210928 [jira] [Created] (ZOOKEEPER-4390) CVE-2021-28169 - Upgrade jetty to 9.4.42",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r33eb06b05afbc7df28d31055cae0cb3fd36cab808c884bf6d680bea5%40%3Cdev.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 , CVE-2021-28163, CVE-2021-34428- Upgrade jetty to 9.4.42",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r67c4f90658fde875521c949448c54c98517beecdc7f618f902c620ec%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[pulsar-commits] 20211020 [GitHub] [pulsar] Shoothzj opened a new pull request #12437: [Security] Bump grpc to 1.41.0",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r584cf871f188c406d8bd447ff4e2fd9817fca862436c064d0951a071%40%3Ccommits.pulsar.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rb523bb6c60196c5f58514b86a8585c2069a4852039b45de3818b29d2%40%3Ccommits.servicecomb.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r57245853c7245baab09eae08728c52b58fd77666538092389cc3e882%40%3Ccommits.servicecomb.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r490ca5611c150d193b320a2608209180713b7c68e501b67b0cffb925%40%3Ccommits.servicecomb.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r6d32fc3cd547f7c9a288a57c7f525f5d00a00d5d163613e0d10a23ef%40%3Ccommits.servicecomb.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rdb4db3f5a9c478ca52a7b164680b88877a5a9c174e7047676c006b2c%40%3Ccommits.servicecomb.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r8db1d7b3b9acc9e8d2776395e280eb9615dd7790e1da8c57039963de%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r2e93ce23e04c3f0a61e987d1111d0695cb668ac4ec4edbf237bd3e80%40%3Ccommits.servicecomb.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rc73b8dd01b1be276d06bdf07883ecd93fe1a01f139a99ef30ba4308c%40%3Ccommits.servicecomb.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rd25c88aad0e76240dd09f0eb34bdab924933946429e068a167adcb73%40%3Ccommits.servicecomb.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rcfc154eb2de23d2dc08a56100341161e1a40a8ea86c693735437e8f2%40%3Ccommits.servicecomb.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/ra96c74c37ed7252f78392e1ad16442bd16ae72a4d6c8db50dd55c88b%40%3Ccommits.servicecomb.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r04a3e0d9f53421fb946c60cc54762b7151dc692eb4e39970a7579052%40%3Ccommits.servicecomb.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/racc191a1f70a4f13155e8002c61bddef2870b26441971c697436ad5d%40%3Ccommits.servicecomb.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rf87b870a22aa5c77c27900967b518a71a7d954c2952860fce3794b60%40%3Ccommits.servicecomb.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r16c4b55ac82be72f28adad4f8061477e5f978199d5725691dcc82c24%40%3Ccommits.servicecomb.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rae198f44c3f7ac5264045e6ba976be1703cff38dcf1609916e50210d%40%3Ccommits.servicecomb.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/re4f70b62843e92163fab03b65e2aa8078693293a0c36f1cc260079ed%40%3Ccommits.servicecomb.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/reafc834062486adfc7be5bb8f7b7793be0d33f483678a094c3f9d468%40%3Ccommits.servicecomb.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r8bcaf7821247b1836b10f6a1a3a3212b06272fd4cde4a859de1b78cf%40%3Ccommits.servicecomb.apache.org%3E"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "io.netty:netty-codec-http2",
"vendor": "netty",
"versions": [
{
"status": "affected",
"version": "\u003c 4.1.60.Final"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers \u0026 clients. In Netty (io.netty:netty-codec-http2) before version 4.1.60.Final there is a vulnerability that enables request smuggling. If a Content-Length header is present in the original HTTP/2 request, the field is not validated by `Http2MultiplexHandler` as it is propagated up. This is fine as long as the request is not proxied through as HTTP/1.1. If the request comes in as an HTTP/2 stream, gets converted into the HTTP/1.1 domain objects (`HttpRequest`, `HttpContent`, etc.) via `Http2StreamFrameToHttpObjectCodec `and then sent up to the child channel\u0027s pipeline and proxied through a remote peer as HTTP/1.1 this may result in request smuggling. In a proxy case, users may assume the content-length is validated somehow, which is not the case. If the request is forwarded to a backend channel that is a HTTP/1.1 connection, the Content-Length now has meaning and needs to be checked. An attacker can smuggle requests inside the body as it gets downgraded from HTTP/2 to HTTP/1.1. For an example attack refer to the linked GitHub Advisory. Users are only affected if all of this is true: `HTTP2MultiplexCodec` or `Http2FrameCodec` is used, `Http2StreamFrameToHttpObjectCodec` is used to convert to HTTP/1.1 objects, and these HTTP/1.1 objects are forwarded to another remote peer. This has been patched in 4.1.60.Final As a workaround, the user can do the validation by themselves by implementing a custom `ChannelInboundHandler` that is put in the `ChannelPipeline` behind `Http2StreamFrameToHttpObjectCodec`."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-444",
"description": "CWE-444 Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request Smuggling\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-04-19T23:23:53",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Netflix/zuul/pull/980"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/netty/netty/commit/89c241e3b1795ff257af4ad6eadc616cb2fb3dc4"
},
{
"name": "[ranger-dev] 20210317 [jira] [Created] (RANGER-3209) Upgrade netty to 4.1.60+ due to CVE-2021-21290 and CVE-2021-21295",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r02e467123d45006a1dda20a38349e9c74c3a4b53e2e07be0939ecb3f%40%3Cdev.ranger.apache.org%3E"
},
{
"name": "[ranger-dev] 20210317 [jira] [Assigned] (RANGER-3209) Upgrade netty to 4.1.60+ due to CVE-2021-21290 and CVE-2021-21295",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r7bb3cdc192e9a6f863d3ea05422f09fa1ae2b88d4663e63696ee7ef5%40%3Cdev.ranger.apache.org%3E"
},
{
"name": "[pulsar-commits] 20210329 [GitHub] [pulsar] yaswanthnadella opened a new issue #10071: CVE-2021-21295 \u0026 CVE-2021-21290",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rcd163e421273e8dca1c71ea298dce3dd11b41d51c3a812e0394e6a5d%40%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[pulsar-commits] 20210329 [GitHub] [pulsar] aahmed-se opened a new pull request #10073: Upgrade Netty version to 4.1.60.final",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r9924ef9357537722b28d04c98a189750b80694a19754e5057c34ca48%40%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[pulsar-commits] 20210329 [GitHub] [pulsar] merlimat closed issue #10071: CVE-2021-21295 \u0026 CVE-2021-21290",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rb51d6202ff1a773f96eaa694b7da4ad3f44922c40b3d4e1a19c2f325%40%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[bookkeeper-issues] 20210330 [GitHub] [bookkeeper] eolivelli opened a new issue #2669: Update Netty to 4.1.60.final",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r790c2926efcd062067eb18fde2486527596d7275381cfaff2f7b3890%40%3Cissues.bookkeeper.apache.org%3E"
},
{
"name": "[zookeeper-dev] 20210330 [jira] [Created] (ZOOKEEPER-4272) Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r1908a34b9cc7120e5c19968a116ddbcffea5e9deb76c2be4fa461904%40%3Cdev.zookeeper.apache.org%3E"
},
{
"name": "[kafka-dev] 20210330 [jira] [Created] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rb06c1e766aa45ee422e8261a8249b561784186483e8f742ea627bda4%40%3Cdev.kafka.apache.org%3E"
},
{
"name": "[kafka-jira] 20210330 [jira] [Updated] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r5e66e286afb5506cdfe9bbf68a323e8d09614f6d1ddc806ed0224700%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210330 [jira] [Created] (ZOOKEEPER-4272) Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rb592033a2462548d061a83ac9449c5ff66098751748fcd1e2d008233%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[kafka-jira] 20210330 [jira] [Created] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r59bac5c09f7a4179b9e2460e8f41c278aaf3b9a21cc23678eb893e41%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210330 [jira] [Updated] (ZOOKEEPER-4272) Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rc0087125cb15b4b78e44000f841cd37fefedfda942fd7ddf3ad1b528%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210331 [jira] [Assigned] (ZOOKEEPER-4272) Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r1bca0b81193b74a451fc6d687ab58ef3a1f5ec40f6c61561d8dd9509%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210331 [jira] [Commented] (ZOOKEEPER-4272) Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r3ff9e735ca33612d900607dc139ebd38a64cadc6bce292e53eb86d7f%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210331 [GitHub] [zookeeper] ayushmantri opened a new pull request #1669: ZOOKEEPER-4272: Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r312ce5bd3c6bf08c138349b507b6f1c25fe9cf40b6f2b0014c9d12b1%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210331 [jira] [Updated] (ZOOKEEPER-4272) Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rcfc535afd413d9934d6ee509dce234dac41fa3747a7555befb17447e%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[kafka-jira] 20210331 [GitHub] [kafka] dongjinleekr commented on pull request #10448: KAFKA-12583: Upgrade of netty-codec due to CVE-2021-21295",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r3c293431c781696681abbfe1c573c2d9dcdae6fd3ff330ea22f0433f%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "[kafka-jira] 20210331 [GitHub] [kafka] dongjinleekr opened a new pull request #10448: KAFKA-12583: Upgrade of netty-codec due to CVE-2021-21295",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r9051e4f484a970b5566dc1870ecd9c1eb435214e2652cf3ea4d0c0cc%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210331 [GitHub] [zookeeper] arshadmohammad commented on pull request #1669: ZOOKEEPER-4272: Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rbadcbcb50195f00bbd196403865ced521ca70787999583c07be38d0e%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210331 [GitHub] [zookeeper] eolivelli commented on pull request #1669: ZOOKEEPER-4272: Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r67e6a636cbc1958383a1cd72b7fd0cd7493360b1dd0e6c12f5761798%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210331 [GitHub] [zookeeper] ayushmantri opened a new pull request #1670: ZOOKEEPER-4272: Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r6a29316d758db628a1df49ca219d64caf493999b52cc77847bfba675%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210331 [GitHub] [zookeeper] arshadmohammad commented on pull request #1670: ZOOKEEPER-4272: Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r5470456cf1409a99893ae9dd57439799f6dc1a60fda90e11570f66fe%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210331 [GitHub] [zookeeper] arshadmohammad closed pull request #1670: ZOOKEEPER-4272: Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rbed09768f496244a2e138dbbe6d2847ddf796c9c8ef9e50f2e3e30d9%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210331 [GitHub] [zookeeper] asfgit closed pull request #1669: ZOOKEEPER-4272: Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r5232e33a1f3b310a3e083423f736f3925ebdb150844d60ac582809f8%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-commits] 20210331 [zookeeper] branch branch-3.7 updated: ZOOKEEPER-4272: Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r6a122c25e352eb134d01e7f4fc4d345a491c5ee9453fef6fc754d15b%40%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-commits] 20210331 [zookeeper] branch branch-3.6 updated: ZOOKEEPER-4272: Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r22adb45fe902aeafcd0a1c4db13984224a667676c323c66db3af38a1%40%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-commits] 20210331 [zookeeper] branch master updated: ZOOKEEPER-4272: Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r837bbcbf12e335e83ab448b1bd2c1ad7e86efdc14034b23811422e6a%40%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-commits] 20210331 [zookeeper] branch branch-3.5 updated: ZOOKEEPER-4272 ZOOKEEPER-4272: Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r70cebada51bc6d49138272437d8a28fe971d0197334ef906b575044c%40%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210331 [jira] [Resolved] (ZOOKEEPER-4272) Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/re6207ebe2ca4d44f2a6deee695ad6f27fd29d78980f1d46ed1574f91%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210401 [jira] [Commented] (ZOOKEEPER-4272) Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rdc096e13ac4501ea2e2b03a197682a313b85d3d3ec89d5ae5551b384%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[kafka-dev] 20210401 [jira] [Resolved] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r5fc5786cdd640b1b0a3c643237ce0011f0a08a296b11c0e2c669022c%40%3Cdev.kafka.apache.org%3E"
},
{
"name": "[kafka-jira] 20210401 [jira] [Commented] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r96ce18044880c33634c4b3fcecc57b8b90673c9364d63eba00385523%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "[kafka-jira] 20210401 [jira] [Resolved] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rc165e36ca7cb5417aec3f21bbc4ec00fb38ecebdd96a82cfab9bd56f%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210402 [jira] [Commented] (ZOOKEEPER-4272) Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r2936730ef0a06e724b96539bc7eacfcd3628987c16b1b99c790e7b87%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[hbase-issues] 20210402 [GitHub] [hbase-thirdparty] apurtell merged pull request #48: HBASE-25728 [hbase-thirdparty] Upgrade Netty library to \u003e= 4.1.60 due to security vulnerability CVE-2021-21295",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r22b2f34447d71c9a0ad9079b7860323d5584fb9b40eb42668c21eaf1%40%3Cissues.hbase.apache.org%3E"
},
{
"name": "[hbase-issues] 20210402 [GitHub] [hbase-thirdparty] HorizonNet commented on pull request #48: HBASE-25728 [hbase-thirdparty] Upgrade Netty library to \u003e= 4.1.60 due to security vulnerability CVE-2021-21295",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rb95d42ce220ed4a4683aa17833b5006d657bc4254bc5cb03cd5e6bfb%40%3Cissues.hbase.apache.org%3E"
},
{
"name": "[hbase-issues] 20210402 [jira] [Assigned] (HBASE-25728) [hbase-thirdparty] Upgrade Netty library to \u003e= 4.1.60 due to security vulnerability CVE-2021-21295",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r393a339ab0b63ef9e6502253eeab26e7643b3e69738d5948b2b1d064%40%3Cissues.hbase.apache.org%3E"
},
{
"name": "[hbase-issues] 20210402 [GitHub] [hbase-thirdparty] apurtell opened a new pull request #48: HBASE-25728 [hbase-thirdparty] Upgrade Netty library to \u003e= 4.1.60 due to security vulnerability CVE-2021-21295",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r040a5e4d9cca2f98354b58a70b27099672276f66995c4e2e39545d0b%40%3Cissues.hbase.apache.org%3E"
},
{
"name": "[hbase-issues] 20210402 [jira] [Updated] (HBASE-25728) [hbase-thirdparty] Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r27b7e5a588ec826b15f38c40be500c50073400019ce7b8adfd07fece%40%3Cissues.hbase.apache.org%3E"
},
{
"name": "[hbase-issues] 20210402 [GitHub] [hbase-thirdparty] apurtell commented on pull request #48: HBASE-25728 [hbase-thirdparty] Upgrade Netty library to \u003e= 4.1.60 due to security vulnerability CVE-2021-21295",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r86cd38a825ab2344f3e6cad570528852f29a4ffdf56ab67d75c36edf%40%3Cissues.hbase.apache.org%3E"
},
{
"name": "[hbase-issues] 20210402 [jira] [Updated] (HBASE-25728) [hbase-thirdparty] Upgrade Netty library to \u003e= 4.1.60 due to security vulnerability CVE-2021-21295",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/ra83096bcbfe6e1f4d54449f8a013117a0536404e9d307ab4a0d34f81%40%3Cissues.hbase.apache.org%3E"
},
{
"name": "[hbase-commits] 20210402 [hbase-thirdparty] branch master updated: HBASE-25728 [hbase-thirdparty] Upgrade Netty library to \u003e= 4.1.60 due to security vulnerability CVE-2021-21295 (#48)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rcf3752209a8b04996373bf57fdc808b3bfaa2be8702698a0323641f8%40%3Ccommits.hbase.apache.org%3E"
},
{
"name": "[hbase-dev] 20210402 [jira] [Created] (HBASE-25728) [hbase-thirdparty] ZOOKEEPER-4272: Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r905b92099998291956eebf4f1c5d95f5a0cbcece2946cc46d32274fd%40%3Cdev.hbase.apache.org%3E"
},
{
"name": "[hbase-issues] 20210402 [GitHub] [hbase-thirdparty] Apache-HBase commented on pull request #48: HBASE-25728 [hbase-thirdparty] Upgrade Netty library to \u003e= 4.1.60 due to security vulnerability CVE-2021-21295",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r6aee7e3566cb3e51eeed2fd8786704d91f80a7581e00a787ba9f37f6%40%3Cissues.hbase.apache.org%3E"
},
{
"name": "[hbase-issues] 20210402 [jira] [Created] (HBASE-25728) [hbase-thirdparty] ZOOKEEPER-4272: Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r268850f26639ebe249356ed6d8edb54ee8943be6f200f770784fb190%40%3Cissues.hbase.apache.org%3E"
},
{
"name": "[kafka-jira] 20210402 [jira] [Assigned] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r15f66ada9a5faf4bac69d9e7c4521cedfefa62df9509881603791969%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "DSA-4885",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2021/dsa-4885"
},
{
"name": "[flink-issues] 20210424 [jira] [Created] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r5baac01f9e06c40ff7aab209d5751b3b58802c63734e33324b70a06a%40%3Cissues.flink.apache.org%3E"
},
{
"name": "[flink-dev] 20210424 [jira] [Created] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/ra64d56a8a331ffd7bdcd24a9aaaeeedeacd5d639f5a683389123f898%40%3Cdev.flink.apache.org%3E"
},
{
"name": "[flink-issues] 20210426 [jira] [Commented] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rd8f72411fb75b98d366400ae789966373b5c3eb3f511e717caf3e49e%40%3Cissues.flink.apache.org%3E"
},
{
"name": "[flink-issues] 20210426 [jira] [Updated] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/re7c69756a102bebce8b8681882844a53e2f23975a189363e68ad0324%40%3Cissues.flink.apache.org%3E"
},
{
"name": "[flink-issues] 20210511 [jira] [Commented] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r855b4b6814ac829ce2d48dd9d8138d07f33387e710de798ee92c011e%40%3Cissues.flink.apache.org%3E"
},
{
"name": "[flink-issues] 20210610 [jira] [Updated] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r0b09f3e31e004fe583f677f7afa46bd30110904576c13c5ac818ac2c%40%3Cissues.flink.apache.org%3E"
},
{
"name": "[flink-issues] 20210618 [jira] [Updated] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r602e98daacc98934f097f07f2eed6eb07c18bfc1949c8489dc7bfcf5%40%3Cissues.flink.apache.org%3E"
},
{
"name": "[jackrabbit-dev] 20210709 [GitHub] [jackrabbit-oak] blackat opened a new pull request #321: Update netty to resolve CVE-2021-21295 and BDSA-2018-4022",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r3c4596b9b37f5ae91628ccf169d33cd5a0da4b16b6c39d5bad8e03f3%40%3Cdev.jackrabbit.apache.org%3E"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20210604-0003/"
},
{
"name": "[kudu-issues] 20210904 [jira] [Created] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rd4a6b7dec38ea6cd28b6f94bd4b312629a52b80be3786d5fb0e474bc%40%3Cissues.kudu.apache.org%3E"
},
{
"name": "[kudu-issues] 20210904 [jira] [Updated] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rca0978b634a0c3ebee4126ec29c7f570b165fae3f8f3658754c1cbd3%40%3Cissues.kudu.apache.org%3E"
},
{
"name": "[kudu-issues] 20210907 [jira] [Resolved] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rf934292a4a1c189827f625d567838d2c1001e4739b158638d844105b%40%3Cissues.kudu.apache.org%3E"
},
{
"name": "[kudu-issues] 20210907 [jira] [Commented] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/ra655e5cec74d1ddf62adacb71d398abd96f3ea2c588f6bbf048348eb%40%3Cissues.kudu.apache.org%3E"
},
{
"name": "[kudu-issues] 20210907 [jira] [Updated] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r4ea2f1a9d79d4fc1896e085f31fb60a21b1770d0a26a5250f849372d%40%3Cissues.kudu.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 - Upgrade jetty to 9.4.42",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rfff6ff8ffb31e8a32619c79774def44b6ffbb037c128c5ad3eab7171%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210928 [jira] [Created] (ZOOKEEPER-4390) CVE-2021-28169 - Upgrade jetty to 9.4.42",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r32b0b640ad2be3b858f0af51c68a7d5c5a66a462c8bbb93699825cd3%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 , - Upgrade jetty to 9.4.42",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rf36f1114e84a3379b20587063686148e2d5a39abc0b8a66ff2a9087a%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 , CVE-2021-28163, - Upgrade jetty to 9.4.42",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rddbb4f8d5db23265bb63d14ef4b3723b438abc1589f877db11d35450%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-dev] 20210928 [jira] [Created] (ZOOKEEPER-4390) CVE-2021-28169 - Upgrade jetty to 9.4.42",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r33eb06b05afbc7df28d31055cae0cb3fd36cab808c884bf6d680bea5%40%3Cdev.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 , CVE-2021-28163, CVE-2021-34428- Upgrade jetty to 9.4.42",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r67c4f90658fde875521c949448c54c98517beecdc7f618f902c620ec%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[pulsar-commits] 20211020 [GitHub] [pulsar] Shoothzj opened a new pull request #12437: [Security] Bump grpc to 1.41.0",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r584cf871f188c406d8bd447ff4e2fd9817fca862436c064d0951a071%40%3Ccommits.pulsar.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread.html/rb523bb6c60196c5f58514b86a8585c2069a4852039b45de3818b29d2%40%3Ccommits.servicecomb.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread.html/r57245853c7245baab09eae08728c52b58fd77666538092389cc3e882%40%3Ccommits.servicecomb.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread.html/r490ca5611c150d193b320a2608209180713b7c68e501b67b0cffb925%40%3Ccommits.servicecomb.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread.html/r6d32fc3cd547f7c9a288a57c7f525f5d00a00d5d163613e0d10a23ef%40%3Ccommits.servicecomb.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread.html/rdb4db3f5a9c478ca52a7b164680b88877a5a9c174e7047676c006b2c%40%3Ccommits.servicecomb.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread.html/r8db1d7b3b9acc9e8d2776395e280eb9615dd7790e1da8c57039963de%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread.html/r2e93ce23e04c3f0a61e987d1111d0695cb668ac4ec4edbf237bd3e80%40%3Ccommits.servicecomb.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread.html/rc73b8dd01b1be276d06bdf07883ecd93fe1a01f139a99ef30ba4308c%40%3Ccommits.servicecomb.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread.html/rd25c88aad0e76240dd09f0eb34bdab924933946429e068a167adcb73%40%3Ccommits.servicecomb.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread.html/rcfc154eb2de23d2dc08a56100341161e1a40a8ea86c693735437e8f2%40%3Ccommits.servicecomb.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread.html/ra96c74c37ed7252f78392e1ad16442bd16ae72a4d6c8db50dd55c88b%40%3Ccommits.servicecomb.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread.html/r04a3e0d9f53421fb946c60cc54762b7151dc692eb4e39970a7579052%40%3Ccommits.servicecomb.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread.html/racc191a1f70a4f13155e8002c61bddef2870b26441971c697436ad5d%40%3Ccommits.servicecomb.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread.html/rf87b870a22aa5c77c27900967b518a71a7d954c2952860fce3794b60%40%3Ccommits.servicecomb.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread.html/r16c4b55ac82be72f28adad4f8061477e5f978199d5725691dcc82c24%40%3Ccommits.servicecomb.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread.html/rae198f44c3f7ac5264045e6ba976be1703cff38dcf1609916e50210d%40%3Ccommits.servicecomb.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread.html/re4f70b62843e92163fab03b65e2aa8078693293a0c36f1cc260079ed%40%3Ccommits.servicecomb.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread.html/reafc834062486adfc7be5bb8f7b7793be0d33f483678a094c3f9d468%40%3Ccommits.servicecomb.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread.html/r8bcaf7821247b1836b10f6a1a3a3212b06272fd4cde4a859de1b78cf%40%3Ccommits.servicecomb.apache.org%3E"
}
],
"source": {
"advisory": "GHSA-wm47-8v5p-wjpj",
"discovery": "UNKNOWN"
},
"title": "Possible request smuggling in HTTP/2 due missing validation",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-21295",
"STATE": "PUBLIC",
"TITLE": "Possible request smuggling in HTTP/2 due missing validation"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "io.netty:netty-codec-http2",
"version": {
"version_data": [
{
"version_value": "\u003c 4.1.60.Final"
}
]
}
}
]
},
"vendor_name": "netty"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers \u0026 clients. In Netty (io.netty:netty-codec-http2) before version 4.1.60.Final there is a vulnerability that enables request smuggling. If a Content-Length header is present in the original HTTP/2 request, the field is not validated by `Http2MultiplexHandler` as it is propagated up. This is fine as long as the request is not proxied through as HTTP/1.1. If the request comes in as an HTTP/2 stream, gets converted into the HTTP/1.1 domain objects (`HttpRequest`, `HttpContent`, etc.) via `Http2StreamFrameToHttpObjectCodec `and then sent up to the child channel\u0027s pipeline and proxied through a remote peer as HTTP/1.1 this may result in request smuggling. In a proxy case, users may assume the content-length is validated somehow, which is not the case. If the request is forwarded to a backend channel that is a HTTP/1.1 connection, the Content-Length now has meaning and needs to be checked. An attacker can smuggle requests inside the body as it gets downgraded from HTTP/2 to HTTP/1.1. For an example attack refer to the linked GitHub Advisory. Users are only affected if all of this is true: `HTTP2MultiplexCodec` or `Http2FrameCodec` is used, `Http2StreamFrameToHttpObjectCodec` is used to convert to HTTP/1.1 objects, and these HTTP/1.1 objects are forwarded to another remote peer. This has been patched in 4.1.60.Final As a workaround, the user can do the validation by themselves by implementing a custom `ChannelInboundHandler` that is put in the `ChannelPipeline` behind `Http2StreamFrameToHttpObjectCodec`."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-444 Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request Smuggling\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj",
"refsource": "CONFIRM",
"url": "https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj"
},
{
"name": "https://github.com/Netflix/zuul/pull/980",
"refsource": "MISC",
"url": "https://github.com/Netflix/zuul/pull/980"
},
{
"name": "https://github.com/netty/netty/commit/89c241e3b1795ff257af4ad6eadc616cb2fb3dc4",
"refsource": "MISC",
"url": "https://github.com/netty/netty/commit/89c241e3b1795ff257af4ad6eadc616cb2fb3dc4"
},
{
"name": "[ranger-dev] 20210317 [jira] [Created] (RANGER-3209) Upgrade netty to 4.1.60+ due to CVE-2021-21290 and CVE-2021-21295",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r02e467123d45006a1dda20a38349e9c74c3a4b53e2e07be0939ecb3f@%3Cdev.ranger.apache.org%3E"
},
{
"name": "[ranger-dev] 20210317 [jira] [Assigned] (RANGER-3209) Upgrade netty to 4.1.60+ due to CVE-2021-21290 and CVE-2021-21295",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r7bb3cdc192e9a6f863d3ea05422f09fa1ae2b88d4663e63696ee7ef5@%3Cdev.ranger.apache.org%3E"
},
{
"name": "[pulsar-commits] 20210329 [GitHub] [pulsar] yaswanthnadella opened a new issue #10071: CVE-2021-21295 \u0026 CVE-2021-21290",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rcd163e421273e8dca1c71ea298dce3dd11b41d51c3a812e0394e6a5d@%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[pulsar-commits] 20210329 [GitHub] [pulsar] aahmed-se opened a new pull request #10073: Upgrade Netty version to 4.1.60.final",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r9924ef9357537722b28d04c98a189750b80694a19754e5057c34ca48@%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[pulsar-commits] 20210329 [GitHub] [pulsar] merlimat closed issue #10071: CVE-2021-21295 \u0026 CVE-2021-21290",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rb51d6202ff1a773f96eaa694b7da4ad3f44922c40b3d4e1a19c2f325@%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[bookkeeper-issues] 20210330 [GitHub] [bookkeeper] eolivelli opened a new issue #2669: Update Netty to 4.1.60.final",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r790c2926efcd062067eb18fde2486527596d7275381cfaff2f7b3890@%3Cissues.bookkeeper.apache.org%3E"
},
{
"name": "[zookeeper-dev] 20210330 [jira] [Created] (ZOOKEEPER-4272) Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r1908a34b9cc7120e5c19968a116ddbcffea5e9deb76c2be4fa461904@%3Cdev.zookeeper.apache.org%3E"
},
{
"name": "[kafka-dev] 20210330 [jira] [Created] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rb06c1e766aa45ee422e8261a8249b561784186483e8f742ea627bda4@%3Cdev.kafka.apache.org%3E"
},
{
"name": "[kafka-jira] 20210330 [jira] [Updated] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r5e66e286afb5506cdfe9bbf68a323e8d09614f6d1ddc806ed0224700@%3Cjira.kafka.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210330 [jira] [Created] (ZOOKEEPER-4272) Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rb592033a2462548d061a83ac9449c5ff66098751748fcd1e2d008233@%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[kafka-jira] 20210330 [jira] [Created] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r59bac5c09f7a4179b9e2460e8f41c278aaf3b9a21cc23678eb893e41@%3Cjira.kafka.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210330 [jira] [Updated] (ZOOKEEPER-4272) Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rc0087125cb15b4b78e44000f841cd37fefedfda942fd7ddf3ad1b528@%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210331 [jira] [Assigned] (ZOOKEEPER-4272) Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r1bca0b81193b74a451fc6d687ab58ef3a1f5ec40f6c61561d8dd9509@%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210331 [jira] [Commented] (ZOOKEEPER-4272) Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r3ff9e735ca33612d900607dc139ebd38a64cadc6bce292e53eb86d7f@%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210331 [GitHub] [zookeeper] ayushmantri opened a new pull request #1669: ZOOKEEPER-4272: Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r312ce5bd3c6bf08c138349b507b6f1c25fe9cf40b6f2b0014c9d12b1@%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210331 [jira] [Updated] (ZOOKEEPER-4272) Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rcfc535afd413d9934d6ee509dce234dac41fa3747a7555befb17447e@%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[kafka-jira] 20210331 [GitHub] [kafka] dongjinleekr commented on pull request #10448: KAFKA-12583: Upgrade of netty-codec due to CVE-2021-21295",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r3c293431c781696681abbfe1c573c2d9dcdae6fd3ff330ea22f0433f@%3Cjira.kafka.apache.org%3E"
},
{
"name": "[kafka-jira] 20210331 [GitHub] [kafka] dongjinleekr opened a new pull request #10448: KAFKA-12583: Upgrade of netty-codec due to CVE-2021-21295",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r9051e4f484a970b5566dc1870ecd9c1eb435214e2652cf3ea4d0c0cc@%3Cjira.kafka.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210331 [GitHub] [zookeeper] arshadmohammad commented on pull request #1669: ZOOKEEPER-4272: Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rbadcbcb50195f00bbd196403865ced521ca70787999583c07be38d0e@%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210331 [GitHub] [zookeeper] eolivelli commented on pull request #1669: ZOOKEEPER-4272: Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r67e6a636cbc1958383a1cd72b7fd0cd7493360b1dd0e6c12f5761798@%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210331 [GitHub] [zookeeper] ayushmantri opened a new pull request #1670: ZOOKEEPER-4272: Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r6a29316d758db628a1df49ca219d64caf493999b52cc77847bfba675@%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210331 [GitHub] [zookeeper] arshadmohammad commented on pull request #1670: ZOOKEEPER-4272: Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r5470456cf1409a99893ae9dd57439799f6dc1a60fda90e11570f66fe@%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210331 [GitHub] [zookeeper] arshadmohammad closed pull request #1670: ZOOKEEPER-4272: Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rbed09768f496244a2e138dbbe6d2847ddf796c9c8ef9e50f2e3e30d9@%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210331 [GitHub] [zookeeper] asfgit closed pull request #1669: ZOOKEEPER-4272: Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r5232e33a1f3b310a3e083423f736f3925ebdb150844d60ac582809f8@%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-commits] 20210331 [zookeeper] branch branch-3.7 updated: ZOOKEEPER-4272: Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r6a122c25e352eb134d01e7f4fc4d345a491c5ee9453fef6fc754d15b@%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-commits] 20210331 [zookeeper] branch branch-3.6 updated: ZOOKEEPER-4272: Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r22adb45fe902aeafcd0a1c4db13984224a667676c323c66db3af38a1@%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-commits] 20210331 [zookeeper] branch master updated: ZOOKEEPER-4272: Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r837bbcbf12e335e83ab448b1bd2c1ad7e86efdc14034b23811422e6a@%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-commits] 20210331 [zookeeper] branch branch-3.5 updated: ZOOKEEPER-4272 ZOOKEEPER-4272: Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r70cebada51bc6d49138272437d8a28fe971d0197334ef906b575044c@%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210331 [jira] [Resolved] (ZOOKEEPER-4272) Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/re6207ebe2ca4d44f2a6deee695ad6f27fd29d78980f1d46ed1574f91@%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210401 [jira] [Commented] (ZOOKEEPER-4272) Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rdc096e13ac4501ea2e2b03a197682a313b85d3d3ec89d5ae5551b384@%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[kafka-dev] 20210401 [jira] [Resolved] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r5fc5786cdd640b1b0a3c643237ce0011f0a08a296b11c0e2c669022c@%3Cdev.kafka.apache.org%3E"
},
{
"name": "[kafka-jira] 20210401 [jira] [Commented] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r96ce18044880c33634c4b3fcecc57b8b90673c9364d63eba00385523@%3Cjira.kafka.apache.org%3E"
},
{
"name": "[kafka-jira] 20210401 [jira] [Resolved] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rc165e36ca7cb5417aec3f21bbc4ec00fb38ecebdd96a82cfab9bd56f@%3Cjira.kafka.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210402 [jira] [Commented] (ZOOKEEPER-4272) Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r2936730ef0a06e724b96539bc7eacfcd3628987c16b1b99c790e7b87@%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[hbase-issues] 20210402 [GitHub] [hbase-thirdparty] apurtell merged pull request #48: HBASE-25728 [hbase-thirdparty] Upgrade Netty library to \u003e= 4.1.60 due to security vulnerability CVE-2021-21295",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r22b2f34447d71c9a0ad9079b7860323d5584fb9b40eb42668c21eaf1@%3Cissues.hbase.apache.org%3E"
},
{
"name": "[hbase-issues] 20210402 [GitHub] [hbase-thirdparty] HorizonNet commented on pull request #48: HBASE-25728 [hbase-thirdparty] Upgrade Netty library to \u003e= 4.1.60 due to security vulnerability CVE-2021-21295",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rb95d42ce220ed4a4683aa17833b5006d657bc4254bc5cb03cd5e6bfb@%3Cissues.hbase.apache.org%3E"
},
{
"name": "[hbase-issues] 20210402 [jira] [Assigned] (HBASE-25728) [hbase-thirdparty] Upgrade Netty library to \u003e= 4.1.60 due to security vulnerability CVE-2021-21295",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r393a339ab0b63ef9e6502253eeab26e7643b3e69738d5948b2b1d064@%3Cissues.hbase.apache.org%3E"
},
{
"name": "[hbase-issues] 20210402 [GitHub] [hbase-thirdparty] apurtell opened a new pull request #48: HBASE-25728 [hbase-thirdparty] Upgrade Netty library to \u003e= 4.1.60 due to security vulnerability CVE-2021-21295",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r040a5e4d9cca2f98354b58a70b27099672276f66995c4e2e39545d0b@%3Cissues.hbase.apache.org%3E"
},
{
"name": "[hbase-issues] 20210402 [jira] [Updated] (HBASE-25728) [hbase-thirdparty] Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r27b7e5a588ec826b15f38c40be500c50073400019ce7b8adfd07fece@%3Cissues.hbase.apache.org%3E"
},
{
"name": "[hbase-issues] 20210402 [GitHub] [hbase-thirdparty] apurtell commented on pull request #48: HBASE-25728 [hbase-thirdparty] Upgrade Netty library to \u003e= 4.1.60 due to security vulnerability CVE-2021-21295",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r86cd38a825ab2344f3e6cad570528852f29a4ffdf56ab67d75c36edf@%3Cissues.hbase.apache.org%3E"
},
{
"name": "[hbase-issues] 20210402 [jira] [Updated] (HBASE-25728) [hbase-thirdparty] Upgrade Netty library to \u003e= 4.1.60 due to security vulnerability CVE-2021-21295",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/ra83096bcbfe6e1f4d54449f8a013117a0536404e9d307ab4a0d34f81@%3Cissues.hbase.apache.org%3E"
},
{
"name": "[hbase-commits] 20210402 [hbase-thirdparty] branch master updated: HBASE-25728 [hbase-thirdparty] Upgrade Netty library to \u003e= 4.1.60 due to security vulnerability CVE-2021-21295 (#48)",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rcf3752209a8b04996373bf57fdc808b3bfaa2be8702698a0323641f8@%3Ccommits.hbase.apache.org%3E"
},
{
"name": "[hbase-dev] 20210402 [jira] [Created] (HBASE-25728) [hbase-thirdparty] ZOOKEEPER-4272: Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r905b92099998291956eebf4f1c5d95f5a0cbcece2946cc46d32274fd@%3Cdev.hbase.apache.org%3E"
},
{
"name": "[hbase-issues] 20210402 [GitHub] [hbase-thirdparty] Apache-HBase commented on pull request #48: HBASE-25728 [hbase-thirdparty] Upgrade Netty library to \u003e= 4.1.60 due to security vulnerability CVE-2021-21295",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r6aee7e3566cb3e51eeed2fd8786704d91f80a7581e00a787ba9f37f6@%3Cissues.hbase.apache.org%3E"
},
{
"name": "[hbase-issues] 20210402 [jira] [Created] (HBASE-25728) [hbase-thirdparty] ZOOKEEPER-4272: Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r268850f26639ebe249356ed6d8edb54ee8943be6f200f770784fb190@%3Cissues.hbase.apache.org%3E"
},
{
"name": "[kafka-jira] 20210402 [jira] [Assigned] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r15f66ada9a5faf4bac69d9e7c4521cedfefa62df9509881603791969@%3Cjira.kafka.apache.org%3E"
},
{
"name": "DSA-4885",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2021/dsa-4885"
},
{
"name": "[flink-issues] 20210424 [jira] [Created] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r5baac01f9e06c40ff7aab209d5751b3b58802c63734e33324b70a06a@%3Cissues.flink.apache.org%3E"
},
{
"name": "[flink-dev] 20210424 [jira] [Created] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/ra64d56a8a331ffd7bdcd24a9aaaeeedeacd5d639f5a683389123f898@%3Cdev.flink.apache.org%3E"
},
{
"name": "[flink-issues] 20210426 [jira] [Commented] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rd8f72411fb75b98d366400ae789966373b5c3eb3f511e717caf3e49e@%3Cissues.flink.apache.org%3E"
},
{
"name": "[flink-issues] 20210426 [jira] [Updated] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/re7c69756a102bebce8b8681882844a53e2f23975a189363e68ad0324@%3Cissues.flink.apache.org%3E"
},
{
"name": "[flink-issues] 20210511 [jira] [Commented] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r855b4b6814ac829ce2d48dd9d8138d07f33387e710de798ee92c011e@%3Cissues.flink.apache.org%3E"
},
{
"name": "[flink-issues] 20210610 [jira] [Updated] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r0b09f3e31e004fe583f677f7afa46bd30110904576c13c5ac818ac2c@%3Cissues.flink.apache.org%3E"
},
{
"name": "[flink-issues] 20210618 [jira] [Updated] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r602e98daacc98934f097f07f2eed6eb07c18bfc1949c8489dc7bfcf5@%3Cissues.flink.apache.org%3E"
},
{
"name": "[jackrabbit-dev] 20210709 [GitHub] [jackrabbit-oak] blackat opened a new pull request #321: Update netty to resolve CVE-2021-21295 and BDSA-2018-4022",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r3c4596b9b37f5ae91628ccf169d33cd5a0da4b16b6c39d5bad8e03f3@%3Cdev.jackrabbit.apache.org%3E"
},
{
"name": "https://security.netapp.com/advisory/ntap-20210604-0003/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20210604-0003/"
},
{
"name": "[kudu-issues] 20210904 [jira] [Created] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rd4a6b7dec38ea6cd28b6f94bd4b312629a52b80be3786d5fb0e474bc@%3Cissues.kudu.apache.org%3E"
},
{
"name": "[kudu-issues] 20210904 [jira] [Updated] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rca0978b634a0c3ebee4126ec29c7f570b165fae3f8f3658754c1cbd3@%3Cissues.kudu.apache.org%3E"
},
{
"name": "[kudu-issues] 20210907 [jira] [Resolved] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rf934292a4a1c189827f625d567838d2c1001e4739b158638d844105b@%3Cissues.kudu.apache.org%3E"
},
{
"name": "[kudu-issues] 20210907 [jira] [Commented] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/ra655e5cec74d1ddf62adacb71d398abd96f3ea2c588f6bbf048348eb@%3Cissues.kudu.apache.org%3E"
},
{
"name": "[kudu-issues] 20210907 [jira] [Updated] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r4ea2f1a9d79d4fc1896e085f31fb60a21b1770d0a26a5250f849372d@%3Cissues.kudu.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 - Upgrade jetty to 9.4.42",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rfff6ff8ffb31e8a32619c79774def44b6ffbb037c128c5ad3eab7171@%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210928 [jira] [Created] (ZOOKEEPER-4390) CVE-2021-28169 - Upgrade jetty to 9.4.42",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r32b0b640ad2be3b858f0af51c68a7d5c5a66a462c8bbb93699825cd3@%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 , - Upgrade jetty to 9.4.42",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rf36f1114e84a3379b20587063686148e2d5a39abc0b8a66ff2a9087a@%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 , CVE-2021-28163, - Upgrade jetty to 9.4.42",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rddbb4f8d5db23265bb63d14ef4b3723b438abc1589f877db11d35450@%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-dev] 20210928 [jira] [Created] (ZOOKEEPER-4390) CVE-2021-28169 - Upgrade jetty to 9.4.42",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r33eb06b05afbc7df28d31055cae0cb3fd36cab808c884bf6d680bea5@%3Cdev.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 , CVE-2021-28163, CVE-2021-34428- Upgrade jetty to 9.4.42",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r67c4f90658fde875521c949448c54c98517beecdc7f618f902c620ec@%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[pulsar-commits] 20211020 [GitHub] [pulsar] Shoothzj opened a new pull request #12437: [Security] Bump grpc to 1.41.0",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r584cf871f188c406d8bd447ff4e2fd9817fca862436c064d0951a071@%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "https://www.oracle.com/security-alerts/cpuapr2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"name": "https://lists.apache.org/thread.html/rb523bb6c60196c5f58514b86a8585c2069a4852039b45de3818b29d2@%3Ccommits.servicecomb.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/rb523bb6c60196c5f58514b86a8585c2069a4852039b45de3818b29d2@%3Ccommits.servicecomb.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/r57245853c7245baab09eae08728c52b58fd77666538092389cc3e882@%3Ccommits.servicecomb.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/r57245853c7245baab09eae08728c52b58fd77666538092389cc3e882@%3Ccommits.servicecomb.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/r490ca5611c150d193b320a2608209180713b7c68e501b67b0cffb925@%3Ccommits.servicecomb.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/r490ca5611c150d193b320a2608209180713b7c68e501b67b0cffb925@%3Ccommits.servicecomb.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/r6d32fc3cd547f7c9a288a57c7f525f5d00a00d5d163613e0d10a23ef@%3Ccommits.servicecomb.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/r6d32fc3cd547f7c9a288a57c7f525f5d00a00d5d163613e0d10a23ef@%3Ccommits.servicecomb.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/rdb4db3f5a9c478ca52a7b164680b88877a5a9c174e7047676c006b2c@%3Ccommits.servicecomb.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/rdb4db3f5a9c478ca52a7b164680b88877a5a9c174e7047676c006b2c@%3Ccommits.servicecomb.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/r8db1d7b3b9acc9e8d2776395e280eb9615dd7790e1da8c57039963de@%3Cnotifications.zookeeper.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/r8db1d7b3b9acc9e8d2776395e280eb9615dd7790e1da8c57039963de@%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/r2e93ce23e04c3f0a61e987d1111d0695cb668ac4ec4edbf237bd3e80@%3Ccommits.servicecomb.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/r2e93ce23e04c3f0a61e987d1111d0695cb668ac4ec4edbf237bd3e80@%3Ccommits.servicecomb.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/rc73b8dd01b1be276d06bdf07883ecd93fe1a01f139a99ef30ba4308c@%3Ccommits.servicecomb.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/rc73b8dd01b1be276d06bdf07883ecd93fe1a01f139a99ef30ba4308c@%3Ccommits.servicecomb.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/rd25c88aad0e76240dd09f0eb34bdab924933946429e068a167adcb73@%3Ccommits.servicecomb.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/rd25c88aad0e76240dd09f0eb34bdab924933946429e068a167adcb73@%3Ccommits.servicecomb.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/rcfc154eb2de23d2dc08a56100341161e1a40a8ea86c693735437e8f2@%3Ccommits.servicecomb.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/rcfc154eb2de23d2dc08a56100341161e1a40a8ea86c693735437e8f2@%3Ccommits.servicecomb.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/ra96c74c37ed7252f78392e1ad16442bd16ae72a4d6c8db50dd55c88b@%3Ccommits.servicecomb.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/ra96c74c37ed7252f78392e1ad16442bd16ae72a4d6c8db50dd55c88b@%3Ccommits.servicecomb.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/r04a3e0d9f53421fb946c60cc54762b7151dc692eb4e39970a7579052@%3Ccommits.servicecomb.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/r04a3e0d9f53421fb946c60cc54762b7151dc692eb4e39970a7579052@%3Ccommits.servicecomb.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/racc191a1f70a4f13155e8002c61bddef2870b26441971c697436ad5d@%3Ccommits.servicecomb.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/racc191a1f70a4f13155e8002c61bddef2870b26441971c697436ad5d@%3Ccommits.servicecomb.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/rf87b870a22aa5c77c27900967b518a71a7d954c2952860fce3794b60@%3Ccommits.servicecomb.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/rf87b870a22aa5c77c27900967b518a71a7d954c2952860fce3794b60@%3Ccommits.servicecomb.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/r16c4b55ac82be72f28adad4f8061477e5f978199d5725691dcc82c24@%3Ccommits.servicecomb.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/r16c4b55ac82be72f28adad4f8061477e5f978199d5725691dcc82c24@%3Ccommits.servicecomb.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/rae198f44c3f7ac5264045e6ba976be1703cff38dcf1609916e50210d@%3Ccommits.servicecomb.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/rae198f44c3f7ac5264045e6ba976be1703cff38dcf1609916e50210d@%3Ccommits.servicecomb.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/re4f70b62843e92163fab03b65e2aa8078693293a0c36f1cc260079ed@%3Ccommits.servicecomb.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/re4f70b62843e92163fab03b65e2aa8078693293a0c36f1cc260079ed@%3Ccommits.servicecomb.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/reafc834062486adfc7be5bb8f7b7793be0d33f483678a094c3f9d468@%3Ccommits.servicecomb.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/reafc834062486adfc7be5bb8f7b7793be0d33f483678a094c3f9d468@%3Ccommits.servicecomb.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/r8bcaf7821247b1836b10f6a1a3a3212b06272fd4cde4a859de1b78cf@%3Ccommits.servicecomb.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/r8bcaf7821247b1836b10f6a1a3a3212b06272fd4cde4a859de1b78cf@%3Ccommits.servicecomb.apache.org%3E"
}
]
},
"source": {
"advisory": "GHSA-wm47-8v5p-wjpj",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-21295",
"datePublished": "2021-03-09T18:35:19",
"dateReserved": "2020-12-22T00:00:00",
"dateUpdated": "2024-08-03T18:09:15.344Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-2764 (GCVE-0-2022-2764)
Vulnerability from cvelistv5
Published
2022-09-01 00:00
Modified
2024-08-03 00:46
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
A flaw was found in Undertow. Denial of service can be achieved as Undertow server waits for the LAST_CHUNK forever for EJB invocations.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:46:04.429Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2117506"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20221014-0006/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "undertow",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "undertow 2.x"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in Undertow. Denial of service can be achieved as Undertow server waits for the LAST_CHUNK forever for EJB invocations."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-10-14T00:00:00",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2117506"
},
{
"url": "https://security.netapp.com/advisory/ntap-20221014-0006/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2022-2764",
"datePublished": "2022-09-01T00:00:00",
"dateReserved": "2022-08-11T00:00:00",
"dateUpdated": "2024-08-03T00:46:04.429Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2013-1624 (GCVE-0-2013-1624)
Vulnerability from cvelistv5
Published
2013-02-08 19:00
Modified
2024-08-06 15:04
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
The TLS implementation in the Bouncy Castle Java library before 1.48 and C# library before 1.8 does not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169.
References
| ► | URL | Tags | ||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T15:04:49.485Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://www.isg.rhul.ac.uk/tls/TLStiming.pdf"
},
{
"name": "[oss-security] 20130205 Re: CVE request: TLS CBC padding timing flaw in various SSL / TLS implementations",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://openwall.com/lists/oss-security/2013/02/05/24"
},
{
"name": "RHSA-2014:0371",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2014-0371.html"
},
{
"name": "57719",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/57719"
},
{
"name": "57716",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/57716"
},
{
"name": "RHSA-2014:0372",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2014-0372.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2013-02-05T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The TLS implementation in the Bouncy Castle Java library before 1.48 and C# library before 1.8 does not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2014-04-10T14:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "http://www.isg.rhul.ac.uk/tls/TLStiming.pdf"
},
{
"name": "[oss-security] 20130205 Re: CVE request: TLS CBC padding timing flaw in various SSL / TLS implementations",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://openwall.com/lists/oss-security/2013/02/05/24"
},
{
"name": "RHSA-2014:0371",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2014-0371.html"
},
{
"name": "57719",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/57719"
},
{
"name": "57716",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/57716"
},
{
"name": "RHSA-2014:0372",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2014-0372.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2013-1624",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The TLS implementation in the Bouncy Castle Java library before 1.48 and C# library before 1.8 does not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://www.isg.rhul.ac.uk/tls/TLStiming.pdf",
"refsource": "MISC",
"url": "http://www.isg.rhul.ac.uk/tls/TLStiming.pdf"
},
{
"name": "[oss-security] 20130205 Re: CVE request: TLS CBC padding timing flaw in various SSL / TLS implementations",
"refsource": "MLIST",
"url": "http://openwall.com/lists/oss-security/2013/02/05/24"
},
{
"name": "RHSA-2014:0371",
"refsource": "REDHAT",
"url": "http://rhn.redhat.com/errata/RHSA-2014-0371.html"
},
{
"name": "57719",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/57719"
},
{
"name": "57716",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/57716"
},
{
"name": "RHSA-2014:0372",
"refsource": "REDHAT",
"url": "http://rhn.redhat.com/errata/RHSA-2014-0372.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2013-1624",
"datePublished": "2013-02-08T19:00:00",
"dateReserved": "2013-02-05T00:00:00",
"dateUpdated": "2024-08-06T15:04:49.485Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-20445 (GCVE-0-2019-20445)
Vulnerability from cvelistv5
Published
2020-01-29 20:33
Modified
2024-08-05 02:39
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding header.
References
| ► | URL | Tags | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T02:39:10.039Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/netty/netty/compare/netty-4.1.43.Final...netty-4.1.44.Final"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/netty/netty/issues/9861"
},
{
"name": "[druid-commits] 20200131 [GitHub] [druid] ccaominh commented on a change in pull request #9300: Fix / suppress netty CVEs CVE-2019-20445 and CVE-2019-20444",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/re45ee9256d3233c31d78e59ee59c7dc841c7fbd83d0769285b41e948%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20200131 [GitHub] [druid] zachjsh opened a new pull request #9300: Fix / suppress netty CVEs CVE-2019-20445 and CVE-2019-20444",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r70b1ff22ee80e8101805b9a473116dd33265709007d2deb6f8c80bf2%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20200131 [GitHub] [druid] gianm merged pull request #9300: Fix / suppress netty CVEs CVE-2019-20445 and CVE-2019-20444",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rff210a24f3a924829790e69eaefa84820902b7b31f17c3bf2def9114%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20200203 [jira] [Created] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/ra9fbfe7d4830ae675bf34c7c0f8c22fc8a4099f65706c1bc4f54c593%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-dev] 20200203 [jira] [Created] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r96e08f929234e8ba1ef4a93a0fd2870f535a1f9ab628fabc46115986%40%3Cdev.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-dev] 20200203 Re: [VOTE] Apache ZooKeeper release 3.6.0 candidate 1",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r81700644754e66ffea465c869cb477de25f8041e21598e8818fc2c45%40%3Cdev.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20200203 [jira] [Assigned] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r804895eedd72c9ec67898286eb185e04df852b0dd5fe53cf5b6138f9%40%3Cissues.zookeeper.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rce71d33747010d32d31d90f5d737dae26291d96552f513a266c92fbb%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rfb55f245b08d8a6ec0fb4dc159022227cd22de34c4419c2fbb18802b%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20200203 [jira] [Updated] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/ra2ace4bcb5cf487f72cbcbfa0f8cc08e755ec2b93d7e69f276148b08%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20200203 [jira] [Commented] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r36fcf538b28f2029e8b4f6b9a772f3b107913a78f09b095c5b153a62%40%3Cissues.zookeeper.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r310d2ce22304d5298ff87f10134f918c87919b452734f9841d95682d%40%3Ccommits.zookeeper.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r9b20cdac704cf9a583400350e2d5b576fa8417c18ddb961201676c60%40%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20200204 [jira] [Resolved] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r640eb9b3213058a963e18291f903fc1584e577f60035f941e32f760a%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20200209 [jira] [Updated] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r1fcccf8bdb3531c28bc9aa605a6a1bea7e68cef6fc12e01faafb2fb5%40%3Cissues.zookeeper.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r819aaeb9944bdcfca438dcc51f05650dc728daf64dfd7d774fc2499b%40%3Ccommits.zookeeper.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rb84c57670ec48ef23f4d07973b7fa69f629b8e7fcfb48874362feb6f%40%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20200209 [jira] [Commented] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r6945f3c346b7af89bbd3526a7c9b705b1e3569070ebcd0964bcedd7d%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "RHSA-2020:0497",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2020:0497"
},
{
"name": "[cassandra-commits] 20200218 [jira] [Created] (CASSANDRA-15590) Upgrade io.netty_netty-all dependency to fix security vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r959474dcf7f88565ed89f6252ca5a274419006cb71348f14764b183d%40%3Ccommits.cassandra.apache.org%3E"
},
{
"name": "[debian-lts-announce] 20200219 [SECURITY] [DLA 2109-1] netty security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/02/msg00017.html"
},
{
"name": "[debian-lts-announce] 20200219 [SECURITY] [DLA 2110-1] netty-3.9 security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/02/msg00018.html"
},
{
"name": "RHSA-2020:0601",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2020:0601"
},
{
"name": "RHSA-2020:0606",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2020:0606"
},
{
"name": "RHSA-2020:0605",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2020:0605"
},
{
"name": "RHSA-2020:0567",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2020:0567"
},
{
"name": "[spark-issues] 20200309 [jira] [Created] (SPARK-31095) Upgrade netty version to fix security vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rb5c065e7bd701b0744f9f28ad769943f91745102716c1eb516325f11%40%3Cissues.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20200310 [GitHub] [spark] dongjoon-hyun commented on issue #27870: [SPARK-31095][BUILD][2.4] Upgrade netty-all to 4.1.47.Final",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r46f93de62b1e199f3f9babb18128681677c53493546f532ed88c359d%40%3Creviews.spark.apache.org%3E"
},
{
"name": "RHSA-2020:0806",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2020:0806"
},
{
"name": "RHSA-2020:0811",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2020:0811"
},
{
"name": "RHSA-2020:0804",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2020:0804"
},
{
"name": "RHSA-2020:0805",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2020:0805"
},
{
"name": "[geode-dev] 20200408 Proposal to bring GEODE-7969 to support/1.12",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r205937c85817a911b0c72655c2377e7a2c9322d6ef6ce1b118d34d8d%40%3Cdev.geode.apache.org%3E"
},
{
"name": "[geode-dev] 20200408 Re: Proposal to bring GEODE-7969 to support/1.12",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/ra1a71b576a45426af5ee65255be9596ff3181a342f4ba73b800db78f%40%3Cdev.geode.apache.org%3E"
},
{
"name": "[flume-issues] 20200410 [jira] [Created] (FLUME-3363) CVE-2019-20445",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r4ff40646e9ccce13560458419accdfc227b8b6ca4ead3a8a91decc74%40%3Cissues.flume.apache.org%3E"
},
{
"name": "[flume-issues] 20200415 [jira] [Updated] (FLUME-3363) CVE-2019-20445",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r030beff88aeb6d7a2d6cd21342bd18686153ce6e26a4171d0e035663%40%3Cissues.flume.apache.org%3E"
},
{
"name": "[flume-issues] 20200422 [jira] [Commented] (FLUME-3363) CVE-2019-20445",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rbdb59c683d666130906a9c05a1d2b034c4cc08cda7ed41322bd54fe2%40%3Cissues.flume.apache.org%3E"
},
{
"name": "[cassandra-commits] 20200604 [jira] [Created] (CASSANDRA-15856) Security vulnerabilities with dependency jars of Cassandra 3.11.6",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r4d3f1d3e333d9c2b2f6e6ae8ed8750d4de03410ac294bcd12c7eefa3%40%3Ccommits.cassandra.apache.org%3E"
},
{
"name": "[bookkeeper-issues] 20200729 [GitHub] [bookkeeper] padma81 opened a new issue #2387: Security vulnerabilities in the apache/bookkeeper-4.9.2 image",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0%40%3Cissues.bookkeeper.apache.org%3E"
},
{
"name": "[debian-lts-announce] 20200904 [SECURITY] [DLA 2365-1] netty-3.9 security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/09/msg00004.html"
},
{
"name": "[debian-lts-announce] 20200904 [SECURITY] [DLA 2364-1] netty security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/09/msg00003.html"
},
{
"name": "[flink-issues] 20200910 [jira] [Created] (FLINK-19195) question on security vulnerabilities in flink",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/raaac04b7567c554786132144bea3dcb72568edd410c1e6f0101742e7%40%3Cissues.flink.apache.org%3E"
},
{
"name": "[flink-dev] 20200910 [jira] [Created] (FLINK-19195) question on security vulnerabilities in flink",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rf5b2dfb7401666a19915f8eaef3ba9f5c3386e2066fcd2ae66e16a2f%40%3Cdev.flink.apache.org%3E"
},
{
"name": "USN-4532-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "https://usn.ubuntu.com/4532-1/"
},
{
"name": "FEDORA-2020-66b5f85ccc",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TS6VX7OMXPDJIU5LRGUAHRK6MENAVJ46/"
},
{
"name": "[pulsar-commits] 20201215 [GitHub] [pulsar] yanshuchong opened a new issue #8967: CVSS issue list",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26%40%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[pulsar-commits] 20210120 [GitHub] [pulsar] fmiguelez opened a new issue #9249: Upgrade Netty dependency in broker to solve vulnerabilities: CVE-2019-16869, CVE-2020-11612, CVE-2019-20445, CVE-2019-20444",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r832724df393a7ef25ca4c7c2eb83ad2d6c21c74569acda5233f9f1ec%40%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[pulsar-commits] 20210121 [GitHub] [pulsar] hpvd commented on issue #9249: Upgrade Netty dependency in broker to solve vulnerabilities: CVE-2019-16869, CVE-2020-11612, CVE-2019-20445, CVE-2019-20444",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r7790b9d99696d9eddce8a8c96f13bb68460984294ea6fea3800143e4%40%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[pulsar-commits] 20210122 [GitHub] [pulsar] hpvd commented on issue #9249: Upgrade Netty dependency in broker to solve vulnerabilities: CVE-2019-16869, CVE-2020-11612, CVE-2019-20445, CVE-2019-20444",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rdb69125652311d0c41f6066ff44072a3642cf33a4b5e3c4f9c1ec9c2%40%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "DSA-4885",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2021/dsa-4885"
},
{
"name": "[flink-issues] 20210426 [jira] [Commented] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rd8f72411fb75b98d366400ae789966373b5c3eb3f511e717caf3e49e%40%3Cissues.flink.apache.org%3E"
},
{
"name": "[spark-issues] 20210824 [jira] [Created] (SPARK-36572) Upgrade version of io.netty to 4.1.44.Final to solve CVE-2019-20444 and CVE-2019-20445",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r2f2989b7815d809ff3fda8ce330f553e5f133505afd04ffbc135f35f%40%3Cissues.spark.apache.org%3E"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding header."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-08-24T10:06:21",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/netty/netty/compare/netty-4.1.43.Final...netty-4.1.44.Final"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/netty/netty/issues/9861"
},
{
"name": "[druid-commits] 20200131 [GitHub] [druid] ccaominh commented on a change in pull request #9300: Fix / suppress netty CVEs CVE-2019-20445 and CVE-2019-20444",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/re45ee9256d3233c31d78e59ee59c7dc841c7fbd83d0769285b41e948%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20200131 [GitHub] [druid] zachjsh opened a new pull request #9300: Fix / suppress netty CVEs CVE-2019-20445 and CVE-2019-20444",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r70b1ff22ee80e8101805b9a473116dd33265709007d2deb6f8c80bf2%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20200131 [GitHub] [druid] gianm merged pull request #9300: Fix / suppress netty CVEs CVE-2019-20445 and CVE-2019-20444",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rff210a24f3a924829790e69eaefa84820902b7b31f17c3bf2def9114%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20200203 [jira] [Created] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/ra9fbfe7d4830ae675bf34c7c0f8c22fc8a4099f65706c1bc4f54c593%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-dev] 20200203 [jira] [Created] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r96e08f929234e8ba1ef4a93a0fd2870f535a1f9ab628fabc46115986%40%3Cdev.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-dev] 20200203 Re: [VOTE] Apache ZooKeeper release 3.6.0 candidate 1",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r81700644754e66ffea465c869cb477de25f8041e21598e8818fc2c45%40%3Cdev.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20200203 [jira] [Assigned] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r804895eedd72c9ec67898286eb185e04df852b0dd5fe53cf5b6138f9%40%3Cissues.zookeeper.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread.html/rce71d33747010d32d31d90f5d737dae26291d96552f513a266c92fbb%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread.html/rfb55f245b08d8a6ec0fb4dc159022227cd22de34c4419c2fbb18802b%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20200203 [jira] [Updated] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/ra2ace4bcb5cf487f72cbcbfa0f8cc08e755ec2b93d7e69f276148b08%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20200203 [jira] [Commented] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r36fcf538b28f2029e8b4f6b9a772f3b107913a78f09b095c5b153a62%40%3Cissues.zookeeper.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread.html/r310d2ce22304d5298ff87f10134f918c87919b452734f9841d95682d%40%3Ccommits.zookeeper.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread.html/r9b20cdac704cf9a583400350e2d5b576fa8417c18ddb961201676c60%40%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20200204 [jira] [Resolved] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r640eb9b3213058a963e18291f903fc1584e577f60035f941e32f760a%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20200209 [jira] [Updated] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r1fcccf8bdb3531c28bc9aa605a6a1bea7e68cef6fc12e01faafb2fb5%40%3Cissues.zookeeper.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread.html/r819aaeb9944bdcfca438dcc51f05650dc728daf64dfd7d774fc2499b%40%3Ccommits.zookeeper.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread.html/rb84c57670ec48ef23f4d07973b7fa69f629b8e7fcfb48874362feb6f%40%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20200209 [jira] [Commented] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r6945f3c346b7af89bbd3526a7c9b705b1e3569070ebcd0964bcedd7d%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "RHSA-2020:0497",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2020:0497"
},
{
"name": "[cassandra-commits] 20200218 [jira] [Created] (CASSANDRA-15590) Upgrade io.netty_netty-all dependency to fix security vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r959474dcf7f88565ed89f6252ca5a274419006cb71348f14764b183d%40%3Ccommits.cassandra.apache.org%3E"
},
{
"name": "[debian-lts-announce] 20200219 [SECURITY] [DLA 2109-1] netty security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/02/msg00017.html"
},
{
"name": "[debian-lts-announce] 20200219 [SECURITY] [DLA 2110-1] netty-3.9 security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/02/msg00018.html"
},
{
"name": "RHSA-2020:0601",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2020:0601"
},
{
"name": "RHSA-2020:0606",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2020:0606"
},
{
"name": "RHSA-2020:0605",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2020:0605"
},
{
"name": "RHSA-2020:0567",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2020:0567"
},
{
"name": "[spark-issues] 20200309 [jira] [Created] (SPARK-31095) Upgrade netty version to fix security vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rb5c065e7bd701b0744f9f28ad769943f91745102716c1eb516325f11%40%3Cissues.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20200310 [GitHub] [spark] dongjoon-hyun commented on issue #27870: [SPARK-31095][BUILD][2.4] Upgrade netty-all to 4.1.47.Final",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r46f93de62b1e199f3f9babb18128681677c53493546f532ed88c359d%40%3Creviews.spark.apache.org%3E"
},
{
"name": "RHSA-2020:0806",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2020:0806"
},
{
"name": "RHSA-2020:0811",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2020:0811"
},
{
"name": "RHSA-2020:0804",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2020:0804"
},
{
"name": "RHSA-2020:0805",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2020:0805"
},
{
"name": "[geode-dev] 20200408 Proposal to bring GEODE-7969 to support/1.12",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r205937c85817a911b0c72655c2377e7a2c9322d6ef6ce1b118d34d8d%40%3Cdev.geode.apache.org%3E"
},
{
"name": "[geode-dev] 20200408 Re: Proposal to bring GEODE-7969 to support/1.12",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/ra1a71b576a45426af5ee65255be9596ff3181a342f4ba73b800db78f%40%3Cdev.geode.apache.org%3E"
},
{
"name": "[flume-issues] 20200410 [jira] [Created] (FLUME-3363) CVE-2019-20445",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r4ff40646e9ccce13560458419accdfc227b8b6ca4ead3a8a91decc74%40%3Cissues.flume.apache.org%3E"
},
{
"name": "[flume-issues] 20200415 [jira] [Updated] (FLUME-3363) CVE-2019-20445",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r030beff88aeb6d7a2d6cd21342bd18686153ce6e26a4171d0e035663%40%3Cissues.flume.apache.org%3E"
},
{
"name": "[flume-issues] 20200422 [jira] [Commented] (FLUME-3363) CVE-2019-20445",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rbdb59c683d666130906a9c05a1d2b034c4cc08cda7ed41322bd54fe2%40%3Cissues.flume.apache.org%3E"
},
{
"name": "[cassandra-commits] 20200604 [jira] [Created] (CASSANDRA-15856) Security vulnerabilities with dependency jars of Cassandra 3.11.6",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r4d3f1d3e333d9c2b2f6e6ae8ed8750d4de03410ac294bcd12c7eefa3%40%3Ccommits.cassandra.apache.org%3E"
},
{
"name": "[bookkeeper-issues] 20200729 [GitHub] [bookkeeper] padma81 opened a new issue #2387: Security vulnerabilities in the apache/bookkeeper-4.9.2 image",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0%40%3Cissues.bookkeeper.apache.org%3E"
},
{
"name": "[debian-lts-announce] 20200904 [SECURITY] [DLA 2365-1] netty-3.9 security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/09/msg00004.html"
},
{
"name": "[debian-lts-announce] 20200904 [SECURITY] [DLA 2364-1] netty security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/09/msg00003.html"
},
{
"name": "[flink-issues] 20200910 [jira] [Created] (FLINK-19195) question on security vulnerabilities in flink",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/raaac04b7567c554786132144bea3dcb72568edd410c1e6f0101742e7%40%3Cissues.flink.apache.org%3E"
},
{
"name": "[flink-dev] 20200910 [jira] [Created] (FLINK-19195) question on security vulnerabilities in flink",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rf5b2dfb7401666a19915f8eaef3ba9f5c3386e2066fcd2ae66e16a2f%40%3Cdev.flink.apache.org%3E"
},
{
"name": "USN-4532-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU"
],
"url": "https://usn.ubuntu.com/4532-1/"
},
{
"name": "FEDORA-2020-66b5f85ccc",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TS6VX7OMXPDJIU5LRGUAHRK6MENAVJ46/"
},
{
"name": "[pulsar-commits] 20201215 [GitHub] [pulsar] yanshuchong opened a new issue #8967: CVSS issue list",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26%40%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[pulsar-commits] 20210120 [GitHub] [pulsar] fmiguelez opened a new issue #9249: Upgrade Netty dependency in broker to solve vulnerabilities: CVE-2019-16869, CVE-2020-11612, CVE-2019-20445, CVE-2019-20444",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r832724df393a7ef25ca4c7c2eb83ad2d6c21c74569acda5233f9f1ec%40%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[pulsar-commits] 20210121 [GitHub] [pulsar] hpvd commented on issue #9249: Upgrade Netty dependency in broker to solve vulnerabilities: CVE-2019-16869, CVE-2020-11612, CVE-2019-20445, CVE-2019-20444",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r7790b9d99696d9eddce8a8c96f13bb68460984294ea6fea3800143e4%40%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[pulsar-commits] 20210122 [GitHub] [pulsar] hpvd commented on issue #9249: Upgrade Netty dependency in broker to solve vulnerabilities: CVE-2019-16869, CVE-2020-11612, CVE-2019-20445, CVE-2019-20444",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rdb69125652311d0c41f6066ff44072a3642cf33a4b5e3c4f9c1ec9c2%40%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "DSA-4885",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2021/dsa-4885"
},
{
"name": "[flink-issues] 20210426 [jira] [Commented] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rd8f72411fb75b98d366400ae789966373b5c3eb3f511e717caf3e49e%40%3Cissues.flink.apache.org%3E"
},
{
"name": "[spark-issues] 20210824 [jira] [Created] (SPARK-36572) Upgrade version of io.netty to 4.1.44.Final to solve CVE-2019-20444 and CVE-2019-20445",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r2f2989b7815d809ff3fda8ce330f553e5f133505afd04ffbc135f35f%40%3Cissues.spark.apache.org%3E"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-20445",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding header."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/netty/netty/compare/netty-4.1.43.Final...netty-4.1.44.Final",
"refsource": "MISC",
"url": "https://github.com/netty/netty/compare/netty-4.1.43.Final...netty-4.1.44.Final"
},
{
"name": "https://github.com/netty/netty/issues/9861",
"refsource": "MISC",
"url": "https://github.com/netty/netty/issues/9861"
},
{
"name": "[druid-commits] 20200131 [GitHub] [druid] ccaominh commented on a change in pull request #9300: Fix / suppress netty CVEs CVE-2019-20445 and CVE-2019-20444",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/re45ee9256d3233c31d78e59ee59c7dc841c7fbd83d0769285b41e948@%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20200131 [GitHub] [druid] zachjsh opened a new pull request #9300: Fix / suppress netty CVEs CVE-2019-20445 and CVE-2019-20444",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r70b1ff22ee80e8101805b9a473116dd33265709007d2deb6f8c80bf2@%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20200131 [GitHub] [druid] gianm merged pull request #9300: Fix / suppress netty CVEs CVE-2019-20445 and CVE-2019-20444",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rff210a24f3a924829790e69eaefa84820902b7b31f17c3bf2def9114@%3Ccommits.druid.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20200203 [jira] [Created] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/ra9fbfe7d4830ae675bf34c7c0f8c22fc8a4099f65706c1bc4f54c593@%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-dev] 20200203 [jira] [Created] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r96e08f929234e8ba1ef4a93a0fd2870f535a1f9ab628fabc46115986@%3Cdev.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-dev] 20200203 Re: [VOTE] Apache ZooKeeper release 3.6.0 candidate 1",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r81700644754e66ffea465c869cb477de25f8041e21598e8818fc2c45@%3Cdev.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20200203 [jira] [Assigned] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r804895eedd72c9ec67898286eb185e04df852b0dd5fe53cf5b6138f9@%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/rce71d33747010d32d31d90f5d737dae26291d96552f513a266c92fbb@%3Cnotifications.zookeeper.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/rce71d33747010d32d31d90f5d737dae26291d96552f513a266c92fbb@%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/rfb55f245b08d8a6ec0fb4dc159022227cd22de34c4419c2fbb18802b@%3Cnotifications.zookeeper.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/rfb55f245b08d8a6ec0fb4dc159022227cd22de34c4419c2fbb18802b@%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20200203 [jira] [Updated] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/ra2ace4bcb5cf487f72cbcbfa0f8cc08e755ec2b93d7e69f276148b08@%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20200203 [jira] [Commented] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r36fcf538b28f2029e8b4f6b9a772f3b107913a78f09b095c5b153a62@%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/r310d2ce22304d5298ff87f10134f918c87919b452734f9841d95682d@%3Ccommits.zookeeper.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/r310d2ce22304d5298ff87f10134f918c87919b452734f9841d95682d@%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/r9b20cdac704cf9a583400350e2d5b576fa8417c18ddb961201676c60@%3Ccommits.zookeeper.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/r9b20cdac704cf9a583400350e2d5b576fa8417c18ddb961201676c60@%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20200204 [jira] [Resolved] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r640eb9b3213058a963e18291f903fc1584e577f60035f941e32f760a@%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20200209 [jira] [Updated] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r1fcccf8bdb3531c28bc9aa605a6a1bea7e68cef6fc12e01faafb2fb5@%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/r819aaeb9944bdcfca438dcc51f05650dc728daf64dfd7d774fc2499b@%3Ccommits.zookeeper.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/r819aaeb9944bdcfca438dcc51f05650dc728daf64dfd7d774fc2499b@%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/rb84c57670ec48ef23f4d07973b7fa69f629b8e7fcfb48874362feb6f@%3Ccommits.zookeeper.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/rb84c57670ec48ef23f4d07973b7fa69f629b8e7fcfb48874362feb6f@%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20200209 [jira] [Commented] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r6945f3c346b7af89bbd3526a7c9b705b1e3569070ebcd0964bcedd7d@%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "RHSA-2020:0497",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2020:0497"
},
{
"name": "[cassandra-commits] 20200218 [jira] [Created] (CASSANDRA-15590) Upgrade io.netty_netty-all dependency to fix security vulnerabilities",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r959474dcf7f88565ed89f6252ca5a274419006cb71348f14764b183d@%3Ccommits.cassandra.apache.org%3E"
},
{
"name": "[debian-lts-announce] 20200219 [SECURITY] [DLA 2109-1] netty security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2020/02/msg00017.html"
},
{
"name": "[debian-lts-announce] 20200219 [SECURITY] [DLA 2110-1] netty-3.9 security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2020/02/msg00018.html"
},
{
"name": "RHSA-2020:0601",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2020:0601"
},
{
"name": "RHSA-2020:0606",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2020:0606"
},
{
"name": "RHSA-2020:0605",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2020:0605"
},
{
"name": "RHSA-2020:0567",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2020:0567"
},
{
"name": "[spark-issues] 20200309 [jira] [Created] (SPARK-31095) Upgrade netty version to fix security vulnerabilities",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rb5c065e7bd701b0744f9f28ad769943f91745102716c1eb516325f11@%3Cissues.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20200310 [GitHub] [spark] dongjoon-hyun commented on issue #27870: [SPARK-31095][BUILD][2.4] Upgrade netty-all to 4.1.47.Final",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r46f93de62b1e199f3f9babb18128681677c53493546f532ed88c359d@%3Creviews.spark.apache.org%3E"
},
{
"name": "RHSA-2020:0806",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2020:0806"
},
{
"name": "RHSA-2020:0811",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2020:0811"
},
{
"name": "RHSA-2020:0804",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2020:0804"
},
{
"name": "RHSA-2020:0805",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2020:0805"
},
{
"name": "[geode-dev] 20200408 Proposal to bring GEODE-7969 to support/1.12",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r205937c85817a911b0c72655c2377e7a2c9322d6ef6ce1b118d34d8d@%3Cdev.geode.apache.org%3E"
},
{
"name": "[geode-dev] 20200408 Re: Proposal to bring GEODE-7969 to support/1.12",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/ra1a71b576a45426af5ee65255be9596ff3181a342f4ba73b800db78f@%3Cdev.geode.apache.org%3E"
},
{
"name": "[flume-issues] 20200410 [jira] [Created] (FLUME-3363) CVE-2019-20445",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r4ff40646e9ccce13560458419accdfc227b8b6ca4ead3a8a91decc74@%3Cissues.flume.apache.org%3E"
},
{
"name": "[flume-issues] 20200415 [jira] [Updated] (FLUME-3363) CVE-2019-20445",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r030beff88aeb6d7a2d6cd21342bd18686153ce6e26a4171d0e035663@%3Cissues.flume.apache.org%3E"
},
{
"name": "[flume-issues] 20200422 [jira] [Commented] (FLUME-3363) CVE-2019-20445",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rbdb59c683d666130906a9c05a1d2b034c4cc08cda7ed41322bd54fe2@%3Cissues.flume.apache.org%3E"
},
{
"name": "[cassandra-commits] 20200604 [jira] [Created] (CASSANDRA-15856) Security vulnerabilities with dependency jars of Cassandra 3.11.6",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r4d3f1d3e333d9c2b2f6e6ae8ed8750d4de03410ac294bcd12c7eefa3@%3Ccommits.cassandra.apache.org%3E"
},
{
"name": "[bookkeeper-issues] 20200729 [GitHub] [bookkeeper] padma81 opened a new issue #2387: Security vulnerabilities in the apache/bookkeeper-4.9.2 image",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E"
},
{
"name": "[debian-lts-announce] 20200904 [SECURITY] [DLA 2365-1] netty-3.9 security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2020/09/msg00004.html"
},
{
"name": "[debian-lts-announce] 20200904 [SECURITY] [DLA 2364-1] netty security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2020/09/msg00003.html"
},
{
"name": "[flink-issues] 20200910 [jira] [Created] (FLINK-19195) question on security vulnerabilities in flink",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/raaac04b7567c554786132144bea3dcb72568edd410c1e6f0101742e7@%3Cissues.flink.apache.org%3E"
},
{
"name": "[flink-dev] 20200910 [jira] [Created] (FLINK-19195) question on security vulnerabilities in flink",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rf5b2dfb7401666a19915f8eaef3ba9f5c3386e2066fcd2ae66e16a2f@%3Cdev.flink.apache.org%3E"
},
{
"name": "USN-4532-1",
"refsource": "UBUNTU",
"url": "https://usn.ubuntu.com/4532-1/"
},
{
"name": "FEDORA-2020-66b5f85ccc",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TS6VX7OMXPDJIU5LRGUAHRK6MENAVJ46/"
},
{
"name": "[pulsar-commits] 20201215 [GitHub] [pulsar] yanshuchong opened a new issue #8967: CVSS issue list",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26@%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[pulsar-commits] 20210120 [GitHub] [pulsar] fmiguelez opened a new issue #9249: Upgrade Netty dependency in broker to solve vulnerabilities: CVE-2019-16869, CVE-2020-11612, CVE-2019-20445, CVE-2019-20444",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r832724df393a7ef25ca4c7c2eb83ad2d6c21c74569acda5233f9f1ec@%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[pulsar-commits] 20210121 [GitHub] [pulsar] hpvd commented on issue #9249: Upgrade Netty dependency in broker to solve vulnerabilities: CVE-2019-16869, CVE-2020-11612, CVE-2019-20445, CVE-2019-20444",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r7790b9d99696d9eddce8a8c96f13bb68460984294ea6fea3800143e4@%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[pulsar-commits] 20210122 [GitHub] [pulsar] hpvd commented on issue #9249: Upgrade Netty dependency in broker to solve vulnerabilities: CVE-2019-16869, CVE-2020-11612, CVE-2019-20445, CVE-2019-20444",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rdb69125652311d0c41f6066ff44072a3642cf33a4b5e3c4f9c1ec9c2@%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "DSA-4885",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2021/dsa-4885"
},
{
"name": "[flink-issues] 20210426 [jira] [Commented] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rd8f72411fb75b98d366400ae789966373b5c3eb3f511e717caf3e49e@%3Cissues.flink.apache.org%3E"
},
{
"name": "[spark-issues] 20210824 [jira] [Created] (SPARK-36572) Upgrade version of io.netty to 4.1.44.Final to solve CVE-2019-20444 and CVE-2019-20445",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r2f2989b7815d809ff3fda8ce330f553e5f133505afd04ffbc135f35f@%3Cissues.spark.apache.org%3E"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-20445",
"datePublished": "2020-01-29T20:33:03",
"dateReserved": "2020-01-29T00:00:00",
"dateUpdated": "2024-08-05T02:39:10.039Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-16869 (GCVE-0-2019-16869)
Vulnerability from cvelistv5
Published
2019-09-26 15:28
Modified
2025-07-07 16:57
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Netty before 4.1.42.Final mishandles whitespace before the colon in HTTP headers (such as a "Transfer-Encoding : chunked" line), which leads to HTTP request smuggling.
References
| ► | URL | Tags | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T01:24:48.659Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/netty/netty/issues/9571"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/netty/netty/compare/netty-4.1.41.Final...netty-4.1.42.Final"
},
{
"name": "[zookeeper-dev] 20190930 Re: [VOTE] Apache ZooKeeper release 3.5.6 candidate 2",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/e39931d7cdd17241e69a0a09a89d99d7435bcc59afee8a9628d67769%40%3Cdev.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20190930 [jira] [Updated] (ZOOKEEPER-3563) dependency check failing on 3.4 and 3.5 branches - netty with CVE-2019-16869",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/6e1e34c0d5635a987d595df9e532edac212307243bb1b49eead6d55b%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-dev] 20190930 [jira] [Created] (ZOOKEEPER-3563) dependency check failing on 3.4 and 3.5 branches - netty-3.10.6.Final.jar: CVE-2019-16869",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/2494a2ac7f66af6e4646a4937b17972a4ec7cd3c7333c66ffd6c639d%40%3Cdev.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20190930 [jira] [Updated] (ZOOKEEPER-3563) dependency check failing on 3.4 and 3.5 branches - CVE-2019-16869 on Netty",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/76540c8b0ed761bfa6c81fa28c13057f13a5448aed079d656f6a3c79%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20190930 [jira] [Created] (ZOOKEEPER-3563) dependency check failing on 3.4 and 3.5 branches - netty-3.10.6.Final.jar: CVE-2019-16869",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/9128111213b7b734ffc85db08d8f789b00a85a7f241b708e55debbd0%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[debian-lts-announce] 20190930 [SECURITY] [DLA 1941-1] netty security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2019/09/msg00035.html"
},
{
"name": "[zookeeper-issues] 20190930 [jira] [Commented] (ZOOKEEPER-3563) dependency check failing on 3.4 and 3.5 branches - CVE-2019-16869 on Netty",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/d3eb0dbea75ef5c400bd49dfa1901ad50be606cca3cb29e0d01b6a54%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-dev] 20191001 Re: [VOTE] Apache ZooKeeper release 3.5.6 candidate 2",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/3e6d7aae1cca10257e3caf2d69b22f74c875f12a1314155af422569d%40%3Cdev.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20191001 [jira] [Commented] (ZOOKEEPER-3563) dependency check failing on 3.4 and 3.5 branches - CVE-2019-16869 on Netty",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/37ed432b8eb35d8bd757f53783ec3e334bd51f514534432bea7f1c3d%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-dev] 20191002 Re: [VOTE] Apache ZooKeeper release 3.5.6 candidate 2",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/bdf7a5e597346a75d2d884ca48c767525e35137ad59d8f10b8fc943c%40%3Cdev.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-commits] 20191003 [zookeeper] branch branch-3.5 updated: ZOOKEEPER-3563: Update Netty to fix CVE-2019-16869",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/380f6d2730603a2cd6b0a8bea9bcb21a86c199147e77e448c5f7390b%40%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-commits] 20191003 [zookeeper] branch master updated: ZOOKEEPER-3563: Update Netty to address CVE-2019-16869",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/cf5aa087632ead838f8ac3a42e9837684e7afe6e0fcb7704e0c73bc0%40%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-commits] 20191003 [zookeeper] branch branch-3.5.6 updated: ZOOKEEPER-3563: Update Netty to fix CVE-2019-16869",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/cbf6e6a04cb37e9320ad20e437df63beeab1755fc0761918ed5c5a6e%40%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20191003 [jira] [Commented] (ZOOKEEPER-3563) dependency check failing on 3.4 and 3.5 branches - CVE-2019-16869 on Netty",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/2e1cf538b502713c2c42ffa46d81f4688edb5676eb55bd9fc4b4fed7%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20191008 [jira] [Resolved] (ZOOKEEPER-3563) dependency check failing on 3.4 and 3.5 branches - CVE-2019-16869 on Netty",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/a0f77c73af32cbe4ff0968bfcbbe80ae6361f3dccdd46f3177547266%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20191008 [jira] [Commented] (ZOOKEEPER-3563) dependency check failing on 3.4 and 3.5 branches - CVE-2019-16869 on Netty",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/b2cd51795f938632c6f60a4c59d9e587fbacd7f7d0e0a3684850a30f%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E"
},
{
"name": "[drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E"
},
{
"name": "[drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E"
},
{
"name": "[tinkerpop-commits] 20191022 [tinkerpop] branch tp34 updated: Bump to Netty 4.1.42 fixes CVE-2019-16869 - CTR",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/e192fe8797c192679759ffa6b15e4d0806546945a41d8ebfbc6ee3ac%40%3Ccommits.tinkerpop.apache.org%3E"
},
{
"name": "[cassandra-commits] 20191113 [jira] [Created] (CASSANDRA-15417) CVE-2019-16869(Netty is vulnerable to HTTP Request Smuggling) of severity 7.5",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/d14f721e0099b914daebe29bca199fde85d8354253be9d6d3d46507a%40%3Ccommits.cassandra.apache.org%3E"
},
{
"name": "[cassandra-commits] 20191113 [jira] [Created] (CASSANDRA-15418) CVE-2019-16869(Netty is vulnerable to HTTP Request Smuggling) of severity 7.5 for Cassendra 2.2.5",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/f6c5ebfb018787c764f000362d59e4b231c0a36b6253aa866de8c64e%40%3Ccommits.cassandra.apache.org%3E"
},
{
"name": "RHSA-2019:3892",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2019:3892"
},
{
"name": "[druid-commits] 20191115 [GitHub] [incubator-druid] ccaominh opened a new pull request #8878: Address security vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "RHSA-2019:3901",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2019:3901"
},
{
"name": "[olingo-dev] 20191206 [jira] [Updated] (OLINGO-1414) Dependency check fails on 4.7.0 : CVE-2019-16869 on Netty",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/6063699b87b501ecca8dd3b0e82251bfc85f29363a9b46ac5ace80cf%40%3Cdev.olingo.apache.org%3E"
},
{
"name": "[olingo-dev] 20191206 [jira] [Created] (OLINGO-1414) Dependency check fails on 4.7.0 : CVE-2019-16869 on Netty",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/d7d530599dc7813056c712213e367b68cdf56fb5c9b73f864870bc4c%40%3Cdev.olingo.apache.org%3E"
},
{
"name": "[olingo-dev] 20191206 [jira] [Commented] (OLINGO-1414) Dependency check fails on 4.7.0 : CVE-2019-16869 on Netty",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/af6e9c2d716868606523857a4cd7a5ee506e6d1710f5fb0d567ec030%40%3Cdev.olingo.apache.org%3E"
},
{
"name": "[olingo-dev] 20191206 [jira] [Assigned] (OLINGO-1414) Dependency check fails on 4.7.0 : CVE-2019-16869 on Netty",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/19fed892608db1efe5a5ce14372137669ff639df0205323959af7de3%40%3Cdev.olingo.apache.org%3E"
},
{
"name": "[olingo-dev] 20191206 [jira] [Resolved] (OLINGO-1414) Dependency check fails on 4.7.0 : CVE-2019-16869 on Netty",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/b264fa5801e87698e9f43f2b5585fbc5ebdc26c6f4aad861b258fb69%40%3Cdev.olingo.apache.org%3E"
},
{
"name": "[olingo-dev] 20191209 [jira] [Commented] (OLINGO-1414) Dependency check fails on 4.7.0 : CVE-2019-16869 on Netty",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/b3dda6399a0ea2b647624b899fd330fca81834e41b13e3e11e1002d8%40%3Cdev.olingo.apache.org%3E"
},
{
"name": "[spark-issues] 20191219 [jira] [Updated] (SPARK-30308) Update Netty and Netty-all to address CVE-2019-16869",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/ee6faea9e542c0b90afd70297a9daa203e20d41aa2ac7fca6703662f%40%3Cissues.spark.apache.org%3E"
},
{
"name": "[spark-issues] 20191219 [jira] [Created] (SPARK-30308) Update Netty and Netty-all to address CVE-2019-16869",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/860acce024d79837e963a51a42bab2cef8e8d017aad2b455ecd1dcf0%40%3Cissues.spark.apache.org%3E"
},
{
"name": "[spark-issues] 20191219 [jira] [Commented] (SPARK-30308) Update Netty and Netty-all to address CVE-2019-16869",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/0acadfb96176768caac79b404110df62d14d30aa9d53b6dbdb1407ac%40%3Cissues.spark.apache.org%3E"
},
{
"name": "[spark-issues] 20191220 [jira] [Resolved] (SPARK-30308) Update Netty and Netty-all to address CVE-2019-16869",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/51923a9ba513b2e816e02a9d1fd8aa6f12e3e4e99bbd9dc884bccbbe%40%3Cissues.spark.apache.org%3E"
},
{
"name": "[spark-issues] 20191220 [jira] [Issue Comment Deleted] (SPARK-30308) Update Netty and Netty-all to address CVE-2019-16869",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/681493a2f9b63f5b468f741d88d1aa51b2cfcf7a1c5b74ea8c4343fb%40%3Cissues.spark.apache.org%3E"
},
{
"name": "[spark-issues] 20191220 [jira] [Comment Edited] (SPARK-30308) Update Netty and Netty-all to address CVE-2019-16869",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/799eb85d67cbddc1851a3e63a07b55e95b2f44f1685225d38570ce89%40%3Cissues.spark.apache.org%3E"
},
{
"name": "[spark-issues] 20191220 [jira] [Commented] (SPARK-30308) Update Netty and Netty-all to address CVE-2019-16869",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/64b10f49c68333aaecf00348c5670fe182e49fd60d45c4a3ab241f8b%40%3Cissues.spark.apache.org%3E"
},
{
"name": "[spark-issues] 20191220 [jira] [Reopened] (SPARK-30308) Update Netty and Netty-all to address CVE-2019-16869",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/b3ddeebbfaf8a288d7de8ab2611cf2609ab76b9809f0633248546b7c%40%3Cissues.spark.apache.org%3E"
},
{
"name": "[olingo-dev] 20191227 [jira] [Commented] (OLINGO-1414) Dependency check fails on 4.7.0 : CVE-2019-16869 on Netty",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/35961d1ae00849974353a932b4fef12ebce074541552eceefa04f1fd%40%3Cdev.olingo.apache.org%3E"
},
{
"name": "DSA-4597",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2020/dsa-4597"
},
{
"name": "20200105 [SECURITY] [DSA 4597-1] netty security update",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ",
"x_transferred"
],
"url": "https://seclists.org/bugtraq/2020/Jan/6"
},
{
"name": "RHSA-2020:0164",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2020:0164"
},
{
"name": "RHSA-2020:0159",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2020:0159"
},
{
"name": "RHSA-2020:0160",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2020:0160"
},
{
"name": "RHSA-2020:0161",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2020:0161"
},
{
"name": "[druid-commits] 20200131 [GitHub] [druid] ccaominh commented on a change in pull request #9300: Fix / suppress netty CVEs CVE-2019-20445 and CVE-2019-20444",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/re45ee9256d3233c31d78e59ee59c7dc841c7fbd83d0769285b41e948%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "RHSA-2020:0445",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2020:0445"
},
{
"name": "[cassandra-commits] 20200218 [jira] [Created] (CASSANDRA-15590) Upgrade io.netty_netty-all dependency to fix security vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r959474dcf7f88565ed89f6252ca5a274419006cb71348f14764b183d%40%3Ccommits.cassandra.apache.org%3E"
},
{
"name": "[hadoop-common-issues] 20200219 [jira] [Updated] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rc7eb5634b71d284483e58665b22bf274a69bd184d9bd7ede52015d91%40%3Ccommon-issues.hadoop.apache.org%3E"
},
{
"name": "[hadoop-common-issues] 20200219 [jira] [Updated] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r90030b0117490caed526e57271bf4d7f9b012091ac5083c895d16543%40%3Ccommon-issues.hadoop.apache.org%3E"
},
{
"name": "[hadoop-common-issues] 20200219 [jira] [Assigned] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/re0b78a3d0a4ba2cf9f4e14e1d05040bde9051d5c78071177186336c9%40%3Ccommon-issues.hadoop.apache.org%3E"
},
{
"name": "[debian-lts-announce] 20200219 [SECURITY] [DLA 2110-1] netty-3.9 security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/02/msg00018.html"
},
{
"name": "[hadoop-common-issues] 20200224 [jira] [Commented] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/re78eaef7d01ad65c370df30e45c686fffff00b37f7bfd78b26a08762%40%3Ccommon-issues.hadoop.apache.org%3E"
},
{
"name": "[hadoop-common-issues] 20200225 [jira] [Commented] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r0c3d49bfdbc62fd3915676433cc5899c5506d06da1c552ef1b7923a5%40%3Ccommon-issues.hadoop.apache.org%3E"
},
{
"name": "[hadoop-common-issues] 20200309 [jira] [Updated] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rf2bf8e2eb0a03227f5bc100b544113f8cafea01e887bb068e8d1fa41%40%3Ccommon-issues.hadoop.apache.org%3E"
},
{
"name": "[hadoop-common-issues] 20200309 [jira] [Commented] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rb3361f6c6a5f834ad3db5e998c352760d393c0891b8d3bea90baa836%40%3Ccommon-issues.hadoop.apache.org%3E"
},
{
"name": "[hadoop-common-commits] 20200309 [hadoop] branch trunk updated: HADOOP-16871. Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444, CVE-2019-16869",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r86befa74c5cd1482c711134104aec339bf7ae879f2c4437d7ec477d4%40%3Ccommon-commits.hadoop.apache.org%3E"
},
{
"name": "[hadoop-common-commits] 20200309 [hadoop] branch branch-3.2 updated: HADOOP-16871. Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444, CVE-2019-16869",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rdd5d243a5f8ed8b83c0104e321aa420e5e98792a95749e3c9a54c0b9%40%3Ccommon-commits.hadoop.apache.org%3E"
},
{
"name": "[hadoop-common-commits] 20200309 [hadoop] branch branch-3.1 updated: HADOOP-16871. Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444, CVE-2019-16869",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rcb2c59428f34d4757702f9ae739a8795bda7bea97b857e708a9c62c6%40%3Ccommon-commits.hadoop.apache.org%3E"
},
{
"name": "[hadoop-common-issues] 20200310 [jira] [Commented] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r8402d67fdfe9cf169f859d52a7670b28a08eff31e54b522cc1432532%40%3Ccommon-issues.hadoop.apache.org%3E"
},
{
"name": "[cassandra-commits] 20200604 [jira] [Created] (CASSANDRA-15856) Security vulnerabilities with dependency jars of Cassandra 3.11.6",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r4d3f1d3e333d9c2b2f6e6ae8ed8750d4de03410ac294bcd12c7eefa3%40%3Ccommits.cassandra.apache.org%3E"
},
{
"name": "[debian-lts-announce] 20200904 [SECURITY] [DLA 2365-1] netty-3.9 security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/09/msg00004.html"
},
{
"name": "[flink-issues] 20200910 [jira] [Created] (FLINK-19195) question on security vulnerabilities in flink",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/raaac04b7567c554786132144bea3dcb72568edd410c1e6f0101742e7%40%3Cissues.flink.apache.org%3E"
},
{
"name": "[flink-dev] 20200910 [jira] [Created] (FLINK-19195) question on security vulnerabilities in flink",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rf5b2dfb7401666a19915f8eaef3ba9f5c3386e2066fcd2ae66e16a2f%40%3Cdev.flink.apache.org%3E"
},
{
"name": "USN-4532-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "https://usn.ubuntu.com/4532-1/"
},
{
"name": "[camel-commits] 20201120 [camel] branch camel-2.25.x updated: Updating Netty to 4.1.48.Final to fix some CVEs (e.g. CVE-2019-16869, CVE-2019-20444)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r0aa8b28e76ec01c697b15e161e6797e88fc8d406ed762e253401106e%40%3Ccommits.camel.apache.org%3E"
},
{
"name": "[pulsar-commits] 20201215 [GitHub] [pulsar] yanshuchong opened a new issue #8967: CVSS issue list",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26%40%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[rocketmq-dev] 20201224 [GitHub] [rocketmq] crazywen opened a new pull request #2517: fix CVE-2019-16869, CVE-2018-8020",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r831e0548fad736a98140d0b3b7dc575af0c50faea0b266434ba813cc%40%3Cdev.rocketmq.apache.org%3E"
},
{
"name": "[rocketmq-dev] 20201224 [GitHub] [rocketmq] coveralls commented on pull request #2517: fix CVE-2019-16869, CVE-2018-8020",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rcddf723a4b4117f8ed6042e9ac25e8c5110a617bab77694b61b14833%40%3Cdev.rocketmq.apache.org%3E"
},
{
"name": "[rocketmq-dev] 20201224 [GitHub] [rocketmq] codecov-io commented on pull request #2517: fix CVE-2019-16869, CVE-2018-8020",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rb25b42f666d2cac5e6e6b3f771faf60d1f1aa58073dcdd8db14edf8a%40%3Cdev.rocketmq.apache.org%3E"
},
{
"name": "[pulsar-commits] 20210120 [GitHub] [pulsar] fmiguelez opened a new issue #9249: Upgrade Netty dependency in broker to solve vulnerabilities: CVE-2019-16869, CVE-2020-11612, CVE-2019-20445, CVE-2019-20444",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r832724df393a7ef25ca4c7c2eb83ad2d6c21c74569acda5233f9f1ec%40%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[pulsar-commits] 20210121 [GitHub] [pulsar] hpvd commented on issue #9249: Upgrade Netty dependency in broker to solve vulnerabilities: CVE-2019-16869, CVE-2020-11612, CVE-2019-20445, CVE-2019-20444",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r7790b9d99696d9eddce8a8c96f13bb68460984294ea6fea3800143e4%40%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[pulsar-commits] 20210122 [GitHub] [pulsar] hpvd commented on issue #9249: Upgrade Netty dependency in broker to solve vulnerabilities: CVE-2019-16869, CVE-2020-11612, CVE-2019-20445, CVE-2019-20444",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rdb69125652311d0c41f6066ff44072a3642cf33a4b5e3c4f9c1ec9c2%40%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[cassandra-commits] 20210526 [jira] [Created] (CASSANDRA-16699) Security vulnerability CVE-2020-7238 for Netty",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rc8d554aad889d12b140d9fd7d2d6fc2e8716e9792f6f4e4b2cdc2d05%40%3Ccommits.cassandra.apache.org%3E"
},
{
"name": "[cassandra-commits] 20210526 [jira] [Updated] (CASSANDRA-16699) Security vulnerability CVE-2020-7238 for Netty",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r131e572d003914843552fa45c4398b9903fb74144986e8b107c0a3a7%40%3Ccommits.cassandra.apache.org%3E"
},
{
"name": "[cassandra-commits] 20210924 [jira] [Commented] (CASSANDRA-15417) CVE-2019-16869(Netty is vulnerable to HTTP Request Smuggling) of severity 7.5",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r3225f7dfe6b8a37e800ecb8e31abd7ac6c4312dbd3223dd8139c37bb%40%3Ccommits.cassandra.apache.org%3E"
},
{
"name": "[cassandra-commits] 20210924 [jira] [Updated] (CASSANDRA-15417) CVE-2019-16869(Netty is vulnerable to HTTP Request Smuggling) of severity 7.5",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r73c400ab66d79821dec9e3472f0e2c048d528672bdb0f8bf44d7cb1f%40%3Ccommits.cassandra.apache.org%3E"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Netty before 4.1.42.Final mishandles whitespace before the colon in HTTP headers (such as a \"Transfer-Encoding : chunked\" line), which leads to HTTP request smuggling."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-07T16:57:29.928Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/netty/netty/issues/9571"
},
{
"url": "https://github.com/netty/netty/compare/netty-4.1.41.Final...netty-4.1.42.Final"
},
{
"name": "[zookeeper-dev] 20190930 Re: [VOTE] Apache ZooKeeper release 3.5.6 candidate 2",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/e39931d7cdd17241e69a0a09a89d99d7435bcc59afee8a9628d67769@%3Cdev.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20190930 [jira] [Updated] (ZOOKEEPER-3563) dependency check failing on 3.4 and 3.5 branches - netty with CVE-2019-16869",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/6e1e34c0d5635a987d595df9e532edac212307243bb1b49eead6d55b@%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-dev] 20190930 [jira] [Created] (ZOOKEEPER-3563) dependency check failing on 3.4 and 3.5 branches - netty-3.10.6.Final.jar: CVE-2019-16869",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/2494a2ac7f66af6e4646a4937b17972a4ec7cd3c7333c66ffd6c639d@%3Cdev.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20190930 [jira] [Updated] (ZOOKEEPER-3563) dependency check failing on 3.4 and 3.5 branches - CVE-2019-16869 on Netty",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/76540c8b0ed761bfa6c81fa28c13057f13a5448aed079d656f6a3c79@%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20190930 [jira] [Created] (ZOOKEEPER-3563) dependency check failing on 3.4 and 3.5 branches - netty-3.10.6.Final.jar: CVE-2019-16869",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/9128111213b7b734ffc85db08d8f789b00a85a7f241b708e55debbd0@%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[debian-lts-announce] 20190930 [SECURITY] [DLA 1941-1] netty security update",
"tags": [
"mailing-list"
],
"url": "https://lists.debian.org/debian-lts-announce/2019/09/msg00035.html"
},
{
"name": "[zookeeper-issues] 20190930 [jira] [Commented] (ZOOKEEPER-3563) dependency check failing on 3.4 and 3.5 branches - CVE-2019-16869 on Netty",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/d3eb0dbea75ef5c400bd49dfa1901ad50be606cca3cb29e0d01b6a54@%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-dev] 20191001 Re: [VOTE] Apache ZooKeeper release 3.5.6 candidate 2",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/3e6d7aae1cca10257e3caf2d69b22f74c875f12a1314155af422569d@%3Cdev.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20191001 [jira] [Commented] (ZOOKEEPER-3563) dependency check failing on 3.4 and 3.5 branches - CVE-2019-16869 on Netty",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/37ed432b8eb35d8bd757f53783ec3e334bd51f514534432bea7f1c3d@%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-dev] 20191002 Re: [VOTE] Apache ZooKeeper release 3.5.6 candidate 2",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/bdf7a5e597346a75d2d884ca48c767525e35137ad59d8f10b8fc943c@%3Cdev.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-commits] 20191003 [zookeeper] branch branch-3.5 updated: ZOOKEEPER-3563: Update Netty to fix CVE-2019-16869",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/380f6d2730603a2cd6b0a8bea9bcb21a86c199147e77e448c5f7390b@%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-commits] 20191003 [zookeeper] branch master updated: ZOOKEEPER-3563: Update Netty to address CVE-2019-16869",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/cf5aa087632ead838f8ac3a42e9837684e7afe6e0fcb7704e0c73bc0@%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-commits] 20191003 [zookeeper] branch branch-3.5.6 updated: ZOOKEEPER-3563: Update Netty to fix CVE-2019-16869",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/cbf6e6a04cb37e9320ad20e437df63beeab1755fc0761918ed5c5a6e@%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20191003 [jira] [Commented] (ZOOKEEPER-3563) dependency check failing on 3.4 and 3.5 branches - CVE-2019-16869 on Netty",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/2e1cf538b502713c2c42ffa46d81f4688edb5676eb55bd9fc4b4fed7@%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20191008 [jira] [Resolved] (ZOOKEEPER-3563) dependency check failing on 3.4 and 3.5 branches - CVE-2019-16869 on Netty",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/a0f77c73af32cbe4ff0968bfcbbe80ae6361f3dccdd46f3177547266@%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20191008 [jira] [Commented] (ZOOKEEPER-3563) dependency check failing on 3.4 and 3.5 branches - CVE-2019-16869 on Netty",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/b2cd51795f938632c6f60a4c59d9e587fbacd7f7d0e0a3684850a30f@%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E"
},
{
"name": "[drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E"
},
{
"name": "[drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E"
},
{
"name": "[tinkerpop-commits] 20191022 [tinkerpop] branch tp34 updated: Bump to Netty 4.1.42 fixes CVE-2019-16869 - CTR",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/e192fe8797c192679759ffa6b15e4d0806546945a41d8ebfbc6ee3ac@%3Ccommits.tinkerpop.apache.org%3E"
},
{
"name": "[cassandra-commits] 20191113 [jira] [Created] (CASSANDRA-15417) CVE-2019-16869(Netty is vulnerable to HTTP Request Smuggling) of severity 7.5",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/d14f721e0099b914daebe29bca199fde85d8354253be9d6d3d46507a@%3Ccommits.cassandra.apache.org%3E"
},
{
"name": "[cassandra-commits] 20191113 [jira] [Created] (CASSANDRA-15418) CVE-2019-16869(Netty is vulnerable to HTTP Request Smuggling) of severity 7.5 for Cassendra 2.2.5",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/f6c5ebfb018787c764f000362d59e4b231c0a36b6253aa866de8c64e@%3Ccommits.cassandra.apache.org%3E"
},
{
"name": "RHSA-2019:3892",
"tags": [
"vendor-advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2019:3892"
},
{
"name": "[druid-commits] 20191115 [GitHub] [incubator-druid] ccaominh opened a new pull request #8878: Address security vulnerabilities",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe@%3Ccommits.druid.apache.org%3E"
},
{
"name": "RHSA-2019:3901",
"tags": [
"vendor-advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2019:3901"
},
{
"name": "[olingo-dev] 20191206 [jira] [Updated] (OLINGO-1414) Dependency check fails on 4.7.0 : CVE-2019-16869 on Netty",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/6063699b87b501ecca8dd3b0e82251bfc85f29363a9b46ac5ace80cf@%3Cdev.olingo.apache.org%3E"
},
{
"name": "[olingo-dev] 20191206 [jira] [Created] (OLINGO-1414) Dependency check fails on 4.7.0 : CVE-2019-16869 on Netty",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/d7d530599dc7813056c712213e367b68cdf56fb5c9b73f864870bc4c@%3Cdev.olingo.apache.org%3E"
},
{
"name": "[olingo-dev] 20191206 [jira] [Commented] (OLINGO-1414) Dependency check fails on 4.7.0 : CVE-2019-16869 on Netty",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/af6e9c2d716868606523857a4cd7a5ee506e6d1710f5fb0d567ec030@%3Cdev.olingo.apache.org%3E"
},
{
"name": "[olingo-dev] 20191206 [jira] [Assigned] (OLINGO-1414) Dependency check fails on 4.7.0 : CVE-2019-16869 on Netty",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/19fed892608db1efe5a5ce14372137669ff639df0205323959af7de3@%3Cdev.olingo.apache.org%3E"
},
{
"name": "[olingo-dev] 20191206 [jira] [Resolved] (OLINGO-1414) Dependency check fails on 4.7.0 : CVE-2019-16869 on Netty",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/b264fa5801e87698e9f43f2b5585fbc5ebdc26c6f4aad861b258fb69@%3Cdev.olingo.apache.org%3E"
},
{
"name": "[olingo-dev] 20191209 [jira] [Commented] (OLINGO-1414) Dependency check fails on 4.7.0 : CVE-2019-16869 on Netty",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/b3dda6399a0ea2b647624b899fd330fca81834e41b13e3e11e1002d8@%3Cdev.olingo.apache.org%3E"
},
{
"name": "[spark-issues] 20191219 [jira] [Updated] (SPARK-30308) Update Netty and Netty-all to address CVE-2019-16869",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/ee6faea9e542c0b90afd70297a9daa203e20d41aa2ac7fca6703662f@%3Cissues.spark.apache.org%3E"
},
{
"name": "[spark-issues] 20191219 [jira] [Created] (SPARK-30308) Update Netty and Netty-all to address CVE-2019-16869",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/860acce024d79837e963a51a42bab2cef8e8d017aad2b455ecd1dcf0@%3Cissues.spark.apache.org%3E"
},
{
"name": "[spark-issues] 20191219 [jira] [Commented] (SPARK-30308) Update Netty and Netty-all to address CVE-2019-16869",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/0acadfb96176768caac79b404110df62d14d30aa9d53b6dbdb1407ac@%3Cissues.spark.apache.org%3E"
},
{
"name": "[spark-issues] 20191220 [jira] [Resolved] (SPARK-30308) Update Netty and Netty-all to address CVE-2019-16869",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/51923a9ba513b2e816e02a9d1fd8aa6f12e3e4e99bbd9dc884bccbbe@%3Cissues.spark.apache.org%3E"
},
{
"name": "[spark-issues] 20191220 [jira] [Issue Comment Deleted] (SPARK-30308) Update Netty and Netty-all to address CVE-2019-16869",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/681493a2f9b63f5b468f741d88d1aa51b2cfcf7a1c5b74ea8c4343fb@%3Cissues.spark.apache.org%3E"
},
{
"name": "[spark-issues] 20191220 [jira] [Comment Edited] (SPARK-30308) Update Netty and Netty-all to address CVE-2019-16869",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/799eb85d67cbddc1851a3e63a07b55e95b2f44f1685225d38570ce89@%3Cissues.spark.apache.org%3E"
},
{
"name": "[spark-issues] 20191220 [jira] [Commented] (SPARK-30308) Update Netty and Netty-all to address CVE-2019-16869",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/64b10f49c68333aaecf00348c5670fe182e49fd60d45c4a3ab241f8b@%3Cissues.spark.apache.org%3E"
},
{
"name": "[spark-issues] 20191220 [jira] [Reopened] (SPARK-30308) Update Netty and Netty-all to address CVE-2019-16869",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/b3ddeebbfaf8a288d7de8ab2611cf2609ab76b9809f0633248546b7c@%3Cissues.spark.apache.org%3E"
},
{
"name": "[olingo-dev] 20191227 [jira] [Commented] (OLINGO-1414) Dependency check fails on 4.7.0 : CVE-2019-16869 on Netty",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/35961d1ae00849974353a932b4fef12ebce074541552eceefa04f1fd@%3Cdev.olingo.apache.org%3E"
},
{
"name": "DSA-4597",
"tags": [
"vendor-advisory"
],
"url": "https://www.debian.org/security/2020/dsa-4597"
},
{
"name": "20200105 [SECURITY] [DSA 4597-1] netty security update",
"tags": [
"mailing-list"
],
"url": "https://seclists.org/bugtraq/2020/Jan/6"
},
{
"name": "RHSA-2020:0164",
"tags": [
"vendor-advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2020:0164"
},
{
"name": "RHSA-2020:0159",
"tags": [
"vendor-advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2020:0159"
},
{
"name": "RHSA-2020:0160",
"tags": [
"vendor-advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2020:0160"
},
{
"name": "RHSA-2020:0161",
"tags": [
"vendor-advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2020:0161"
},
{
"name": "[druid-commits] 20200131 [GitHub] [druid] ccaominh commented on a change in pull request #9300: Fix / suppress netty CVEs CVE-2019-20445 and CVE-2019-20444",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/re45ee9256d3233c31d78e59ee59c7dc841c7fbd83d0769285b41e948@%3Ccommits.druid.apache.org%3E"
},
{
"name": "RHSA-2020:0445",
"tags": [
"vendor-advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2020:0445"
},
{
"name": "[cassandra-commits] 20200218 [jira] [Created] (CASSANDRA-15590) Upgrade io.netty_netty-all dependency to fix security vulnerabilities",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r959474dcf7f88565ed89f6252ca5a274419006cb71348f14764b183d@%3Ccommits.cassandra.apache.org%3E"
},
{
"name": "[hadoop-common-issues] 20200219 [jira] [Updated] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/rc7eb5634b71d284483e58665b22bf274a69bd184d9bd7ede52015d91@%3Ccommon-issues.hadoop.apache.org%3E"
},
{
"name": "[hadoop-common-issues] 20200219 [jira] [Updated] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r90030b0117490caed526e57271bf4d7f9b012091ac5083c895d16543@%3Ccommon-issues.hadoop.apache.org%3E"
},
{
"name": "[hadoop-common-issues] 20200219 [jira] [Assigned] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/re0b78a3d0a4ba2cf9f4e14e1d05040bde9051d5c78071177186336c9@%3Ccommon-issues.hadoop.apache.org%3E"
},
{
"name": "[debian-lts-announce] 20200219 [SECURITY] [DLA 2110-1] netty-3.9 security update",
"tags": [
"mailing-list"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/02/msg00018.html"
},
{
"name": "[hadoop-common-issues] 20200224 [jira] [Commented] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/re78eaef7d01ad65c370df30e45c686fffff00b37f7bfd78b26a08762@%3Ccommon-issues.hadoop.apache.org%3E"
},
{
"name": "[hadoop-common-issues] 20200225 [jira] [Commented] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r0c3d49bfdbc62fd3915676433cc5899c5506d06da1c552ef1b7923a5@%3Ccommon-issues.hadoop.apache.org%3E"
},
{
"name": "[hadoop-common-issues] 20200309 [jira] [Updated] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/rf2bf8e2eb0a03227f5bc100b544113f8cafea01e887bb068e8d1fa41@%3Ccommon-issues.hadoop.apache.org%3E"
},
{
"name": "[hadoop-common-issues] 20200309 [jira] [Commented] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/rb3361f6c6a5f834ad3db5e998c352760d393c0891b8d3bea90baa836@%3Ccommon-issues.hadoop.apache.org%3E"
},
{
"name": "[hadoop-common-commits] 20200309 [hadoop] branch trunk updated: HADOOP-16871. Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444, CVE-2019-16869",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r86befa74c5cd1482c711134104aec339bf7ae879f2c4437d7ec477d4@%3Ccommon-commits.hadoop.apache.org%3E"
},
{
"name": "[hadoop-common-commits] 20200309 [hadoop] branch branch-3.2 updated: HADOOP-16871. Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444, CVE-2019-16869",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/rdd5d243a5f8ed8b83c0104e321aa420e5e98792a95749e3c9a54c0b9@%3Ccommon-commits.hadoop.apache.org%3E"
},
{
"name": "[hadoop-common-commits] 20200309 [hadoop] branch branch-3.1 updated: HADOOP-16871. Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444, CVE-2019-16869",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/rcb2c59428f34d4757702f9ae739a8795bda7bea97b857e708a9c62c6@%3Ccommon-commits.hadoop.apache.org%3E"
},
{
"name": "[hadoop-common-issues] 20200310 [jira] [Commented] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r8402d67fdfe9cf169f859d52a7670b28a08eff31e54b522cc1432532@%3Ccommon-issues.hadoop.apache.org%3E"
},
{
"name": "[cassandra-commits] 20200604 [jira] [Created] (CASSANDRA-15856) Security vulnerabilities with dependency jars of Cassandra 3.11.6",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r4d3f1d3e333d9c2b2f6e6ae8ed8750d4de03410ac294bcd12c7eefa3@%3Ccommits.cassandra.apache.org%3E"
},
{
"name": "[debian-lts-announce] 20200904 [SECURITY] [DLA 2365-1] netty-3.9 security update",
"tags": [
"mailing-list"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/09/msg00004.html"
},
{
"name": "[flink-issues] 20200910 [jira] [Created] (FLINK-19195) question on security vulnerabilities in flink",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/raaac04b7567c554786132144bea3dcb72568edd410c1e6f0101742e7@%3Cissues.flink.apache.org%3E"
},
{
"name": "[flink-dev] 20200910 [jira] [Created] (FLINK-19195) question on security vulnerabilities in flink",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/rf5b2dfb7401666a19915f8eaef3ba9f5c3386e2066fcd2ae66e16a2f@%3Cdev.flink.apache.org%3E"
},
{
"name": "USN-4532-1",
"tags": [
"vendor-advisory"
],
"url": "https://usn.ubuntu.com/4532-1/"
},
{
"name": "[camel-commits] 20201120 [camel] branch camel-2.25.x updated: Updating Netty to 4.1.48.Final to fix some CVEs (e.g. CVE-2019-16869, CVE-2019-20444)",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r0aa8b28e76ec01c697b15e161e6797e88fc8d406ed762e253401106e@%3Ccommits.camel.apache.org%3E"
},
{
"name": "[pulsar-commits] 20201215 [GitHub] [pulsar] yanshuchong opened a new issue #8967: CVSS issue list",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26@%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[rocketmq-dev] 20201224 [GitHub] [rocketmq] crazywen opened a new pull request #2517: fix CVE-2019-16869, CVE-2018-8020",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r831e0548fad736a98140d0b3b7dc575af0c50faea0b266434ba813cc@%3Cdev.rocketmq.apache.org%3E"
},
{
"name": "[rocketmq-dev] 20201224 [GitHub] [rocketmq] coveralls commented on pull request #2517: fix CVE-2019-16869, CVE-2018-8020",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/rcddf723a4b4117f8ed6042e9ac25e8c5110a617bab77694b61b14833@%3Cdev.rocketmq.apache.org%3E"
},
{
"name": "[rocketmq-dev] 20201224 [GitHub] [rocketmq] codecov-io commented on pull request #2517: fix CVE-2019-16869, CVE-2018-8020",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/rb25b42f666d2cac5e6e6b3f771faf60d1f1aa58073dcdd8db14edf8a@%3Cdev.rocketmq.apache.org%3E"
},
{
"name": "[pulsar-commits] 20210120 [GitHub] [pulsar] fmiguelez opened a new issue #9249: Upgrade Netty dependency in broker to solve vulnerabilities: CVE-2019-16869, CVE-2020-11612, CVE-2019-20445, CVE-2019-20444",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r832724df393a7ef25ca4c7c2eb83ad2d6c21c74569acda5233f9f1ec@%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[pulsar-commits] 20210121 [GitHub] [pulsar] hpvd commented on issue #9249: Upgrade Netty dependency in broker to solve vulnerabilities: CVE-2019-16869, CVE-2020-11612, CVE-2019-20445, CVE-2019-20444",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r7790b9d99696d9eddce8a8c96f13bb68460984294ea6fea3800143e4@%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[pulsar-commits] 20210122 [GitHub] [pulsar] hpvd commented on issue #9249: Upgrade Netty dependency in broker to solve vulnerabilities: CVE-2019-16869, CVE-2020-11612, CVE-2019-20445, CVE-2019-20444",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/rdb69125652311d0c41f6066ff44072a3642cf33a4b5e3c4f9c1ec9c2@%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[cassandra-commits] 20210526 [jira] [Created] (CASSANDRA-16699) Security vulnerability CVE-2020-7238 for Netty",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/rc8d554aad889d12b140d9fd7d2d6fc2e8716e9792f6f4e4b2cdc2d05@%3Ccommits.cassandra.apache.org%3E"
},
{
"name": "[cassandra-commits] 20210526 [jira] [Updated] (CASSANDRA-16699) Security vulnerability CVE-2020-7238 for Netty",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r131e572d003914843552fa45c4398b9903fb74144986e8b107c0a3a7@%3Ccommits.cassandra.apache.org%3E"
},
{
"name": "[cassandra-commits] 20210924 [jira] [Commented] (CASSANDRA-15417) CVE-2019-16869(Netty is vulnerable to HTTP Request Smuggling) of severity 7.5",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r3225f7dfe6b8a37e800ecb8e31abd7ac6c4312dbd3223dd8139c37bb@%3Ccommits.cassandra.apache.org%3E"
},
{
"name": "[cassandra-commits] 20210924 [jira] [Updated] (CASSANDRA-15417) CVE-2019-16869(Netty is vulnerable to HTTP Request Smuggling) of severity 7.5",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r73c400ab66d79821dec9e3472f0e2c048d528672bdb0f8bf44d7cb1f@%3Ccommits.cassandra.apache.org%3E"
},
{
"url": "https://github.com/poc-effectiveness/PoCAdaptation/tree/main/Adapted/CVE-2019-16869/5.0.0.Alpha1/exploit"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-16869",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Netty before 4.1.42.Final mishandles whitespace before the colon in HTTP headers (such as a \"Transfer-Encoding : chunked\" line), which leads to HTTP request smuggling."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/netty/netty/issues/9571",
"refsource": "MISC",
"url": "https://github.com/netty/netty/issues/9571"
},
{
"name": "https://github.com/netty/netty/compare/netty-4.1.41.Final...netty-4.1.42.Final",
"refsource": "MISC",
"url": "https://github.com/netty/netty/compare/netty-4.1.41.Final...netty-4.1.42.Final"
},
{
"name": "[zookeeper-dev] 20190930 Re: [VOTE] Apache ZooKeeper release 3.5.6 candidate 2",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/e39931d7cdd17241e69a0a09a89d99d7435bcc59afee8a9628d67769@%3Cdev.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20190930 [jira] [Updated] (ZOOKEEPER-3563) dependency check failing on 3.4 and 3.5 branches - netty with CVE-2019-16869",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/6e1e34c0d5635a987d595df9e532edac212307243bb1b49eead6d55b@%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-dev] 20190930 [jira] [Created] (ZOOKEEPER-3563) dependency check failing on 3.4 and 3.5 branches - netty-3.10.6.Final.jar: CVE-2019-16869",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/2494a2ac7f66af6e4646a4937b17972a4ec7cd3c7333c66ffd6c639d@%3Cdev.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20190930 [jira] [Updated] (ZOOKEEPER-3563) dependency check failing on 3.4 and 3.5 branches - CVE-2019-16869 on Netty",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/76540c8b0ed761bfa6c81fa28c13057f13a5448aed079d656f6a3c79@%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20190930 [jira] [Created] (ZOOKEEPER-3563) dependency check failing on 3.4 and 3.5 branches - netty-3.10.6.Final.jar: CVE-2019-16869",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/9128111213b7b734ffc85db08d8f789b00a85a7f241b708e55debbd0@%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[debian-lts-announce] 20190930 [SECURITY] [DLA 1941-1] netty security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2019/09/msg00035.html"
},
{
"name": "[zookeeper-issues] 20190930 [jira] [Commented] (ZOOKEEPER-3563) dependency check failing on 3.4 and 3.5 branches - CVE-2019-16869 on Netty",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/d3eb0dbea75ef5c400bd49dfa1901ad50be606cca3cb29e0d01b6a54@%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-dev] 20191001 Re: [VOTE] Apache ZooKeeper release 3.5.6 candidate 2",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/3e6d7aae1cca10257e3caf2d69b22f74c875f12a1314155af422569d@%3Cdev.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20191001 [jira] [Commented] (ZOOKEEPER-3563) dependency check failing on 3.4 and 3.5 branches - CVE-2019-16869 on Netty",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/37ed432b8eb35d8bd757f53783ec3e334bd51f514534432bea7f1c3d@%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-dev] 20191002 Re: [VOTE] Apache ZooKeeper release 3.5.6 candidate 2",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/bdf7a5e597346a75d2d884ca48c767525e35137ad59d8f10b8fc943c@%3Cdev.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-commits] 20191003 [zookeeper] branch branch-3.5 updated: ZOOKEEPER-3563: Update Netty to fix CVE-2019-16869",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/380f6d2730603a2cd6b0a8bea9bcb21a86c199147e77e448c5f7390b@%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-commits] 20191003 [zookeeper] branch master updated: ZOOKEEPER-3563: Update Netty to address CVE-2019-16869",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/cf5aa087632ead838f8ac3a42e9837684e7afe6e0fcb7704e0c73bc0@%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-commits] 20191003 [zookeeper] branch branch-3.5.6 updated: ZOOKEEPER-3563: Update Netty to fix CVE-2019-16869",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/cbf6e6a04cb37e9320ad20e437df63beeab1755fc0761918ed5c5a6e@%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20191003 [jira] [Commented] (ZOOKEEPER-3563) dependency check failing on 3.4 and 3.5 branches - CVE-2019-16869 on Netty",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/2e1cf538b502713c2c42ffa46d81f4688edb5676eb55bd9fc4b4fed7@%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20191008 [jira] [Resolved] (ZOOKEEPER-3563) dependency check failing on 3.4 and 3.5 branches - CVE-2019-16869 on Netty",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/a0f77c73af32cbe4ff0968bfcbbe80ae6361f3dccdd46f3177547266@%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20191008 [jira] [Commented] (ZOOKEEPER-3563) dependency check failing on 3.4 and 3.5 branches - CVE-2019-16869 on Netty",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/b2cd51795f938632c6f60a4c59d9e587fbacd7f7d0e0a3684850a30f@%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E"
},
{
"name": "[drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E"
},
{
"name": "[drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E"
},
{
"name": "[tinkerpop-commits] 20191022 [tinkerpop] branch tp34 updated: Bump to Netty 4.1.42 fixes CVE-2019-16869 - CTR",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/e192fe8797c192679759ffa6b15e4d0806546945a41d8ebfbc6ee3ac@%3Ccommits.tinkerpop.apache.org%3E"
},
{
"name": "[cassandra-commits] 20191113 [jira] [Created] (CASSANDRA-15417) CVE-2019-16869(Netty is vulnerable to HTTP Request Smuggling) of severity 7.5",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/d14f721e0099b914daebe29bca199fde85d8354253be9d6d3d46507a@%3Ccommits.cassandra.apache.org%3E"
},
{
"name": "[cassandra-commits] 20191113 [jira] [Created] (CASSANDRA-15418) CVE-2019-16869(Netty is vulnerable to HTTP Request Smuggling) of severity 7.5 for Cassendra 2.2.5",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/f6c5ebfb018787c764f000362d59e4b231c0a36b6253aa866de8c64e@%3Ccommits.cassandra.apache.org%3E"
},
{
"name": "RHSA-2019:3892",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2019:3892"
},
{
"name": "[druid-commits] 20191115 [GitHub] [incubator-druid] ccaominh opened a new pull request #8878: Address security vulnerabilities",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe@%3Ccommits.druid.apache.org%3E"
},
{
"name": "RHSA-2019:3901",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2019:3901"
},
{
"name": "[olingo-dev] 20191206 [jira] [Updated] (OLINGO-1414) Dependency check fails on 4.7.0 : CVE-2019-16869 on Netty",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/6063699b87b501ecca8dd3b0e82251bfc85f29363a9b46ac5ace80cf@%3Cdev.olingo.apache.org%3E"
},
{
"name": "[olingo-dev] 20191206 [jira] [Created] (OLINGO-1414) Dependency check fails on 4.7.0 : CVE-2019-16869 on Netty",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/d7d530599dc7813056c712213e367b68cdf56fb5c9b73f864870bc4c@%3Cdev.olingo.apache.org%3E"
},
{
"name": "[olingo-dev] 20191206 [jira] [Commented] (OLINGO-1414) Dependency check fails on 4.7.0 : CVE-2019-16869 on Netty",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/af6e9c2d716868606523857a4cd7a5ee506e6d1710f5fb0d567ec030@%3Cdev.olingo.apache.org%3E"
},
{
"name": "[olingo-dev] 20191206 [jira] [Assigned] (OLINGO-1414) Dependency check fails on 4.7.0 : CVE-2019-16869 on Netty",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/19fed892608db1efe5a5ce14372137669ff639df0205323959af7de3@%3Cdev.olingo.apache.org%3E"
},
{
"name": "[olingo-dev] 20191206 [jira] [Resolved] (OLINGO-1414) Dependency check fails on 4.7.0 : CVE-2019-16869 on Netty",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/b264fa5801e87698e9f43f2b5585fbc5ebdc26c6f4aad861b258fb69@%3Cdev.olingo.apache.org%3E"
},
{
"name": "[olingo-dev] 20191209 [jira] [Commented] (OLINGO-1414) Dependency check fails on 4.7.0 : CVE-2019-16869 on Netty",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/b3dda6399a0ea2b647624b899fd330fca81834e41b13e3e11e1002d8@%3Cdev.olingo.apache.org%3E"
},
{
"name": "[spark-issues] 20191219 [jira] [Updated] (SPARK-30308) Update Netty and Netty-all to address CVE-2019-16869",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/ee6faea9e542c0b90afd70297a9daa203e20d41aa2ac7fca6703662f@%3Cissues.spark.apache.org%3E"
},
{
"name": "[spark-issues] 20191219 [jira] [Created] (SPARK-30308) Update Netty and Netty-all to address CVE-2019-16869",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/860acce024d79837e963a51a42bab2cef8e8d017aad2b455ecd1dcf0@%3Cissues.spark.apache.org%3E"
},
{
"name": "[spark-issues] 20191219 [jira] [Commented] (SPARK-30308) Update Netty and Netty-all to address CVE-2019-16869",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/0acadfb96176768caac79b404110df62d14d30aa9d53b6dbdb1407ac@%3Cissues.spark.apache.org%3E"
},
{
"name": "[spark-issues] 20191220 [jira] [Resolved] (SPARK-30308) Update Netty and Netty-all to address CVE-2019-16869",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/51923a9ba513b2e816e02a9d1fd8aa6f12e3e4e99bbd9dc884bccbbe@%3Cissues.spark.apache.org%3E"
},
{
"name": "[spark-issues] 20191220 [jira] [Issue Comment Deleted] (SPARK-30308) Update Netty and Netty-all to address CVE-2019-16869",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/681493a2f9b63f5b468f741d88d1aa51b2cfcf7a1c5b74ea8c4343fb@%3Cissues.spark.apache.org%3E"
},
{
"name": "[spark-issues] 20191220 [jira] [Comment Edited] (SPARK-30308) Update Netty and Netty-all to address CVE-2019-16869",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/799eb85d67cbddc1851a3e63a07b55e95b2f44f1685225d38570ce89@%3Cissues.spark.apache.org%3E"
},
{
"name": "[spark-issues] 20191220 [jira] [Commented] (SPARK-30308) Update Netty and Netty-all to address CVE-2019-16869",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/64b10f49c68333aaecf00348c5670fe182e49fd60d45c4a3ab241f8b@%3Cissues.spark.apache.org%3E"
},
{
"name": "[spark-issues] 20191220 [jira] [Reopened] (SPARK-30308) Update Netty and Netty-all to address CVE-2019-16869",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/b3ddeebbfaf8a288d7de8ab2611cf2609ab76b9809f0633248546b7c@%3Cissues.spark.apache.org%3E"
},
{
"name": "[olingo-dev] 20191227 [jira] [Commented] (OLINGO-1414) Dependency check fails on 4.7.0 : CVE-2019-16869 on Netty",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/35961d1ae00849974353a932b4fef12ebce074541552eceefa04f1fd@%3Cdev.olingo.apache.org%3E"
},
{
"name": "DSA-4597",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2020/dsa-4597"
},
{
"name": "20200105 [SECURITY] [DSA 4597-1] netty security update",
"refsource": "BUGTRAQ",
"url": "https://seclists.org/bugtraq/2020/Jan/6"
},
{
"name": "RHSA-2020:0164",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2020:0164"
},
{
"name": "RHSA-2020:0159",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2020:0159"
},
{
"name": "RHSA-2020:0160",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2020:0160"
},
{
"name": "RHSA-2020:0161",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2020:0161"
},
{
"name": "[druid-commits] 20200131 [GitHub] [druid] ccaominh commented on a change in pull request #9300: Fix / suppress netty CVEs CVE-2019-20445 and CVE-2019-20444",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/re45ee9256d3233c31d78e59ee59c7dc841c7fbd83d0769285b41e948@%3Ccommits.druid.apache.org%3E"
},
{
"name": "RHSA-2020:0445",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2020:0445"
},
{
"name": "[cassandra-commits] 20200218 [jira] [Created] (CASSANDRA-15590) Upgrade io.netty_netty-all dependency to fix security vulnerabilities",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r959474dcf7f88565ed89f6252ca5a274419006cb71348f14764b183d@%3Ccommits.cassandra.apache.org%3E"
},
{
"name": "[hadoop-common-issues] 20200219 [jira] [Updated] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rc7eb5634b71d284483e58665b22bf274a69bd184d9bd7ede52015d91@%3Ccommon-issues.hadoop.apache.org%3E"
},
{
"name": "[hadoop-common-issues] 20200219 [jira] [Updated] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r90030b0117490caed526e57271bf4d7f9b012091ac5083c895d16543@%3Ccommon-issues.hadoop.apache.org%3E"
},
{
"name": "[hadoop-common-issues] 20200219 [jira] [Assigned] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/re0b78a3d0a4ba2cf9f4e14e1d05040bde9051d5c78071177186336c9@%3Ccommon-issues.hadoop.apache.org%3E"
},
{
"name": "[debian-lts-announce] 20200219 [SECURITY] [DLA 2110-1] netty-3.9 security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2020/02/msg00018.html"
},
{
"name": "[hadoop-common-issues] 20200224 [jira] [Commented] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/re78eaef7d01ad65c370df30e45c686fffff00b37f7bfd78b26a08762@%3Ccommon-issues.hadoop.apache.org%3E"
},
{
"name": "[hadoop-common-issues] 20200225 [jira] [Commented] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r0c3d49bfdbc62fd3915676433cc5899c5506d06da1c552ef1b7923a5@%3Ccommon-issues.hadoop.apache.org%3E"
},
{
"name": "[hadoop-common-issues] 20200309 [jira] [Updated] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rf2bf8e2eb0a03227f5bc100b544113f8cafea01e887bb068e8d1fa41@%3Ccommon-issues.hadoop.apache.org%3E"
},
{
"name": "[hadoop-common-issues] 20200309 [jira] [Commented] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rb3361f6c6a5f834ad3db5e998c352760d393c0891b8d3bea90baa836@%3Ccommon-issues.hadoop.apache.org%3E"
},
{
"name": "[hadoop-common-commits] 20200309 [hadoop] branch trunk updated: HADOOP-16871. Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444, CVE-2019-16869",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r86befa74c5cd1482c711134104aec339bf7ae879f2c4437d7ec477d4@%3Ccommon-commits.hadoop.apache.org%3E"
},
{
"name": "[hadoop-common-commits] 20200309 [hadoop] branch branch-3.2 updated: HADOOP-16871. Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444, CVE-2019-16869",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rdd5d243a5f8ed8b83c0104e321aa420e5e98792a95749e3c9a54c0b9@%3Ccommon-commits.hadoop.apache.org%3E"
},
{
"name": "[hadoop-common-commits] 20200309 [hadoop] branch branch-3.1 updated: HADOOP-16871. Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444, CVE-2019-16869",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rcb2c59428f34d4757702f9ae739a8795bda7bea97b857e708a9c62c6@%3Ccommon-commits.hadoop.apache.org%3E"
},
{
"name": "[hadoop-common-issues] 20200310 [jira] [Commented] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r8402d67fdfe9cf169f859d52a7670b28a08eff31e54b522cc1432532@%3Ccommon-issues.hadoop.apache.org%3E"
},
{
"name": "[cassandra-commits] 20200604 [jira] [Created] (CASSANDRA-15856) Security vulnerabilities with dependency jars of Cassandra 3.11.6",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r4d3f1d3e333d9c2b2f6e6ae8ed8750d4de03410ac294bcd12c7eefa3@%3Ccommits.cassandra.apache.org%3E"
},
{
"name": "[debian-lts-announce] 20200904 [SECURITY] [DLA 2365-1] netty-3.9 security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2020/09/msg00004.html"
},
{
"name": "[flink-issues] 20200910 [jira] [Created] (FLINK-19195) question on security vulnerabilities in flink",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/raaac04b7567c554786132144bea3dcb72568edd410c1e6f0101742e7@%3Cissues.flink.apache.org%3E"
},
{
"name": "[flink-dev] 20200910 [jira] [Created] (FLINK-19195) question on security vulnerabilities in flink",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rf5b2dfb7401666a19915f8eaef3ba9f5c3386e2066fcd2ae66e16a2f@%3Cdev.flink.apache.org%3E"
},
{
"name": "USN-4532-1",
"refsource": "UBUNTU",
"url": "https://usn.ubuntu.com/4532-1/"
},
{
"name": "[camel-commits] 20201120 [camel] branch camel-2.25.x updated: Updating Netty to 4.1.48.Final to fix some CVEs (e.g. CVE-2019-16869, CVE-2019-20444)",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r0aa8b28e76ec01c697b15e161e6797e88fc8d406ed762e253401106e@%3Ccommits.camel.apache.org%3E"
},
{
"name": "[pulsar-commits] 20201215 [GitHub] [pulsar] yanshuchong opened a new issue #8967: CVSS issue list",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26@%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[rocketmq-dev] 20201224 [GitHub] [rocketmq] crazywen opened a new pull request #2517: fix CVE-2019-16869, CVE-2018-8020",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r831e0548fad736a98140d0b3b7dc575af0c50faea0b266434ba813cc@%3Cdev.rocketmq.apache.org%3E"
},
{
"name": "[rocketmq-dev] 20201224 [GitHub] [rocketmq] coveralls commented on pull request #2517: fix CVE-2019-16869, CVE-2018-8020",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rcddf723a4b4117f8ed6042e9ac25e8c5110a617bab77694b61b14833@%3Cdev.rocketmq.apache.org%3E"
},
{
"name": "[rocketmq-dev] 20201224 [GitHub] [rocketmq] codecov-io commented on pull request #2517: fix CVE-2019-16869, CVE-2018-8020",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rb25b42f666d2cac5e6e6b3f771faf60d1f1aa58073dcdd8db14edf8a@%3Cdev.rocketmq.apache.org%3E"
},
{
"name": "[pulsar-commits] 20210120 [GitHub] [pulsar] fmiguelez opened a new issue #9249: Upgrade Netty dependency in broker to solve vulnerabilities: CVE-2019-16869, CVE-2020-11612, CVE-2019-20445, CVE-2019-20444",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r832724df393a7ef25ca4c7c2eb83ad2d6c21c74569acda5233f9f1ec@%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[pulsar-commits] 20210121 [GitHub] [pulsar] hpvd commented on issue #9249: Upgrade Netty dependency in broker to solve vulnerabilities: CVE-2019-16869, CVE-2020-11612, CVE-2019-20445, CVE-2019-20444",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r7790b9d99696d9eddce8a8c96f13bb68460984294ea6fea3800143e4@%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[pulsar-commits] 20210122 [GitHub] [pulsar] hpvd commented on issue #9249: Upgrade Netty dependency in broker to solve vulnerabilities: CVE-2019-16869, CVE-2020-11612, CVE-2019-20445, CVE-2019-20444",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rdb69125652311d0c41f6066ff44072a3642cf33a4b5e3c4f9c1ec9c2@%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[cassandra-commits] 20210526 [jira] [Created] (CASSANDRA-16699) Security vulnerability CVE-2020-7238 for Netty",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rc8d554aad889d12b140d9fd7d2d6fc2e8716e9792f6f4e4b2cdc2d05@%3Ccommits.cassandra.apache.org%3E"
},
{
"name": "[cassandra-commits] 20210526 [jira] [Updated] (CASSANDRA-16699) Security vulnerability CVE-2020-7238 for Netty",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r131e572d003914843552fa45c4398b9903fb74144986e8b107c0a3a7@%3Ccommits.cassandra.apache.org%3E"
},
{
"name": "[cassandra-commits] 20210924 [jira] [Commented] (CASSANDRA-15417) CVE-2019-16869(Netty is vulnerable to HTTP Request Smuggling) of severity 7.5",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r3225f7dfe6b8a37e800ecb8e31abd7ac6c4312dbd3223dd8139c37bb@%3Ccommits.cassandra.apache.org%3E"
},
{
"name": "[cassandra-commits] 20210924 [jira] [Updated] (CASSANDRA-15417) CVE-2019-16869(Netty is vulnerable to HTTP Request Smuggling) of severity 7.5",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r73c400ab66d79821dec9e3472f0e2c048d528672bdb0f8bf44d7cb1f@%3Ccommits.cassandra.apache.org%3E"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-16869",
"datePublished": "2019-09-26T15:28:25.000Z",
"dateReserved": "2019-09-25T00:00:00.000Z",
"dateUpdated": "2025-07-07T16:57:29.928Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-22696 (GCVE-0-2021-22696)
Vulnerability from cvelistv5
Published
2021-04-02 10:05
Modified
2025-02-13 16:27
Severity ?
VLAI Severity ?
EPSS score ?
Summary
CXF supports (via JwtRequestCodeFilter) passing OAuth 2 parameters via a JWT token as opposed to query parameters (see: The OAuth 2.0 Authorization Framework: JWT Secured Authorization Request (JAR)). Instead of sending a JWT token as a "request" parameter, the spec also supports specifying a URI from which to retrieve a JWT token from via the "request_uri" parameter. CXF was not validating the "request_uri" parameter (apart from ensuring it uses "https) and was making a REST request to the parameter in the request to retrieve a token. This means that CXF was vulnerable to DDos attacks on the authorization server, as specified in section 10.4.1 of the spec. This issue affects Apache CXF versions prior to 3.4.3; Apache CXF versions prior to 3.3.10.
References
| ► | URL | Tags | |||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache CXF |
Version: unspecified < 3.4.3 Version: unspecified < 3.3.10 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T18:51:07.452Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://cxf.apache.org/security-advisories.data/CVE-2021-22696.txt.asc"
},
{
"name": "[cxf-dev] 20210402 CVE-2021-22696: OAuth 2 authorization service vulnerable to DDos attacks",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r8651c06212c56294a1c0ea61a5ad7790c06502209c03f05c0c7c9914%40%3Cdev.cxf.apache.org%3E"
},
{
"name": "[oss-security] 20210402 CVE-2021-22696: Apache CXF: OAuth 2 authorization service vulnerable to DDos attacks",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2021/04/02/2"
},
{
"name": "[cxf-users] 20210402 CVE-2021-22696: OAuth 2 authorization service vulnerable to DDos attacks",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r8651c06212c56294a1c0ea61a5ad7790c06502209c03f05c0c7c9914%40%3Cusers.cxf.apache.org%3E"
},
{
"name": "[cxf-commits] 20210402 svn commit: r1073270 - in /websites/production/cxf/content: cache/main.pageCache security-advisories.data/CVE-2021-22696.txt.asc security-advisories.html",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4%40%3Ccommits.cxf.apache.org%3E"
},
{
"name": "[announce] 20210402 [Apache CXF] CVE-2021-22696: OAuth 2 authorization service vulnerable to DDos attacks",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r6445001cc5f9a2bb1e6316993753306e054bdd1d702656b7cbe59045%40%3Cannounce.apache.org%3E"
},
{
"name": "[cxf-commits] 20210616 svn commit: r1075801 - in /websites/production/cxf/content: cache/main.pageCache index.html security-advisories.data/CVE-2021-30468.txt.asc security-advisories.html",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e%40%3Ccommits.cxf.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache CXF",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "3.4.3",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "3.3.10",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "CXF supports (via JwtRequestCodeFilter) passing OAuth 2 parameters via a JWT token as opposed to query parameters (see: The OAuth 2.0 Authorization Framework: JWT Secured Authorization Request (JAR)). Instead of sending a JWT token as a \"request\" parameter, the spec also supports specifying a URI from which to retrieve a JWT token from via the \"request_uri\" parameter. CXF was not validating the \"request_uri\" parameter (apart from ensuring it uses \"https) and was making a REST request to the parameter in the request to retrieve a token. This means that CXF was vulnerable to DDos attacks on the authorization server, as specified in section 10.4.1 of the spec. This issue affects Apache CXF versions prior to 3.4.3; Apache CXF versions prior to 3.3.10."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400 Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-03T18:51:32.000Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://cxf.apache.org/security-advisories.data/CVE-2021-22696.txt.asc"
},
{
"name": "[cxf-dev] 20210402 CVE-2021-22696: OAuth 2 authorization service vulnerable to DDos attacks",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r8651c06212c56294a1c0ea61a5ad7790c06502209c03f05c0c7c9914%40%3Cdev.cxf.apache.org%3E"
},
{
"name": "[oss-security] 20210402 CVE-2021-22696: Apache CXF: OAuth 2 authorization service vulnerable to DDos attacks",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2021/04/02/2"
},
{
"name": "[cxf-users] 20210402 CVE-2021-22696: OAuth 2 authorization service vulnerable to DDos attacks",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r8651c06212c56294a1c0ea61a5ad7790c06502209c03f05c0c7c9914%40%3Cusers.cxf.apache.org%3E"
},
{
"name": "[cxf-commits] 20210402 svn commit: r1073270 - in /websites/production/cxf/content: cache/main.pageCache security-advisories.data/CVE-2021-22696.txt.asc security-advisories.html",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4%40%3Ccommits.cxf.apache.org%3E"
},
{
"name": "[announce] 20210402 [Apache CXF] CVE-2021-22696: OAuth 2 authorization service vulnerable to DDos attacks",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r6445001cc5f9a2bb1e6316993753306e054bdd1d702656b7cbe59045%40%3Cannounce.apache.org%3E"
},
{
"name": "[cxf-commits] 20210616 svn commit: r1075801 - in /websites/production/cxf/content: cache/main.pageCache index.html security-advisories.data/CVE-2021-30468.txt.asc security-advisories.html",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e%40%3Ccommits.cxf.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "OAuth 2 authorization service vulnerable to DDos attacks",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2021-22696",
"STATE": "PUBLIC",
"TITLE": "OAuth 2 authorization service vulnerable to DDos attacks"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache CXF",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "3.4.3"
},
{
"version_affected": "\u003c",
"version_value": "3.3.10"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "CXF supports (via JwtRequestCodeFilter) passing OAuth 2 parameters via a JWT token as opposed to query parameters (see: The OAuth 2.0 Authorization Framework: JWT Secured Authorization Request (JAR)). Instead of sending a JWT token as a \"request\" parameter, the spec also supports specifying a URI from which to retrieve a JWT token from via the \"request_uri\" parameter. CXF was not validating the \"request_uri\" parameter (apart from ensuring it uses \"https) and was making a REST request to the parameter in the request to retrieve a token. This means that CXF was vulnerable to DDos attacks on the authorization server, as specified in section 10.4.1 of the spec. This issue affects Apache CXF versions prior to 3.4.3; Apache CXF versions prior to 3.3.10."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-918 Server-Side Request Forgery (SSRF)"
}
]
},
{
"description": [
{
"lang": "eng",
"value": "CWE-400 Uncontrolled Resource Consumption"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://cxf.apache.org/security-advisories.data/CVE-2021-22696.txt.asc",
"refsource": "MISC",
"url": "https://cxf.apache.org/security-advisories.data/CVE-2021-22696.txt.asc"
},
{
"name": "[cxf-dev] 20210402 CVE-2021-22696: OAuth 2 authorization service vulnerable to DDos attacks",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r8651c06212c56294a1c0ea61a5ad7790c06502209c03f05c0c7c9914@%3Cdev.cxf.apache.org%3E"
},
{
"name": "[oss-security] 20210402 CVE-2021-22696: Apache CXF: OAuth 2 authorization service vulnerable to DDos attacks",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2021/04/02/2"
},
{
"name": "[cxf-users] 20210402 CVE-2021-22696: OAuth 2 authorization service vulnerable to DDos attacks",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r8651c06212c56294a1c0ea61a5ad7790c06502209c03f05c0c7c9914@%3Cusers.cxf.apache.org%3E"
},
{
"name": "[cxf-commits] 20210402 svn commit: r1073270 - in /websites/production/cxf/content: cache/main.pageCache security-advisories.data/CVE-2021-22696.txt.asc security-advisories.html",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4@%3Ccommits.cxf.apache.org%3E"
},
{
"name": "[announce] 20210402 [Apache CXF] CVE-2021-22696: OAuth 2 authorization service vulnerable to DDos attacks",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r6445001cc5f9a2bb1e6316993753306e054bdd1d702656b7cbe59045@%3Cannounce.apache.org%3E"
},
{
"name": "[cxf-commits] 20210616 svn commit: r1075801 - in /websites/production/cxf/content: cache/main.pageCache index.html security-advisories.data/CVE-2021-30468.txt.asc security-advisories.html",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e@%3Ccommits.cxf.apache.org%3E"
},
{
"name": "https://www.oracle.com/security-alerts/cpuoct2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpuapr2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2021-22696",
"datePublished": "2021-04-02T10:05:14.000Z",
"dateReserved": "2021-01-06T00:00:00.000Z",
"dateUpdated": "2025-02-13T16:27:45.767Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-10683 (GCVE-0-2020-10683)
Vulnerability from cvelistv5
Published
2020-05-01 18:55
Modified
2024-08-04 11:06
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
dom4j before 2.0.3 and 2.1.x before 2.1.3 allows external DTDs and External Entities by default, which might enable XXE attacks. However, there is popular external documentation from OWASP showing how to enable the safe, non-default behavior in any application that uses dom4j.
References
| ► | URL | Tags | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T11:06:11.156Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "openSUSE-SU-2020:0719",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00061.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujul2020.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1694235"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/dom4j/dom4j/releases/tag/version-2.1.3"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/dom4j/dom4j/commit/a8228522a99a02146106672a34c104adbda5c658"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20200518-0002/"
},
{
"name": "USN-4575-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "https://usn.ubuntu.com/4575-1/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/dom4j/dom4j/issues/87"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/dom4j/dom4j/commits/version-2.0.3"
},
{
"name": "[velocity-dev] 20201203 Use of external DTDs - CVE-2020-10683",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r51f3f9801058e47153c0ad9bc6209d57a592fc0e7aefd787760911b8%40%3Cdev.velocity.apache.org%3E"
},
{
"name": "[velocity-dev] 20201203 Re: Use of external DTDs - CVE-2020-10683",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r91c64cd51e68e97d524395474eaa25362d564572276b9917fcbf5c32%40%3Cdev.velocity.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujan2021.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"name": "[freemarker-notifications] 20210906 [jira] [Created] (FREEMARKER-190) The jar dom4j has known security issue that Freemarker compiles dependend on it",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rb1b990d7920ae0d50da5109b73b92bab736d46c9788dd4b135cb1a51%40%3Cnotifications.freemarker.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2020-04-12T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "dom4j before 2.0.3 and 2.1.x before 2.1.3 allows external DTDs and External Entities by default, which might enable XXE attacks. However, there is popular external documentation from OWASP showing how to enable the safe, non-default behavior in any application that uses dom4j."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-25T16:13:36",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "openSUSE-SU-2020:0719",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00061.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujul2020.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1694235"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/dom4j/dom4j/releases/tag/version-2.1.3"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/dom4j/dom4j/commit/a8228522a99a02146106672a34c104adbda5c658"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20200518-0002/"
},
{
"name": "USN-4575-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU"
],
"url": "https://usn.ubuntu.com/4575-1/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/dom4j/dom4j/issues/87"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/dom4j/dom4j/commits/version-2.0.3"
},
{
"name": "[velocity-dev] 20201203 Use of external DTDs - CVE-2020-10683",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r51f3f9801058e47153c0ad9bc6209d57a592fc0e7aefd787760911b8%40%3Cdev.velocity.apache.org%3E"
},
{
"name": "[velocity-dev] 20201203 Re: Use of external DTDs - CVE-2020-10683",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r91c64cd51e68e97d524395474eaa25362d564572276b9917fcbf5c32%40%3Cdev.velocity.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujan2021.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"name": "[freemarker-notifications] 20210906 [jira] [Created] (FREEMARKER-190) The jar dom4j has known security issue that Freemarker compiles dependend on it",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rb1b990d7920ae0d50da5109b73b92bab736d46c9788dd4b135cb1a51%40%3Cnotifications.freemarker.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-10683",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "dom4j before 2.0.3 and 2.1.x before 2.1.3 allows external DTDs and External Entities by default, which might enable XXE attacks. However, there is popular external documentation from OWASP showing how to enable the safe, non-default behavior in any application that uses dom4j."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "openSUSE-SU-2020:0719",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00061.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpujul2020.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujul2020.html"
},
{
"name": "https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html",
"refsource": "MISC",
"url": "https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html"
},
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=1694235",
"refsource": "MISC",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1694235"
},
{
"name": "https://github.com/dom4j/dom4j/releases/tag/version-2.1.3",
"refsource": "CONFIRM",
"url": "https://github.com/dom4j/dom4j/releases/tag/version-2.1.3"
},
{
"name": "https://github.com/dom4j/dom4j/commit/a8228522a99a02146106672a34c104adbda5c658",
"refsource": "CONFIRM",
"url": "https://github.com/dom4j/dom4j/commit/a8228522a99a02146106672a34c104adbda5c658"
},
{
"name": "https://security.netapp.com/advisory/ntap-20200518-0002/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20200518-0002/"
},
{
"name": "USN-4575-1",
"refsource": "UBUNTU",
"url": "https://usn.ubuntu.com/4575-1/"
},
{
"name": "https://www.oracle.com/security-alerts/cpuoct2020.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
},
{
"name": "https://github.com/dom4j/dom4j/issues/87",
"refsource": "MISC",
"url": "https://github.com/dom4j/dom4j/issues/87"
},
{
"name": "https://github.com/dom4j/dom4j/commits/version-2.0.3",
"refsource": "MISC",
"url": "https://github.com/dom4j/dom4j/commits/version-2.0.3"
},
{
"name": "[velocity-dev] 20201203 Use of external DTDs - CVE-2020-10683",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r51f3f9801058e47153c0ad9bc6209d57a592fc0e7aefd787760911b8@%3Cdev.velocity.apache.org%3E"
},
{
"name": "[velocity-dev] 20201203 Re: Use of external DTDs - CVE-2020-10683",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r91c64cd51e68e97d524395474eaa25362d564572276b9917fcbf5c32@%3Cdev.velocity.apache.org%3E"
},
{
"name": "https://www.oracle.com/security-alerts/cpujan2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujan2021.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpuApr2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"name": "https://www.oracle.com//security-alerts/cpujul2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"name": "[freemarker-notifications] 20210906 [jira] [Created] (FREEMARKER-190) The jar dom4j has known security issue that Freemarker compiles dependend on it",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rb1b990d7920ae0d50da5109b73b92bab736d46c9788dd4b135cb1a51@%3Cnotifications.freemarker.apache.org%3E"
},
{
"name": "https://www.oracle.com/security-alerts/cpuoct2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpujan2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpujul2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-10683",
"datePublished": "2020-05-01T18:55:25",
"dateReserved": "2020-03-20T00:00:00",
"dateUpdated": "2024-08-04T11:06:11.156Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-3690 (GCVE-0-2021-3690)
Vulnerability from cvelistv5
Published
2022-08-23 15:50
Modified
2024-08-03 17:01
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-400 - - Uncontrolled Resource Consumption
Summary
A flaw was found in Undertow. A buffer leak on the incoming WebSocket PONG message may lead to memory exhaustion. This flaw allows an attacker to cause a denial of service. The highest threat from this vulnerability is availability.
References
| ► | URL | Tags | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T17:01:08.307Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://issues.redhat.com/browse/UNDERTOW-1935"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1991299"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://access.redhat.com/security/cve/CVE-2021-3690"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/undertow-io/undertow/commit/c7e84a0b7efced38506d7d1dfea5902366973877"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "undertow",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Fixed in 2.2.10.Final, 2.0.40.Final"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in Undertow. A buffer leak on the incoming WebSocket PONG message may lead to memory exhaustion. This flaw allows an attacker to cause a denial of service. The highest threat from this vulnerability is availability."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400 - Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-08-23T15:50:35",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://issues.redhat.com/browse/UNDERTOW-1935"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1991299"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://access.redhat.com/security/cve/CVE-2021-3690"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/undertow-io/undertow/commit/c7e84a0b7efced38506d7d1dfea5902366973877"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2021-3690",
"datePublished": "2022-08-23T15:50:35",
"dateReserved": "2021-08-09T00:00:00",
"dateUpdated": "2024-08-03T17:01:08.307Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-40152 (GCVE-0-2022-40152)
Vulnerability from cvelistv5
Published
2022-09-16 10:00
Modified
2025-04-21 13:49
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-121 - Stack-based Buffer Overflow
Summary
Those using Woodstox to parse XML data may be vulnerable to Denial of Service attacks (DOS) if DTD support is enabled. If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of service attack.
References
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T12:14:39.628Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/x-stream/xstream/issues/304"
},
{
"tags": [
"x_transferred"
],
"url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47434"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-40152",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-21T13:39:21.316042Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-21T13:49:26.700Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Woodstox",
"vendor": "xstream",
"versions": [
{
"lessThan": "6.4.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "5.4.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2022-08-11T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Those using Woodstox to parse XML data may be vulnerable to Denial of Service attacks (DOS) if DTD support is enabled. If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of service attack."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-121",
"description": "CWE-121 Stack-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-11-25T00:00:00.000Z",
"orgId": "14ed7db2-1595-443d-9d34-6215bf890778",
"shortName": "Google"
},
"references": [
{
"url": "https://github.com/x-stream/xstream/issues/304"
},
{
"url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47434"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Stack Buffer Overflow in Woodstox",
"x_generator": {
"engine": "Vulnogram 0.0.9"
}
}
},
"cveMetadata": {
"assignerOrgId": "14ed7db2-1595-443d-9d34-6215bf890778",
"assignerShortName": "Google",
"cveId": "CVE-2022-40152",
"datePublished": "2022-09-16T10:00:22.101Z",
"dateReserved": "2022-09-07T00:00:00.000Z",
"dateUpdated": "2025-04-21T13:49:26.700Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-42003 (GCVE-0-2022-42003)
Vulnerability from cvelistv5
Published
2022-10-02 00:00
Modified
2024-08-03 12:56
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
In FasterXML jackson-databind before versions 2.13.4.1 and 2.12.17.1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled.
References
| ► | URL | Tags | |||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T12:56:39.107Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/FasterXML/jackson-databind/issues/3590"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/FasterXML/jackson-databind/commit/d78d00ee7b5245b93103fef3187f70543d67ca33"
},
{
"tags": [
"x_transferred"
],
"url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=51020"
},
{
"name": "GLSA-202210-21",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202210-21"
},
{
"name": "DSA-5283",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://www.debian.org/security/2022/dsa-5283"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20221124-0004/"
},
{
"name": "[debian-lts-announce] 20221127 [SECURITY] [DLA 3207-1] jackson-databind security update",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00035.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In FasterXML jackson-databind before versions 2.13.4.1 and 2.12.17.1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-20T09:33:08.256001",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/FasterXML/jackson-databind/issues/3590"
},
{
"url": "https://github.com/FasterXML/jackson-databind/commit/d78d00ee7b5245b93103fef3187f70543d67ca33"
},
{
"url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=51020"
},
{
"name": "GLSA-202210-21",
"tags": [
"vendor-advisory"
],
"url": "https://security.gentoo.org/glsa/202210-21"
},
{
"name": "DSA-5283",
"tags": [
"vendor-advisory"
],
"url": "https://www.debian.org/security/2022/dsa-5283"
},
{
"url": "https://security.netapp.com/advisory/ntap-20221124-0004/"
},
{
"name": "[debian-lts-announce] 20221127 [SECURITY] [DLA 3207-1] jackson-databind security update",
"tags": [
"mailing-list"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00035.html"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-42003",
"datePublished": "2022-10-02T00:00:00",
"dateReserved": "2022-10-02T00:00:00",
"dateUpdated": "2024-08-03T12:56:39.107Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-46877 (GCVE-0-2021-46877)
Vulnerability from cvelistv5
Published
2023-03-18 00:00
Modified
2025-02-26 19:02
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
jackson-databind 2.10.x through 2.12.x before 2.12.6 and 2.13.x before 2.13.1 allows attackers to cause a denial of service (2 GB transient heap usage per read) in uncommon situations involving JsonNode JDK serialization.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T05:17:42.837Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://groups.google.com/g/jackson-user/c/OsBsirPM_Vw"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/FasterXML/jackson-databind/issues/3328"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2021-46877",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-26T15:58:50.704463Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770 Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-26T19:02:21.440Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "jackson-databind 2.10.x through 2.12.x before 2.12.6 and 2.13.x before 2.13.1 allows attackers to cause a denial of service (2 GB transient heap usage per read) in uncommon situations involving JsonNode JDK serialization."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-03-18T00:00:00.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://groups.google.com/g/jackson-user/c/OsBsirPM_Vw"
},
{
"url": "https://github.com/FasterXML/jackson-databind/issues/3328"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-46877",
"datePublished": "2023-03-18T00:00:00.000Z",
"dateReserved": "2023-03-18T00:00:00.000Z",
"dateUpdated": "2025-02-26T19:02:21.440Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-2053 (GCVE-0-2022-2053)
Vulnerability from cvelistv5
Published
2022-08-05 15:24
Modified
2024-08-03 00:24
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
When a POST request comes through AJP and the request exceeds the max-post-size limit (maxEntitySize), Undertow's AjpServerRequestConduit implementation closes a connection without sending any response to the client/proxy. This behavior results in that a front-end proxy marking the backend worker (application server) as an error state and not forward requests to the worker for a while. In mod_cluster, this continues until the next STATUS request (10 seconds intervals) from the application server updates the server state. So, in the worst case, it can result in "All workers are in error state" and mod_cluster responds "503 Service Unavailable" for a while (up to 10 seconds). In mod_proxy_balancer, it does not forward requests to the worker until the "retry" timeout passes. However, luckily, mod_proxy_balancer has "forcerecovery" setting (On by default; this parameter can force the immediate recovery of all workers without considering the retry parameter of the workers if all workers of a balancer are in error state.). So, unlike mod_cluster, mod_proxy_balancer does not result in responding "503 Service Unavailable". An attacker could use this behavior to send a malicious request and trigger server errors, resulting in DoS (denial of service). This flaw was fixed in Undertow 2.2.19.Final, Undertow 2.3.0.Alpha2.
References
| ► | URL | Tags | ||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:24:44.066Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2095862\u0026comment#0"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://issues.redhat.com/browse/UNDERTOW-2133"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Undertow",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Fixed in Undertow 2.2.19.Final, Undertow 2.3.0.Alpha2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "When a POST request comes through AJP and the request exceeds the max-post-size limit (maxEntitySize), Undertow\u0027s AjpServerRequestConduit implementation closes a connection without sending any response to the client/proxy. This behavior results in that a front-end proxy marking the backend worker (application server) as an error state and not forward requests to the worker for a while. In mod_cluster, this continues until the next STATUS request (10 seconds intervals) from the application server updates the server state. So, in the worst case, it can result in \"All workers are in error state\" and mod_cluster responds \"503 Service Unavailable\" for a while (up to 10 seconds). In mod_proxy_balancer, it does not forward requests to the worker until the \"retry\" timeout passes. However, luckily, mod_proxy_balancer has \"forcerecovery\" setting (On by default; this parameter can force the immediate recovery of all workers without considering the retry parameter of the workers if all workers of a balancer are in error state.). So, unlike mod_cluster, mod_proxy_balancer does not result in responding \"503 Service Unavailable\". An attacker could use this behavior to send a malicious request and trigger server errors, resulting in DoS (denial of service). This flaw was fixed in Undertow 2.2.19.Final, Undertow 2.3.0.Alpha2."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-08-05T15:24:26",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2095862\u0026comment#0"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://issues.redhat.com/browse/UNDERTOW-2133"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2022-2053",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Undertow",
"version": {
"version_data": [
{
"version_value": "Fixed in Undertow 2.2.19.Final, Undertow 2.3.0.Alpha2"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "When a POST request comes through AJP and the request exceeds the max-post-size limit (maxEntitySize), Undertow\u0027s AjpServerRequestConduit implementation closes a connection without sending any response to the client/proxy. This behavior results in that a front-end proxy marking the backend worker (application server) as an error state and not forward requests to the worker for a while. In mod_cluster, this continues until the next STATUS request (10 seconds intervals) from the application server updates the server state. So, in the worst case, it can result in \"All workers are in error state\" and mod_cluster responds \"503 Service Unavailable\" for a while (up to 10 seconds). In mod_proxy_balancer, it does not forward requests to the worker until the \"retry\" timeout passes. However, luckily, mod_proxy_balancer has \"forcerecovery\" setting (On by default; this parameter can force the immediate recovery of all workers without considering the retry parameter of the workers if all workers of a balancer are in error state.). So, unlike mod_cluster, mod_proxy_balancer does not result in responding \"503 Service Unavailable\". An attacker could use this behavior to send a malicious request and trigger server errors, resulting in DoS (denial of service). This flaw was fixed in Undertow 2.2.19.Final, Undertow 2.3.0.Alpha2."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-400"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=2095862\u0026comment#0",
"refsource": "MISC",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2095862\u0026comment#0"
},
{
"name": "https://issues.redhat.com/browse/UNDERTOW-2133",
"refsource": "MISC",
"url": "https://issues.redhat.com/browse/UNDERTOW-2133"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2022-2053",
"datePublished": "2022-08-05T15:24:27",
"dateReserved": "2022-06-10T00:00:00",
"dateUpdated": "2024-08-03T00:24:44.066Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-3223 (GCVE-0-2023-3223)
Vulnerability from cvelistv5
Published
2023-09-27 13:54
Modified
2024-08-02 06:48
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-789 - Memory Allocation with Excessive Size Value
Summary
A flaw was found in undertow. Servlets annotated with @MultipartConfig may cause an OutOfMemoryError due to large multipart content. This may allow unauthorized users to cause remote Denial of Service (DoS) attack. If the server uses fileSizeThreshold to limit the file size, it's possible to bypass the limit by setting the file name in the request to null.
References
| ► | URL | Tags | |||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ► | Red Hat | Red Hat Fuse 7.12.1 |
cpe:/a:redhat:jboss_fuse:7 |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-3223",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-13T20:07:40.554787Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-13T20:07:46.970Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T06:48:07.955Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "RHSA-2023:4505",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2023:4505"
},
{
"name": "RHSA-2023:4506",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2023:4506"
},
{
"name": "RHSA-2023:4507",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2023:4507"
},
{
"name": "RHSA-2023:4509",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2023:4509"
},
{
"name": "RHSA-2023:4918",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2023:4918"
},
{
"name": "RHSA-2023:4919",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2023:4919"
},
{
"name": "RHSA-2023:4920",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2023:4920"
},
{
"name": "RHSA-2023:4921",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2023:4921"
},
{
"name": "RHSA-2023:4924",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2023:4924"
},
{
"name": "RHSA-2023:7247",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2023:7247"
},
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/security/cve/CVE-2023-3223"
},
{
"name": "RHBZ#2209689",
"tags": [
"issue-tracking",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2209689"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20231027-0004/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
"cpes": [
"cpe:/a:redhat:jboss_fuse:7"
],
"defaultStatus": "unaffected",
"packageName": "undertow",
"product": "Red Hat Fuse 7.12.1",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:jboss_enterprise_application_platform:7.4"
],
"defaultStatus": "unaffected",
"packageName": "undertow",
"product": "Red Hat JBoss Enterprise Application Platform 7.1.0",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8"
],
"defaultStatus": "affected",
"packageName": "eap7-undertow",
"product": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:2.2.25-3.SP3_redhat_00001.1.el8eap",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9"
],
"defaultStatus": "affected",
"packageName": "eap7-undertow",
"product": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:2.2.25-3.SP3_redhat_00001.1.el9eap",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7"
],
"defaultStatus": "affected",
"packageName": "eap7-undertow",
"product": "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:2.2.25-3.SP3_redhat_00001.1.el7eap",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
"cpes": [
"cpe:/a:redhat:red_hat_single_sign_on:7.6.5"
],
"defaultStatus": "unaffected",
"packageName": "undertow",
"product": "Red Hat Single Sign-On 7.6.5",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:red_hat_single_sign_on:7.6::el7"
],
"defaultStatus": "affected",
"packageName": "rh-sso7-keycloak",
"product": "Red Hat Single Sign-On 7.6 for RHEL 7",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:18.0.9-1.redhat_00001.1.el7sso",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:red_hat_single_sign_on:7.6::el8"
],
"defaultStatus": "affected",
"packageName": "rh-sso7-keycloak",
"product": "Red Hat Single Sign-On 7.6 for RHEL 8",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:18.0.9-1.redhat_00001.1.el8sso",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:red_hat_single_sign_on:7.6::el9"
],
"defaultStatus": "affected",
"packageName": "rh-sso7-keycloak",
"product": "Red Hat Single Sign-On 7.6 for RHEL 9",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:18.0.9-1.redhat_00001.1.el9sso",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:rhosemc:1.0::el8"
],
"defaultStatus": "affected",
"packageName": "rh-sso-7/sso76-openshift-rhel8",
"product": "RHEL-8 based Middleware Containers",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "7.6-27",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:quarkus:2"
],
"defaultStatus": "unaffected",
"packageName": "io.quarkus/quarkus-undertow",
"product": "Red Hat build of Quarkus",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:jboss_data_grid:8"
],
"defaultStatus": "unaffected",
"packageName": "undertow",
"product": "Red Hat Data Grid 8",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:jboss_enterprise_brms_platform:7"
],
"defaultStatus": "affected",
"packageName": "undertow",
"product": "Red Hat Decision Manager 7",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:integration:1"
],
"defaultStatus": "affected",
"packageName": "undertow",
"product": "Red Hat Integration Camel K",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:service_registry:2"
],
"defaultStatus": "affected",
"packageName": "undertow",
"product": "Red Hat Integration Service Registry",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
"cpes": [
"cpe:/a:redhat:jboss_data_grid:7"
],
"defaultStatus": "unknown",
"packageName": "undertow",
"product": "Red Hat JBoss Data Grid 7",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
"cpes": [
"cpe:/a:redhat:jbosseapxp"
],
"defaultStatus": "unaffected",
"packageName": "undertow",
"product": "Red Hat JBoss Enterprise Application Platform Expansion Pack",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
"cpes": [
"cpe:/a:redhat:jboss_fuse:6"
],
"defaultStatus": "unknown",
"packageName": "undertow",
"product": "Red Hat JBoss Fuse 6",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:openstack-optools:13"
],
"defaultStatus": "unknown",
"packageName": "undertow",
"product": "Red Hat OpenStack Platform 13 (Queens) Operational Tools",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:jboss_enterprise_bpms_platform:7"
],
"defaultStatus": "affected",
"packageName": "undertow",
"product": "Red Hat Process Automation 7",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:openshift_application_runtimes:1.0"
],
"defaultStatus": "unaffected",
"packageName": "undertow",
"product": "Red Hat support for Spring Boot",
"vendor": "Red Hat"
}
],
"credits": [
{
"lang": "en",
"value": "Red Hat would like to thank Keke Lian \u0026 Haoran Zhao (SecSys Lab) for reporting this issue."
}
],
"datePublic": "2023-08-07T00:00:00+00:00",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in undertow. Servlets annotated with @MultipartConfig may cause an OutOfMemoryError due to large multipart content. This may allow unauthorized users to cause remote Denial of Service (DoS) attack. If the server uses fileSizeThreshold to limit the file size, it\u0027s possible to bypass the limit by setting the file name in the request to null."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-789",
"description": "Memory Allocation with Excessive Size Value",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-03T15:32:37.244Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "RHSA-2023:4505",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2023:4505"
},
{
"name": "RHSA-2023:4506",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2023:4506"
},
{
"name": "RHSA-2023:4507",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2023:4507"
},
{
"name": "RHSA-2023:4509",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2023:4509"
},
{
"name": "RHSA-2023:4918",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2023:4918"
},
{
"name": "RHSA-2023:4919",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2023:4919"
},
{
"name": "RHSA-2023:4920",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2023:4920"
},
{
"name": "RHSA-2023:4921",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2023:4921"
},
{
"name": "RHSA-2023:4924",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2023:4924"
},
{
"name": "RHSA-2023:7247",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2023:7247"
},
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2023-3223"
},
{
"name": "RHBZ#2209689",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2209689"
},
{
"url": "https://security.netapp.com/advisory/ntap-20231027-0004/"
}
],
"timeline": [
{
"lang": "en",
"time": "2023-05-24T00:00:00+00:00",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2023-08-07T00:00:00+00:00",
"value": "Made public."
}
],
"title": "Undertow: outofmemoryerror due to @multipartconfig handling",
"x_redhatCweChain": "CWE-789: Memory Allocation with Excessive Size Value"
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2023-3223",
"datePublished": "2023-09-27T13:54:44.682Z",
"dateReserved": "2023-06-13T15:50:40.922Z",
"dateUpdated": "2024-08-02T06:48:07.955Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-36518 (GCVE-0-2020-36518)
Vulnerability from cvelistv5
Published
2022-03-11 00:00
Modified
2025-05-01 03:55
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.
References
| ► | URL | Tags | |||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T17:30:08.127Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/FasterXML/jackson-databind/issues/2816"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"name": "[debian-lts-announce] 20220502 [SECURITY] [DLA 2990-1] jackson-databind security update",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00001.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20220506-0004/"
},
{
"name": "DSA-5283",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://www.debian.org/security/2022/dsa-5283"
},
{
"name": "[debian-lts-announce] 20221127 [SECURITY] [DLA 3207-1] jackson-databind security update",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00035.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2020-36518",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": ""
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-19T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-01T03:55:10.091Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-11-27T00:00:00.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/FasterXML/jackson-databind/issues/2816"
},
{
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"name": "[debian-lts-announce] 20220502 [SECURITY] [DLA 2990-1] jackson-databind security update",
"tags": [
"mailing-list"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00001.html"
},
{
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
},
{
"url": "https://security.netapp.com/advisory/ntap-20220506-0004/"
},
{
"name": "DSA-5283",
"tags": [
"vendor-advisory"
],
"url": "https://www.debian.org/security/2022/dsa-5283"
},
{
"name": "[debian-lts-announce] 20221127 [SECURITY] [DLA 3207-1] jackson-databind security update",
"tags": [
"mailing-list"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00035.html"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-36518",
"datePublished": "2022-03-11T00:00:00.000Z",
"dateReserved": "2022-03-11T00:00:00.000Z",
"dateUpdated": "2025-05-01T03:55:10.091Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-3731 (GCVE-0-2017-3731)
Vulnerability from cvelistv5
Published
2017-05-04 19:00
Modified
2024-09-16 22:40
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- out-of-bounds read
Summary
If an SSL/TLS server or client is running on a 32-bit host, and a specific cipher is being used, then a truncated packet can cause that server or client to perform an out-of-bounds read, usually resulting in a crash. For OpenSSL 1.1.0, the crash can be triggered when using CHACHA20/POLY1305; users should upgrade to 1.1.0d. For Openssl 1.0.2, the crash can be triggered when using RC4-MD5; users who have not disabled that algorithm should update to 1.0.2k.
References
| ► | URL | Tags | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| OpenSSL | OpenSSL |
Version: openssl-1.1.0 Version: openssl-1.1.0a Version: openssl-1.1.0b Version: openssl-1.1.0c Version: openssl-1.0.2 Version: openssl-1.0.2a Version: openssl-1.0.2b Version: openssl-1.0.2c Version: openssl-1.0.2d Version: openssl-1.0.2e Version: openssl-1.0.2f Version: openssl-1.0.2g Version: openssl-1.0.2h Version: openssl-1.0.2i Version: openssl-1.0.2j |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T14:39:40.936Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "RHSA-2018:2185",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2018:2185"
},
{
"name": "RHSA-2018:2186",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2018:2186"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20171019-0002/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html"
},
{
"name": "95813",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/95813"
},
{
"name": "RHSA-2017:0286",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2017-0286.html"
},
{
"name": "FreeBSD-SA-17:02",
"tags": [
"vendor-advisory",
"x_refsource_FREEBSD",
"x_transferred"
],
"url": "https://security.FreeBSD.org/advisories/FreeBSD-SA-17:02.openssl.asc"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.openssl.org/news/secadv/20170126.txt"
},
{
"name": "1037717",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK",
"x_transferred"
],
"url": "http://www.securitytracker.com/id/1037717"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.tenable.com/security/tns-2017-04"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://source.android.com/security/bulletin/pixel/2017-11-01"
},
{
"name": "GLSA-201702-07",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/201702-07"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html"
},
{
"name": "DSA-3773",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "http://www.debian.org/security/2017/dsa-3773"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbhf03838en_us"
},
{
"name": "RHSA-2018:2187",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2018:2187"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/openssl/openssl/commit/00d965474b22b54e4275232bc71ee0c699c5cd21"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.paloaltonetworks.com/CVE-2017-3731"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "OpenSSL",
"vendor": "OpenSSL",
"versions": [
{
"status": "affected",
"version": "openssl-1.1.0"
},
{
"status": "affected",
"version": "openssl-1.1.0a"
},
{
"status": "affected",
"version": "openssl-1.1.0b"
},
{
"status": "affected",
"version": "openssl-1.1.0c"
},
{
"status": "affected",
"version": "openssl-1.0.2"
},
{
"status": "affected",
"version": "openssl-1.0.2a"
},
{
"status": "affected",
"version": "openssl-1.0.2b"
},
{
"status": "affected",
"version": "openssl-1.0.2c"
},
{
"status": "affected",
"version": "openssl-1.0.2d"
},
{
"status": "affected",
"version": "openssl-1.0.2e"
},
{
"status": "affected",
"version": "openssl-1.0.2f"
},
{
"status": "affected",
"version": "openssl-1.0.2g"
},
{
"status": "affected",
"version": "openssl-1.0.2h"
},
{
"status": "affected",
"version": "openssl-1.0.2i"
},
{
"status": "affected",
"version": "openssl-1.0.2j"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Robert \u015awi\u0119cki of Google"
}
],
"datePublic": "2017-01-26T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "If an SSL/TLS server or client is running on a 32-bit host, and a specific cipher is being used, then a truncated packet can cause that server or client to perform an out-of-bounds read, usually resulting in a crash. For OpenSSL 1.1.0, the crash can be triggered when using CHACHA20/POLY1305; users should upgrade to 1.1.0d. For Openssl 1.0.2, the crash can be triggered when using RC4-MD5; users who have not disabled that algorithm should update to 1.0.2k."
}
],
"metrics": [
{
"other": {
"content": {
"lang": "eng",
"url": "https://www.openssl.org/policies/secpolicy.html#Moderate",
"value": "Moderate"
},
"type": "unknown"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "out-of-bounds read",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-02-17T16:03:45",
"orgId": "3a12439a-ef3a-4c79-92e6-6081a721f1e5",
"shortName": "openssl"
},
"references": [
{
"name": "RHSA-2018:2185",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2018:2185"
},
{
"name": "RHSA-2018:2186",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2018:2186"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20171019-0002/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html"
},
{
"name": "95813",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/95813"
},
{
"name": "RHSA-2017:0286",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2017-0286.html"
},
{
"name": "FreeBSD-SA-17:02",
"tags": [
"vendor-advisory",
"x_refsource_FREEBSD"
],
"url": "https://security.FreeBSD.org/advisories/FreeBSD-SA-17:02.openssl.asc"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.openssl.org/news/secadv/20170126.txt"
},
{
"name": "1037717",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK"
],
"url": "http://www.securitytracker.com/id/1037717"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.tenable.com/security/tns-2017-04"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://source.android.com/security/bulletin/pixel/2017-11-01"
},
{
"name": "GLSA-201702-07",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO"
],
"url": "https://security.gentoo.org/glsa/201702-07"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html"
},
{
"name": "DSA-3773",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "http://www.debian.org/security/2017/dsa-3773"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbhf03838en_us"
},
{
"name": "RHSA-2018:2187",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2018:2187"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/openssl/openssl/commit/00d965474b22b54e4275232bc71ee0c699c5cd21"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.paloaltonetworks.com/CVE-2017-3731"
}
],
"title": "Truncated packet could crash via OOB read",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "openssl-security@openssl.org",
"DATE_PUBLIC": "2017-01-26",
"ID": "CVE-2017-3731",
"STATE": "PUBLIC",
"TITLE": "Truncated packet could crash via OOB read"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "OpenSSL",
"version": {
"version_data": [
{
"version_value": "openssl-1.1.0"
},
{
"version_value": "openssl-1.1.0a"
},
{
"version_value": "openssl-1.1.0b"
},
{
"version_value": "openssl-1.1.0c"
},
{
"version_value": "openssl-1.0.2"
},
{
"version_value": "openssl-1.0.2a"
},
{
"version_value": "openssl-1.0.2b"
},
{
"version_value": "openssl-1.0.2c"
},
{
"version_value": "openssl-1.0.2d"
},
{
"version_value": "openssl-1.0.2e"
},
{
"version_value": "openssl-1.0.2f"
},
{
"version_value": "openssl-1.0.2g"
},
{
"version_value": "openssl-1.0.2h"
},
{
"version_value": "openssl-1.0.2i"
},
{
"version_value": "openssl-1.0.2j"
}
]
}
}
]
},
"vendor_name": "OpenSSL"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Robert \u015awi\u0119cki of Google"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "If an SSL/TLS server or client is running on a 32-bit host, and a specific cipher is being used, then a truncated packet can cause that server or client to perform an out-of-bounds read, usually resulting in a crash. For OpenSSL 1.1.0, the crash can be triggered when using CHACHA20/POLY1305; users should upgrade to 1.1.0d. For Openssl 1.0.2, the crash can be triggered when using RC4-MD5; users who have not disabled that algorithm should update to 1.0.2k."
}
]
},
"impact": [
{
"lang": "eng",
"url": "https://www.openssl.org/policies/secpolicy.html#Moderate",
"value": "Moderate"
}
],
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "out-of-bounds read"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "RHSA-2018:2185",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2018:2185"
},
{
"name": "RHSA-2018:2186",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2018:2186"
},
{
"name": "https://security.netapp.com/advisory/ntap-20171019-0002/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20171019-0002/"
},
{
"name": "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html",
"refsource": "CONFIRM",
"url": "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html"
},
{
"name": "95813",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/95813"
},
{
"name": "RHSA-2017:0286",
"refsource": "REDHAT",
"url": "http://rhn.redhat.com/errata/RHSA-2017-0286.html"
},
{
"name": "FreeBSD-SA-17:02",
"refsource": "FREEBSD",
"url": "https://security.FreeBSD.org/advisories/FreeBSD-SA-17:02.openssl.asc"
},
{
"name": "https://www.openssl.org/news/secadv/20170126.txt",
"refsource": "CONFIRM",
"url": "https://www.openssl.org/news/secadv/20170126.txt"
},
{
"name": "1037717",
"refsource": "SECTRACK",
"url": "http://www.securitytracker.com/id/1037717"
},
{
"name": "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html",
"refsource": "CONFIRM",
"url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html"
},
{
"name": "https://www.tenable.com/security/tns-2017-04",
"refsource": "CONFIRM",
"url": "https://www.tenable.com/security/tns-2017-04"
},
{
"name": "https://source.android.com/security/bulletin/pixel/2017-11-01",
"refsource": "CONFIRM",
"url": "https://source.android.com/security/bulletin/pixel/2017-11-01"
},
{
"name": "GLSA-201702-07",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/201702-07"
},
{
"name": "http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html",
"refsource": "CONFIRM",
"url": "http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html"
},
{
"name": "DSA-3773",
"refsource": "DEBIAN",
"url": "http://www.debian.org/security/2017/dsa-3773"
},
{
"name": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbhf03838en_us",
"refsource": "CONFIRM",
"url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbhf03838en_us"
},
{
"name": "RHSA-2018:2187",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2018:2187"
},
{
"name": "https://github.com/openssl/openssl/commit/00d965474b22b54e4275232bc71ee0c699c5cd21",
"refsource": "MISC",
"url": "https://github.com/openssl/openssl/commit/00d965474b22b54e4275232bc71ee0c699c5cd21"
},
{
"name": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html",
"refsource": "MISC",
"url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html"
},
{
"name": "https://security.paloaltonetworks.com/CVE-2017-3731",
"refsource": "CONFIRM",
"url": "https://security.paloaltonetworks.com/CVE-2017-3731"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "3a12439a-ef3a-4c79-92e6-6081a721f1e5",
"assignerShortName": "openssl",
"cveId": "CVE-2017-3731",
"datePublished": "2017-05-04T19:00:00Z",
"dateReserved": "2016-12-16T00:00:00",
"dateUpdated": "2024-09-16T22:40:54.865Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-46364 (GCVE-0-2022-46364)
Vulnerability from cvelistv5
Published
2022-12-13 16:20
Modified
2025-04-22 02:48
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Summary
A SSRF vulnerability in parsing the href attribute of XOP:Include in MTOM requests in versions of Apache CXF before 3.5.5 and 3.4.10 allows an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache CXF |
Version: 0 < 3.5.5 Version: 0 < 3.4.10 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T14:31:46.249Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://cxf.apache.org/security-advisories.data/CVE-2022-46364.txt?version=1\u0026modificationDate=1670944472739\u0026api=v2"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-46364",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-22T02:48:12.377210Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-22T02:48:36.211Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache CXF",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "3.5.5",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "3.4.10",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "thanat0s from Beijin Qihoo 360 adlab"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A SSRF vulnerability in parsing the\u0026nbsp;href attribute of XOP:Include in MTOM requests in versions of Apache CXF before 3.5.5 and 3.4.10 allows an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type.\u0026nbsp;"
}
],
"value": "A SSRF vulnerability in parsing the\u00a0href attribute of XOP:Include in MTOM requests in versions of Apache CXF before 3.5.5 and 3.4.10 allows an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type.\u00a0"
}
],
"metrics": [
{
"other": {
"content": {
"text": "important"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-12-13T16:20:26.765Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://cxf.apache.org/security-advisories.data/CVE-2022-46364.txt?version=1\u0026modificationDate=1670944472739\u0026api=v2"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Apache CXF SSRF Vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2022-46364",
"datePublished": "2022-12-13T16:20:26.765Z",
"dateReserved": "2022-12-02T08:07:46.894Z",
"dateUpdated": "2025-04-22T02:48:36.211Z",
"requesterUserId": "cf81350d-439c-4450-9d42-0a054bb6b6c9",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-1319 (GCVE-0-2022-1319)
Vulnerability from cvelistv5
Published
2022-08-31 00:00
Modified
2024-08-03 00:03
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-252 - - Unchecked Return Value.
Summary
A flaw was found in Undertow. For an AJP 400 response, EAP 7 is improperly sending two response packets, and those packets have the reuse flag set even though JBoss EAP closes the connection. A failure occurs when the connection is reused after a 400 by CPING since it reads in the second SEND_HEADERS response packet instead of a CPONG.
References
| ► | URL | Tags | ||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:03:05.119Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2073890"
},
{
"tags": [
"x_transferred"
],
"url": "https://issues.redhat.com/browse/UNDERTOW-2060"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/undertow-io/undertow/commit/1443a1a2bbb8e32e56788109d8285db250d55c8b"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/undertow-io/undertow/commit/7c5b3ab885b5638fd3f1e8a935d5063d68aa2df3"
},
{
"tags": [
"x_transferred"
],
"url": "https://access.redhat.com/security/cve/CVE-2022-1319"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20221014-0006/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "undertow",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Fixed in 2.3.0.Final, 2.2.18.Final, 2.2.17.SP3, 2.2.17.SP4, 2.3.0.Alpha2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in Undertow. For an AJP 400 response, EAP 7 is improperly sending two response packets, and those packets have the reuse flag set even though JBoss EAP closes the connection. A failure occurs when the connection is reused after a 400 by CPING since it reads in the second SEND_HEADERS response packet instead of a CPONG."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-252",
"description": "CWE-252 - Unchecked Return Value.",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-10-14T00:00:00",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2073890"
},
{
"url": "https://issues.redhat.com/browse/UNDERTOW-2060"
},
{
"url": "https://github.com/undertow-io/undertow/commit/1443a1a2bbb8e32e56788109d8285db250d55c8b"
},
{
"url": "https://github.com/undertow-io/undertow/commit/7c5b3ab885b5638fd3f1e8a935d5063d68aa2df3"
},
{
"url": "https://access.redhat.com/security/cve/CVE-2022-1319"
},
{
"url": "https://security.netapp.com/advisory/ntap-20221014-0006/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2022-1319",
"datePublished": "2022-08-31T00:00:00",
"dateReserved": "2022-04-12T00:00:00",
"dateUpdated": "2024-08-03T00:03:05.119Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-3732 (GCVE-0-2017-3732)
Vulnerability from cvelistv5
Published
2017-05-04 19:00
Modified
2024-09-16 22:08
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- carry-propagating bug
Summary
There is a carry propagating bug in the x86_64 Montgomery squaring procedure in OpenSSL 1.0.2 before 1.0.2k and 1.1.0 before 1.1.0d. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH are considered just feasible (although very difficult) because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be very significant and likely only accessible to a limited number of attackers. An attacker would additionally need online access to an unpatched system using the target private key in a scenario with persistent DH parameters and a private key that is shared between multiple clients. For example this can occur by default in OpenSSL DHE based SSL/TLS ciphersuites. Note: This issue is very similar to CVE-2015-3193 but must be treated as a separate problem.
References
| ► | URL | Tags | ||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| OpenSSL | OpenSSL |
Version: openssl-1.1.0 Version: openssl-1.1.0a Version: openssl-1.1.0b Version: openssl-1.1.0c Version: openssl-1.0.2 Version: openssl-1.0.2a Version: openssl-1.0.2b Version: openssl-1.0.2c Version: openssl-1.0.2d Version: openssl-1.0.2e Version: openssl-1.0.2f Version: openssl-1.0.2g Version: openssl-1.0.2h Version: openssl-1.0.2i Version: openssl-1.0.2j |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T14:39:40.621Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "RHSA-2018:2185",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2018:2185"
},
{
"name": "RHSA-2018:2186",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2018:2186"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html"
},
{
"name": "RHSA-2018:2713",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2018:2713"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/openssl/openssl/commit/a59b90bf491410f1f2bc4540cc21f1980fd14c5b"
},
{
"name": "FreeBSD-SA-17:02",
"tags": [
"vendor-advisory",
"x_refsource_FREEBSD",
"x_transferred"
],
"url": "https://security.FreeBSD.org/advisories/FreeBSD-SA-17:02.openssl.asc"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.openssl.org/news/secadv/20170126.txt"
},
{
"name": "1037717",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK",
"x_transferred"
],
"url": "http://www.securitytracker.com/id/1037717"
},
{
"name": "RHSA-2018:2575",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2018:2575"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.tenable.com/security/tns-2017-04"
},
{
"name": "GLSA-201702-07",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/201702-07"
},
{
"name": "RHSA-2018:2568",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2018:2568"
},
{
"name": "95814",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/95814"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbhf03838en_us"
},
{
"name": "RHSA-2018:2187",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2018:2187"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "OpenSSL",
"vendor": "OpenSSL",
"versions": [
{
"status": "affected",
"version": "openssl-1.1.0"
},
{
"status": "affected",
"version": "openssl-1.1.0a"
},
{
"status": "affected",
"version": "openssl-1.1.0b"
},
{
"status": "affected",
"version": "openssl-1.1.0c"
},
{
"status": "affected",
"version": "openssl-1.0.2"
},
{
"status": "affected",
"version": "openssl-1.0.2a"
},
{
"status": "affected",
"version": "openssl-1.0.2b"
},
{
"status": "affected",
"version": "openssl-1.0.2c"
},
{
"status": "affected",
"version": "openssl-1.0.2d"
},
{
"status": "affected",
"version": "openssl-1.0.2e"
},
{
"status": "affected",
"version": "openssl-1.0.2f"
},
{
"status": "affected",
"version": "openssl-1.0.2g"
},
{
"status": "affected",
"version": "openssl-1.0.2h"
},
{
"status": "affected",
"version": "openssl-1.0.2i"
},
{
"status": "affected",
"version": "openssl-1.0.2j"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "OSS-Fuzz project"
}
],
"datePublic": "2017-01-26T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "There is a carry propagating bug in the x86_64 Montgomery squaring procedure in OpenSSL 1.0.2 before 1.0.2k and 1.1.0 before 1.1.0d. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH are considered just feasible (although very difficult) because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be very significant and likely only accessible to a limited number of attackers. An attacker would additionally need online access to an unpatched system using the target private key in a scenario with persistent DH parameters and a private key that is shared between multiple clients. For example this can occur by default in OpenSSL DHE based SSL/TLS ciphersuites. Note: This issue is very similar to CVE-2015-3193 but must be treated as a separate problem."
}
],
"metrics": [
{
"other": {
"content": {
"lang": "eng",
"url": "https://www.openssl.org/policies/secpolicy.html#Moderate",
"value": "Moderate"
},
"type": "unknown"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "carry-propagating bug",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-04-23T19:08:15",
"orgId": "3a12439a-ef3a-4c79-92e6-6081a721f1e5",
"shortName": "openssl"
},
"references": [
{
"name": "RHSA-2018:2185",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2018:2185"
},
{
"name": "RHSA-2018:2186",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2018:2186"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html"
},
{
"name": "RHSA-2018:2713",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2018:2713"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/openssl/openssl/commit/a59b90bf491410f1f2bc4540cc21f1980fd14c5b"
},
{
"name": "FreeBSD-SA-17:02",
"tags": [
"vendor-advisory",
"x_refsource_FREEBSD"
],
"url": "https://security.FreeBSD.org/advisories/FreeBSD-SA-17:02.openssl.asc"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.openssl.org/news/secadv/20170126.txt"
},
{
"name": "1037717",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK"
],
"url": "http://www.securitytracker.com/id/1037717"
},
{
"name": "RHSA-2018:2575",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2018:2575"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.tenable.com/security/tns-2017-04"
},
{
"name": "GLSA-201702-07",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO"
],
"url": "https://security.gentoo.org/glsa/201702-07"
},
{
"name": "RHSA-2018:2568",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2018:2568"
},
{
"name": "95814",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/95814"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbhf03838en_us"
},
{
"name": "RHSA-2018:2187",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2018:2187"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html"
}
],
"title": "BN_mod_exp may produce incorrect results on x86_64",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "openssl-security@openssl.org",
"DATE_PUBLIC": "2017-01-26",
"ID": "CVE-2017-3732",
"STATE": "PUBLIC",
"TITLE": "BN_mod_exp may produce incorrect results on x86_64"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "OpenSSL",
"version": {
"version_data": [
{
"version_value": "openssl-1.1.0"
},
{
"version_value": "openssl-1.1.0a"
},
{
"version_value": "openssl-1.1.0b"
},
{
"version_value": "openssl-1.1.0c"
},
{
"version_value": "openssl-1.0.2"
},
{
"version_value": "openssl-1.0.2a"
},
{
"version_value": "openssl-1.0.2b"
},
{
"version_value": "openssl-1.0.2c"
},
{
"version_value": "openssl-1.0.2d"
},
{
"version_value": "openssl-1.0.2e"
},
{
"version_value": "openssl-1.0.2f"
},
{
"version_value": "openssl-1.0.2g"
},
{
"version_value": "openssl-1.0.2h"
},
{
"version_value": "openssl-1.0.2i"
},
{
"version_value": "openssl-1.0.2j"
}
]
}
}
]
},
"vendor_name": "OpenSSL"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "OSS-Fuzz project"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "There is a carry propagating bug in the x86_64 Montgomery squaring procedure in OpenSSL 1.0.2 before 1.0.2k and 1.1.0 before 1.1.0d. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH are considered just feasible (although very difficult) because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be very significant and likely only accessible to a limited number of attackers. An attacker would additionally need online access to an unpatched system using the target private key in a scenario with persistent DH parameters and a private key that is shared between multiple clients. For example this can occur by default in OpenSSL DHE based SSL/TLS ciphersuites. Note: This issue is very similar to CVE-2015-3193 but must be treated as a separate problem."
}
]
},
"impact": [
{
"lang": "eng",
"url": "https://www.openssl.org/policies/secpolicy.html#Moderate",
"value": "Moderate"
}
],
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "carry-propagating bug"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "RHSA-2018:2185",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2018:2185"
},
{
"name": "RHSA-2018:2186",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2018:2186"
},
{
"name": "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html",
"refsource": "CONFIRM",
"url": "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html"
},
{
"name": "RHSA-2018:2713",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2018:2713"
},
{
"name": "https://github.com/openssl/openssl/commit/a59b90bf491410f1f2bc4540cc21f1980fd14c5b",
"refsource": "MISC",
"url": "https://github.com/openssl/openssl/commit/a59b90bf491410f1f2bc4540cc21f1980fd14c5b"
},
{
"name": "FreeBSD-SA-17:02",
"refsource": "FREEBSD",
"url": "https://security.FreeBSD.org/advisories/FreeBSD-SA-17:02.openssl.asc"
},
{
"name": "https://www.openssl.org/news/secadv/20170126.txt",
"refsource": "CONFIRM",
"url": "https://www.openssl.org/news/secadv/20170126.txt"
},
{
"name": "1037717",
"refsource": "SECTRACK",
"url": "http://www.securitytracker.com/id/1037717"
},
{
"name": "RHSA-2018:2575",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2018:2575"
},
{
"name": "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html",
"refsource": "CONFIRM",
"url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html"
},
{
"name": "https://www.tenable.com/security/tns-2017-04",
"refsource": "CONFIRM",
"url": "https://www.tenable.com/security/tns-2017-04"
},
{
"name": "GLSA-201702-07",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/201702-07"
},
{
"name": "RHSA-2018:2568",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2018:2568"
},
{
"name": "95814",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/95814"
},
{
"name": "http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html",
"refsource": "CONFIRM",
"url": "http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html"
},
{
"name": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbhf03838en_us",
"refsource": "CONFIRM",
"url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbhf03838en_us"
},
{
"name": "RHSA-2018:2187",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2018:2187"
},
{
"name": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html",
"refsource": "MISC",
"url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "3a12439a-ef3a-4c79-92e6-6081a721f1e5",
"assignerShortName": "openssl",
"cveId": "CVE-2017-3732",
"datePublished": "2017-05-04T19:00:00Z",
"dateReserved": "2016-12-16T00:00:00",
"dateUpdated": "2024-09-16T22:08:37.371Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-3711 (GCVE-0-2021-3711)
Vulnerability from cvelistv5
Published
2021-08-24 14:50
Modified
2024-09-16 18:29
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- Buffer overflow
Summary
In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the "out" parameter can be NULL and, on exit, the "outlen" parameter is populated with the buffer size required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the "out" parameter. A bug in the implementation of the SM2 decryption code means that the calculation of the buffer size required to hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the application a second time with a buffer that is too small. A malicious attacker who is able present SM2 content for decryption to an application could cause attacker chosen data to overflow the buffer by up to a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing application behaviour or causing the application to crash. The location of the buffer is application dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).
References
| ► | URL | Tags | |||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T17:01:08.171Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.openssl.org/news/secadv/20210824.txt"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=59f5e75f3bced8fc0e130d72a3f582cf7b480b46"
},
{
"name": "DSA-4963",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://www.debian.org/security/2021/dsa-4963"
},
{
"name": "[tomcat-dev] 20210825 OpenSSL security announcement - do we need a Tomcat Native release?",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r18995de860f0e63635f3008fd2a6aca82394249476d21691e7c59c9e%40%3Cdev.tomcat.apache.org%3E"
},
{
"name": "[oss-security] 20210825 OpenSSL SM2 Decryption Buffer Overflow (CVE-2021-3711), Read buffer overruns processing ASN.1 strings (CVE-2021-3712)",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2021/08/26/2"
},
{
"name": "[tomcat-dev] 20210826 Re: OpenSSL security announcement - do we need a Tomcat Native release?",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rad5d9f83f0d11fb3f8bb148d179b8a9ad7c6a17f18d70e5805a713d1%40%3Cdev.tomcat.apache.org%3E"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20210827-0010/"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.tenable.com/security/tns-2021-16"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20211022-0003/"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.tenable.com/security/tns-2022-02"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf"
},
{
"name": "GLSA-202209-02",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202209-02"
},
{
"name": "GLSA-202210-02",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202210-02"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20240621-0006/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "OpenSSL",
"vendor": "OpenSSL",
"versions": [
{
"status": "affected",
"version": "Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k)"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "John Ouyang"
}
],
"datePublic": "2021-08-24T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the \"out\" parameter can be NULL and, on exit, the \"outlen\" parameter is populated with the buffer size required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the \"out\" parameter. A bug in the implementation of the SM2 decryption code means that the calculation of the buffer size required to hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the application a second time with a buffer that is too small. A malicious attacker who is able present SM2 content for decryption to an application could cause attacker chosen data to overflow the buffer by up to a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing application behaviour or causing the application to crash. The location of the buffer is application dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k)."
}
],
"metrics": [
{
"other": {
"content": {
"lang": "eng",
"url": "https://www.openssl.org/policies/secpolicy.html#High",
"value": "High"
},
"type": "unknown"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Buffer overflow",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-21T19:07:59.573968",
"orgId": "3a12439a-ef3a-4c79-92e6-6081a721f1e5",
"shortName": "openssl"
},
"references": [
{
"url": "https://www.openssl.org/news/secadv/20210824.txt"
},
{
"url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=59f5e75f3bced8fc0e130d72a3f582cf7b480b46"
},
{
"name": "DSA-4963",
"tags": [
"vendor-advisory"
],
"url": "https://www.debian.org/security/2021/dsa-4963"
},
{
"name": "[tomcat-dev] 20210825 OpenSSL security announcement - do we need a Tomcat Native release?",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r18995de860f0e63635f3008fd2a6aca82394249476d21691e7c59c9e%40%3Cdev.tomcat.apache.org%3E"
},
{
"name": "[oss-security] 20210825 OpenSSL SM2 Decryption Buffer Overflow (CVE-2021-3711), Read buffer overruns processing ASN.1 strings (CVE-2021-3712)",
"tags": [
"mailing-list"
],
"url": "http://www.openwall.com/lists/oss-security/2021/08/26/2"
},
{
"name": "[tomcat-dev] 20210826 Re: OpenSSL security announcement - do we need a Tomcat Native release?",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/rad5d9f83f0d11fb3f8bb148d179b8a9ad7c6a17f18d70e5805a713d1%40%3Cdev.tomcat.apache.org%3E"
},
{
"url": "https://security.netapp.com/advisory/ntap-20210827-0010/"
},
{
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"url": "https://www.tenable.com/security/tns-2021-16"
},
{
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"url": "https://security.netapp.com/advisory/ntap-20211022-0003/"
},
{
"url": "https://www.tenable.com/security/tns-2022-02"
},
{
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf"
},
{
"name": "GLSA-202209-02",
"tags": [
"vendor-advisory"
],
"url": "https://security.gentoo.org/glsa/202209-02"
},
{
"name": "GLSA-202210-02",
"tags": [
"vendor-advisory"
],
"url": "https://security.gentoo.org/glsa/202210-02"
},
{
"url": "https://security.netapp.com/advisory/ntap-20240621-0006/"
}
],
"title": "SM2 Decryption Buffer Overflow"
}
},
"cveMetadata": {
"assignerOrgId": "3a12439a-ef3a-4c79-92e6-6081a721f1e5",
"assignerShortName": "openssl",
"cveId": "CVE-2021-3711",
"datePublished": "2021-08-24T14:50:13.114745Z",
"dateReserved": "2021-08-16T00:00:00",
"dateUpdated": "2024-09-16T18:29:03.742Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-24823 (GCVE-0-2022-24823)
Vulnerability from cvelistv5
Published
2022-05-06 12:05
Modified
2025-04-22 18:01
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
Netty is an open-source, asynchronous event-driven network application framework. The package `io.netty:netty-codec-http` prior to version 4.1.77.Final contains an insufficient fix for CVE-2021-21290. When Netty's multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled. This only impacts applications running on Java version 6 and lower. Additionally, this vulnerability impacts code running on Unix-like systems, and very old versions of Mac OSX and Windows as they all share the system temporary directory between all users. Version 4.1.77.Final contains a patch for this vulnerability. As a workaround, specify one's own `java.io.tmpdir` when starting the JVM or use DefaultHttpDataFactory.setBaseDir(...) to set the directory to something that is only readable by the current user.
References
| ► | URL | Tags | |||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T04:20:50.545Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/netty/netty/security/advisories/GHSA-269q-hmxg-m83q"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/netty/netty/security/advisories/GHSA-5mcr-gq6c-3hq2"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/netty/netty/commit/185f8b2756a36aaa4f973f1a2a025e7d981823f1"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20220616-0004/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-24823",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-22T15:48:11.887598Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-22T18:01:57.607Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "netty",
"vendor": "netty",
"versions": [
{
"status": "affected",
"version": "\u003c= 4.1.76.Final"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Netty is an open-source, asynchronous event-driven network application framework. The package `io.netty:netty-codec-http` prior to version 4.1.77.Final contains an insufficient fix for CVE-2021-21290. When Netty\u0027s multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled. This only impacts applications running on Java version 6 and lower. Additionally, this vulnerability impacts code running on Unix-like systems, and very old versions of Mac OSX and Windows as they all share the system temporary directory between all users. Version 4.1.77.Final contains a patch for this vulnerability. As a workaround, specify one\u0027s own `java.io.tmpdir` when starting the JVM or use DefaultHttpDataFactory.setBaseDir(...) to set the directory to something that is only readable by the current user."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-668",
"description": "CWE-668: Exposure of Resource to Wrong Sphere",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-378",
"description": "CWE-378: Creation of Temporary File With Insecure Permissions",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-379",
"description": "CWE-379: Creation of Temporary File in Directory with Insecure Permissions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-25T16:52:21.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/netty/netty/security/advisories/GHSA-269q-hmxg-m83q"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/netty/netty/security/advisories/GHSA-5mcr-gq6c-3hq2"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/netty/netty/commit/185f8b2756a36aaa4f973f1a2a025e7d981823f1"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20220616-0004/"
}
],
"source": {
"advisory": "GHSA-269q-hmxg-m83q",
"discovery": "UNKNOWN"
},
"title": "Local Information Disclosure Vulnerability in io.netty:netty-codec-http",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-24823",
"STATE": "PUBLIC",
"TITLE": "Local Information Disclosure Vulnerability in io.netty:netty-codec-http"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "netty",
"version": {
"version_data": [
{
"version_value": "\u003c= 4.1.76.Final"
}
]
}
}
]
},
"vendor_name": "netty"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Netty is an open-source, asynchronous event-driven network application framework. The package `io.netty:netty-codec-http` prior to version 4.1.77.Final contains an insufficient fix for CVE-2021-21290. When Netty\u0027s multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled. This only impacts applications running on Java version 6 and lower. Additionally, this vulnerability impacts code running on Unix-like systems, and very old versions of Mac OSX and Windows as they all share the system temporary directory between all users. Version 4.1.77.Final contains a patch for this vulnerability. As a workaround, specify one\u0027s own `java.io.tmpdir` when starting the JVM or use DefaultHttpDataFactory.setBaseDir(...) to set the directory to something that is only readable by the current user."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-668: Exposure of Resource to Wrong Sphere"
}
]
},
{
"description": [
{
"lang": "eng",
"value": "CWE-378: Creation of Temporary File With Insecure Permissions"
}
]
},
{
"description": [
{
"lang": "eng",
"value": "CWE-379: Creation of Temporary File in Directory with Insecure Permissions"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/netty/netty/security/advisories/GHSA-269q-hmxg-m83q",
"refsource": "CONFIRM",
"url": "https://github.com/netty/netty/security/advisories/GHSA-269q-hmxg-m83q"
},
{
"name": "https://github.com/netty/netty/security/advisories/GHSA-5mcr-gq6c-3hq2",
"refsource": "MISC",
"url": "https://github.com/netty/netty/security/advisories/GHSA-5mcr-gq6c-3hq2"
},
{
"name": "https://github.com/netty/netty/commit/185f8b2756a36aaa4f973f1a2a025e7d981823f1",
"refsource": "MISC",
"url": "https://github.com/netty/netty/commit/185f8b2756a36aaa4f973f1a2a025e7d981823f1"
},
{
"name": "https://www.oracle.com/security-alerts/cpujul2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
},
{
"name": "https://security.netapp.com/advisory/ntap-20220616-0004/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20220616-0004/"
}
]
},
"source": {
"advisory": "GHSA-269q-hmxg-m83q",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-24823",
"datePublished": "2022-05-06T12:05:11.000Z",
"dateReserved": "2022-02-10T00:00:00.000Z",
"dateUpdated": "2025-04-22T18:01:57.607Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-40690 (GCVE-0-2021-40690)
Vulnerability from cvelistv5
Published
2021-09-19 00:00
Modified
2024-08-04 02:51
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Summary
All versions of Apache Santuario - XML Security for Java prior to 2.2.3 and 2.1.7 are vulnerable to an issue where the "secureValidation" property is not passed correctly when creating a KeyInfo from a KeyInfoReference element. This allows an attacker to abuse an XPath Transform to extract any local .xml files in a RetrievalMethod element.
References
| ► | URL | Tags | ||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Santuario |
Version: XML Security for Java < 2.2.3,2.1.7 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T02:51:06.487Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r8848751b6a5dd78cc9e99d627e74fecfaffdfa1bb615dce827aad633%40%3Cdev.santuario.apache.org%3E"
},
{
"name": "[tomee-commits] 20210922 [tomee] 02/02: Update xmlsec to 2.2.3 to mitigate CVE-2021-40690",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rbdac116aef912b563da54f4c152222c0754e32fb2f785519ac5e059f%40%3Ccommits.tomee.apache.org%3E"
},
{
"name": "[tomee-commits] 20210923 [jira] [Resolved] (TOMEE-3798) TomEE (8.0.8) is affected by CVE-2021-40690 vulnerability",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/re294cfc61f509512874ea514d8d64fd276253d54ac378ffa7a4880c8%40%3Ccommits.tomee.apache.org%3E"
},
{
"name": "[tomee-commits] 20210923 [jira] [Created] (TOMEE-3798) TomEE (8.0.8) is affected by CVE-2021-40690 vulnerability",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r8a5c0ce9014bd07303aec1e5eed55951704878016465d3dae00e0c28%40%3Ccommits.tomee.apache.org%3E"
},
{
"name": "[tomee-commits] 20210923 [jira] [Assigned] (TOMEE-3798) TomEE (8.0.8) is affected by CVE-2021-40690 vulnerability",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r9c100d53c84d54cf71975e3f0cfcc2856a8846554a04c99390156ce4%40%3Ccommits.tomee.apache.org%3E"
},
{
"name": "[tomee-commits] 20210923 [jira] [Updated] (TOMEE-3798) TomEE (8.0.8) is affected by CVE-2021-40690 vulnerability",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r3b3f5ba9b0de8c9c125077b71af06026d344a709a8ba67db81ee9faa%40%3Ccommits.tomee.apache.org%3E"
},
{
"name": "[poi-user] 20210923 Re: CVE-2021-40690 on xmlsec jar",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/raf352f95c19c0c4051af3180752cb69acbea88d0d066ab176c6170e8%40%3Cuser.poi.apache.org%3E"
},
{
"name": "[debian-lts-announce] 20210927 [SECURITY] [DLA 2767-1] libxml-security-java security update",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/09/msg00015.html"
},
{
"name": "[cxf-issues] 20211027 [jira] [Created] (CXF-8613) High Security issues reported with Apache Santuario library bundled in CXF 3.4.4",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r401ecb7274794f040cd757b259ebe3e8c463ae74f7961209ccad3c59%40%3Cissues.cxf.apache.org%3E"
},
{
"name": "[tomee-commits] 20211028 [jira] [Updated] (TOMEE-3798) TomEE (8.0.8) is affected by CVE-2021-40690 vulnerability",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rbbbac0759b12472abd0c278d32b5e0867bb21934df8e14e5e641597c%40%3Ccommits.tomee.apache.org%3E"
},
{
"name": "DSA-5010",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://www.debian.org/security/2021/dsa-5010"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20230818-0002/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Santuario",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "2.2.3,2.1.7",
"status": "affected",
"version": "XML Security for Java",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "An Trinh, Calif."
}
],
"descriptions": [
{
"lang": "en",
"value": "All versions of Apache Santuario - XML Security for Java prior to 2.2.3 and 2.1.7 are vulnerable to an issue where the \"secureValidation\" property is not passed correctly when creating a KeyInfo from a KeyInfoReference element. This allows an attacker to abuse an XPath Transform to extract any local .xml files in a RetrievalMethod element."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-08-18T13:06:19.359156",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"url": "https://lists.apache.org/thread.html/r8848751b6a5dd78cc9e99d627e74fecfaffdfa1bb615dce827aad633%40%3Cdev.santuario.apache.org%3E"
},
{
"name": "[tomee-commits] 20210922 [tomee] 02/02: Update xmlsec to 2.2.3 to mitigate CVE-2021-40690",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/rbdac116aef912b563da54f4c152222c0754e32fb2f785519ac5e059f%40%3Ccommits.tomee.apache.org%3E"
},
{
"name": "[tomee-commits] 20210923 [jira] [Resolved] (TOMEE-3798) TomEE (8.0.8) is affected by CVE-2021-40690 vulnerability",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/re294cfc61f509512874ea514d8d64fd276253d54ac378ffa7a4880c8%40%3Ccommits.tomee.apache.org%3E"
},
{
"name": "[tomee-commits] 20210923 [jira] [Created] (TOMEE-3798) TomEE (8.0.8) is affected by CVE-2021-40690 vulnerability",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r8a5c0ce9014bd07303aec1e5eed55951704878016465d3dae00e0c28%40%3Ccommits.tomee.apache.org%3E"
},
{
"name": "[tomee-commits] 20210923 [jira] [Assigned] (TOMEE-3798) TomEE (8.0.8) is affected by CVE-2021-40690 vulnerability",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r9c100d53c84d54cf71975e3f0cfcc2856a8846554a04c99390156ce4%40%3Ccommits.tomee.apache.org%3E"
},
{
"name": "[tomee-commits] 20210923 [jira] [Updated] (TOMEE-3798) TomEE (8.0.8) is affected by CVE-2021-40690 vulnerability",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r3b3f5ba9b0de8c9c125077b71af06026d344a709a8ba67db81ee9faa%40%3Ccommits.tomee.apache.org%3E"
},
{
"name": "[poi-user] 20210923 Re: CVE-2021-40690 on xmlsec jar",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/raf352f95c19c0c4051af3180752cb69acbea88d0d066ab176c6170e8%40%3Cuser.poi.apache.org%3E"
},
{
"name": "[debian-lts-announce] 20210927 [SECURITY] [DLA 2767-1] libxml-security-java security update",
"tags": [
"mailing-list"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/09/msg00015.html"
},
{
"name": "[cxf-issues] 20211027 [jira] [Created] (CXF-8613) High Security issues reported with Apache Santuario library bundled in CXF 3.4.4",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r401ecb7274794f040cd757b259ebe3e8c463ae74f7961209ccad3c59%40%3Cissues.cxf.apache.org%3E"
},
{
"name": "[tomee-commits] 20211028 [jira] [Updated] (TOMEE-3798) TomEE (8.0.8) is affected by CVE-2021-40690 vulnerability",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/rbbbac0759b12472abd0c278d32b5e0867bb21934df8e14e5e641597c%40%3Ccommits.tomee.apache.org%3E"
},
{
"name": "DSA-5010",
"tags": [
"vendor-advisory"
],
"url": "https://www.debian.org/security/2021/dsa-5010"
},
{
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
},
{
"url": "https://security.netapp.com/advisory/ntap-20230818-0002/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Bypass of the secureValidation property",
"x_generator": {
"engine": "Vulnogram 0.0.9"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2021-40690",
"datePublished": "2021-09-19T00:00:00",
"dateReserved": "2021-09-08T00:00:00",
"dateUpdated": "2024-08-04T02:51:06.487Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-43797 (GCVE-0-2021-43797)
Vulnerability from cvelistv5
Published
2021-12-09 00:00
Modified
2024-08-04 04:03
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
Summary
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Netty prior to version 4.1.71.Final skips control chars when they are present at the beginning / end of the header name. It should instead fail fast as these are not allowed by the spec and could lead to HTTP request smuggling. Failing to do the validation might cause netty to "sanitize" header names before it forward these to another remote system when used as proxy. This remote system can't see the invalid usage anymore, and therefore does not do the validation itself. Users should upgrade to version 4.1.71.Final.
References
| ► | URL | Tags | |||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T04:03:08.898Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/netty/netty/security/advisories/GHSA-wx5j-54mm-rqqq"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/netty/netty/commit/07aa6b5938a8b6ed7a6586e066400e2643897323"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20220107-0003/"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
},
{
"name": "[debian-lts-announce] 20230111 [SECURITY] [DLA 3268-1] netty security update",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00008.html"
},
{
"name": "DSA-5316",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://www.debian.org/security/2023/dsa-5316"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "netty",
"vendor": "netty",
"versions": [
{
"status": "affected",
"version": "\u003c= 4.1.7.0.Final"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers \u0026 clients. Netty prior to version 4.1.71.Final skips control chars when they are present at the beginning / end of the header name. It should instead fail fast as these are not allowed by the spec and could lead to HTTP request smuggling. Failing to do the validation might cause netty to \"sanitize\" header names before it forward these to another remote system when used as proxy. This remote system can\u0027t see the invalid usage anymore, and therefore does not do the validation itself. Users should upgrade to version 4.1.71.Final."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-444",
"description": "CWE-444: Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request Smuggling\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-01-12T00:00:00",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"url": "https://github.com/netty/netty/security/advisories/GHSA-wx5j-54mm-rqqq"
},
{
"url": "https://github.com/netty/netty/commit/07aa6b5938a8b6ed7a6586e066400e2643897323"
},
{
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"url": "https://security.netapp.com/advisory/ntap-20220107-0003/"
},
{
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
},
{
"name": "[debian-lts-announce] 20230111 [SECURITY] [DLA 3268-1] netty security update",
"tags": [
"mailing-list"
],
"url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00008.html"
},
{
"name": "DSA-5316",
"tags": [
"vendor-advisory"
],
"url": "https://www.debian.org/security/2023/dsa-5316"
}
],
"source": {
"advisory": "GHSA-wx5j-54mm-rqqq",
"discovery": "UNKNOWN"
},
"title": "HTTP fails to validate against control chars in header names which may lead to HTTP request smuggling"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-43797",
"datePublished": "2021-12-09T00:00:00",
"dateReserved": "2021-11-16T00:00:00",
"dateUpdated": "2024-08-04T04:03:08.898Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2016-2842 (GCVE-0-2016-2842)
Vulnerability from cvelistv5
Published
2016-03-03 20:00
Modified
2024-08-05 23:32
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
The doapr_outch function in crypto/bio/b_print.c in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g does not verify that a certain memory allocation succeeds, which allows remote attackers to cause a denial of service (out-of-bounds write or memory consumption) or possibly have unspecified other impact via a long string, as demonstrated by a large amount of ASN.1 data, a different vulnerability than CVE-2016-0799.
References
| ► | URL | Tags | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T23:32:21.333Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05131085"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05157667"
},
{
"name": "RHSA-2016:2073",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2016-2073.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10152"
},
{
"name": "HPSBMU03575",
"tags": [
"vendor-advisory",
"x_refsource_HP",
"x_transferred"
],
"url": "http://marc.info/?l=bugtraq\u0026m=146108058503441\u0026w=2"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05111017"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05376917"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05150888"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05135617"
},
{
"name": "HPSBGN03569",
"tags": [
"vendor-advisory",
"x_refsource_HP",
"x_transferred"
],
"url": "http://marc.info/?l=bugtraq\u0026m=145983526810210\u0026w=2"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05158380"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05150736"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05126404"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://openssl.org/news/secadv/20160301.txt"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05086877"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390722"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20160321-0001/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05141441"
},
{
"name": "RHSA-2016:0996",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2016-0996.html"
},
{
"name": "84169",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/84169"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbhf03741en_us"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://git.openssl.org/?p=openssl.git%3Ba=commit%3Bh=578b956fe741bf8e84055547b1e83c28dd902c73"
},
{
"name": "RHSA-2016:2957",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2016-2957.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05068681"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05150800"
},
{
"name": "RHSA-2016:0722",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2016-0722.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2016-03-01T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The doapr_outch function in crypto/bio/b_print.c in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g does not verify that a certain memory allocation succeeds, which allows remote attackers to cause a denial of service (out-of-bounds write or memory consumption) or possibly have unspecified other impact via a long string, as demonstrated by a large amount of ASN.1 data, a different vulnerability than CVE-2016-0799."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-01-04T19:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05131085"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05157667"
},
{
"name": "RHSA-2016:2073",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2016-2073.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10152"
},
{
"name": "HPSBMU03575",
"tags": [
"vendor-advisory",
"x_refsource_HP"
],
"url": "http://marc.info/?l=bugtraq\u0026m=146108058503441\u0026w=2"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05111017"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05376917"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05150888"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05135617"
},
{
"name": "HPSBGN03569",
"tags": [
"vendor-advisory",
"x_refsource_HP"
],
"url": "http://marc.info/?l=bugtraq\u0026m=145983526810210\u0026w=2"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05158380"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05150736"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05126404"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://openssl.org/news/secadv/20160301.txt"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05086877"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390722"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20160321-0001/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05141441"
},
{
"name": "RHSA-2016:0996",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2016-0996.html"
},
{
"name": "84169",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/84169"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbhf03741en_us"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://git.openssl.org/?p=openssl.git%3Ba=commit%3Bh=578b956fe741bf8e84055547b1e83c28dd902c73"
},
{
"name": "RHSA-2016:2957",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2016-2957.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05068681"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05150800"
},
{
"name": "RHSA-2016:0722",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2016-0722.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2016-2842",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The doapr_outch function in crypto/bio/b_print.c in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g does not verify that a certain memory allocation succeeds, which allows remote attackers to cause a denial of service (out-of-bounds write or memory consumption) or possibly have unspecified other impact via a long string, as demonstrated by a large amount of ASN.1 data, a different vulnerability than CVE-2016-0799."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05131085",
"refsource": "CONFIRM",
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05131085"
},
{
"name": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05157667",
"refsource": "CONFIRM",
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05157667"
},
{
"name": "RHSA-2016:2073",
"refsource": "REDHAT",
"url": "http://rhn.redhat.com/errata/RHSA-2016-2073.html"
},
{
"name": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10152",
"refsource": "CONFIRM",
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10152"
},
{
"name": "HPSBMU03575",
"refsource": "HP",
"url": "http://marc.info/?l=bugtraq\u0026m=146108058503441\u0026w=2"
},
{
"name": "http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html",
"refsource": "CONFIRM",
"url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html"
},
{
"name": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05111017",
"refsource": "CONFIRM",
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05111017"
},
{
"name": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05376917",
"refsource": "CONFIRM",
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05376917"
},
{
"name": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05150888",
"refsource": "CONFIRM",
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05150888"
},
{
"name": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05135617",
"refsource": "CONFIRM",
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05135617"
},
{
"name": "HPSBGN03569",
"refsource": "HP",
"url": "http://marc.info/?l=bugtraq\u0026m=145983526810210\u0026w=2"
},
{
"name": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05158380",
"refsource": "CONFIRM",
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05158380"
},
{
"name": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05150736",
"refsource": "CONFIRM",
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05150736"
},
{
"name": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05126404",
"refsource": "CONFIRM",
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05126404"
},
{
"name": "http://openssl.org/news/secadv/20160301.txt",
"refsource": "CONFIRM",
"url": "http://openssl.org/news/secadv/20160301.txt"
},
{
"name": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05086877",
"refsource": "CONFIRM",
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05086877"
},
{
"name": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390722",
"refsource": "CONFIRM",
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390722"
},
{
"name": "https://security.netapp.com/advisory/ntap-20160321-0001/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20160321-0001/"
},
{
"name": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05141441",
"refsource": "CONFIRM",
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05141441"
},
{
"name": "RHSA-2016:0996",
"refsource": "REDHAT",
"url": "http://rhn.redhat.com/errata/RHSA-2016-0996.html"
},
{
"name": "84169",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/84169"
},
{
"name": "https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbhf03741en_us",
"refsource": "CONFIRM",
"url": "https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbhf03741en_us"
},
{
"name": "https://git.openssl.org/?p=openssl.git;a=commit;h=578b956fe741bf8e84055547b1e83c28dd902c73",
"refsource": "CONFIRM",
"url": "https://git.openssl.org/?p=openssl.git;a=commit;h=578b956fe741bf8e84055547b1e83c28dd902c73"
},
{
"name": "RHSA-2016:2957",
"refsource": "REDHAT",
"url": "http://rhn.redhat.com/errata/RHSA-2016-2957.html"
},
{
"name": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05068681",
"refsource": "CONFIRM",
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05068681"
},
{
"name": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05150800",
"refsource": "CONFIRM",
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05150800"
},
{
"name": "RHSA-2016:0722",
"refsource": "REDHAT",
"url": "http://rhn.redhat.com/errata/RHSA-2016-0722.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2016-2842",
"datePublished": "2016-03-03T20:00:00",
"dateReserved": "2016-03-03T00:00:00",
"dateUpdated": "2024-08-05T23:32:21.333Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-46908 (GCVE-0-2022-46908)
Vulnerability from cvelistv5
Published
2022-12-12 00:00
Modified
2025-05-05 16:11
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
SQLite through 3.40.0, when relying on --safe for execution of an untrusted CLI script, does not properly implement the azProhibitedFunctions protection mechanism, and instead allows UDF functions such as WRITEFILE.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T14:47:27.711Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://news.ycombinator.com/item?id=33948588"
},
{
"tags": [
"x_transferred"
],
"url": "https://sqlite.org/forum/forumpost/07beac8056151b2f"
},
{
"tags": [
"x_transferred"
],
"url": "https://sqlite.org/src/info/cefc032473ac5ad2"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20230203-0005/"
},
{
"name": "GLSA-202311-03",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202311-03"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-46908",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T13:29:30.268008Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "NVD-CWE-Other",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-05T16:11:57.403Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SQLite through 3.40.0, when relying on --safe for execution of an untrusted CLI script, does not properly implement the azProhibitedFunctions protection mechanism, and instead allows UDF functions such as WRITEFILE."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-24T14:06:18.728Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://news.ycombinator.com/item?id=33948588"
},
{
"url": "https://sqlite.org/forum/forumpost/07beac8056151b2f"
},
{
"url": "https://sqlite.org/src/info/cefc032473ac5ad2"
},
{
"url": "https://security.netapp.com/advisory/ntap-20230203-0005/"
},
{
"name": "GLSA-202311-03",
"tags": [
"vendor-advisory"
],
"url": "https://security.gentoo.org/glsa/202311-03"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-46908",
"datePublished": "2022-12-12T00:00:00.000Z",
"dateReserved": "2022-12-12T00:00:00.000Z",
"dateUpdated": "2025-05-05T16:11:57.403Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-20444 (GCVE-0-2019-20444)
Vulnerability from cvelistv5
Published
2020-01-29 20:33
Modified
2025-07-01 18:01
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax, or might be interpreted as an "invalid fold."
References
| ► | URL | Tags | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T02:39:10.018Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/netty/netty/issues/9866"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/netty/netty/compare/netty-4.1.43.Final...netty-4.1.44.Final"
},
{
"name": "[druid-commits] 20200131 [GitHub] [druid] ccaominh commented on a change in pull request #9300: Fix / suppress netty CVEs CVE-2019-20445 and CVE-2019-20444",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/re45ee9256d3233c31d78e59ee59c7dc841c7fbd83d0769285b41e948%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20200131 [GitHub] [druid] zachjsh opened a new pull request #9300: Fix / suppress netty CVEs CVE-2019-20445 and CVE-2019-20444",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r70b1ff22ee80e8101805b9a473116dd33265709007d2deb6f8c80bf2%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20200131 [GitHub] [druid] gianm merged pull request #9300: Fix / suppress netty CVEs CVE-2019-20445 and CVE-2019-20444",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rff210a24f3a924829790e69eaefa84820902b7b31f17c3bf2def9114%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20200203 [jira] [Created] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/ra9fbfe7d4830ae675bf34c7c0f8c22fc8a4099f65706c1bc4f54c593%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-dev] 20200203 [jira] [Created] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r96e08f929234e8ba1ef4a93a0fd2870f535a1f9ab628fabc46115986%40%3Cdev.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20200203 [jira] [Assigned] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r804895eedd72c9ec67898286eb185e04df852b0dd5fe53cf5b6138f9%40%3Cissues.zookeeper.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rce71d33747010d32d31d90f5d737dae26291d96552f513a266c92fbb%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rfb55f245b08d8a6ec0fb4dc159022227cd22de34c4419c2fbb18802b%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20200203 [jira] [Updated] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/ra2ace4bcb5cf487f72cbcbfa0f8cc08e755ec2b93d7e69f276148b08%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20200203 [jira] [Commented] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r36fcf538b28f2029e8b4f6b9a772f3b107913a78f09b095c5b153a62%40%3Cissues.zookeeper.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r91e0fa345c86c128b75a4a791b4b503b53173ff4c13049ac7129d319%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r310d2ce22304d5298ff87f10134f918c87919b452734f9841d95682d%40%3Ccommits.zookeeper.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r9b20cdac704cf9a583400350e2d5b576fa8417c18ddb961201676c60%40%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20200204 [jira] [Resolved] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r640eb9b3213058a963e18291f903fc1584e577f60035f941e32f760a%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-dev] 20200204 Build failed in Jenkins: zookeeper-branch36-java8 #38",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r059b042bca47be53ff8a51fd04d95eb01bb683f1afa209db136e8cb7%40%3Cdev.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-dev] 20200204 Build failed in Jenkins: zookeeper-branch36-java11 #39",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r489886fe72a98768eed665474cba13bad8d6fe0654f24987706636c5%40%3Cdev.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-dev] 20200204 Build failed in Jenkins: zookeeper-master-maven-jdk11 #361",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r34912a9b1a5c269a77b8be94ef6fb6d1e9b3c69129719dc00f01cf0b%40%3Cdev.zookeeper.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r0f5e72d5f69b4720dfe64fcbc2da9afae949ed1e9cbffa84bb7d92d7%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20200209 [jira] [Updated] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r1fcccf8bdb3531c28bc9aa605a6a1bea7e68cef6fc12e01faafb2fb5%40%3Cissues.zookeeper.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r819aaeb9944bdcfca438dcc51f05650dc728daf64dfd7d774fc2499b%40%3Ccommits.zookeeper.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rb84c57670ec48ef23f4d07973b7fa69f629b8e7fcfb48874362feb6f%40%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20200209 [jira] [Commented] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r6945f3c346b7af89bbd3526a7c9b705b1e3569070ebcd0964bcedd7d%40%3Cissues.zookeeper.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r4c675b2d0cc2a5e506b11ee10d60a378859ee340aca052e4c7ef4749%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "RHSA-2020:0497",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2020:0497"
},
{
"name": "[cassandra-commits] 20200218 [jira] [Created] (CASSANDRA-15590) Upgrade io.netty_netty-all dependency to fix security vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r959474dcf7f88565ed89f6252ca5a274419006cb71348f14764b183d%40%3Ccommits.cassandra.apache.org%3E"
},
{
"name": "[hadoop-common-issues] 20200219 [jira] [Updated] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rc7eb5634b71d284483e58665b22bf274a69bd184d9bd7ede52015d91%40%3Ccommon-issues.hadoop.apache.org%3E"
},
{
"name": "[hadoop-common-issues] 20200219 [jira] [Updated] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r90030b0117490caed526e57271bf4d7f9b012091ac5083c895d16543%40%3Ccommon-issues.hadoop.apache.org%3E"
},
{
"name": "[hadoop-common-issues] 20200219 [jira] [Assigned] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/re0b78a3d0a4ba2cf9f4e14e1d05040bde9051d5c78071177186336c9%40%3Ccommon-issues.hadoop.apache.org%3E"
},
{
"name": "[debian-lts-announce] 20200219 [SECURITY] [DLA 2109-1] netty security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/02/msg00017.html"
},
{
"name": "[debian-lts-announce] 20200219 [SECURITY] [DLA 2110-1] netty-3.9 security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/02/msg00018.html"
},
{
"name": "[hadoop-common-issues] 20200224 [jira] [Commented] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/re78eaef7d01ad65c370df30e45c686fffff00b37f7bfd78b26a08762%40%3Ccommon-issues.hadoop.apache.org%3E"
},
{
"name": "[hadoop-common-issues] 20200225 [jira] [Commented] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r0c3d49bfdbc62fd3915676433cc5899c5506d06da1c552ef1b7923a5%40%3Ccommon-issues.hadoop.apache.org%3E"
},
{
"name": "RHSA-2020:0601",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2020:0601"
},
{
"name": "RHSA-2020:0606",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2020:0606"
},
{
"name": "RHSA-2020:0605",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2020:0605"
},
{
"name": "RHSA-2020:0567",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2020:0567"
},
{
"name": "[hadoop-common-issues] 20200309 [jira] [Updated] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rf2bf8e2eb0a03227f5bc100b544113f8cafea01e887bb068e8d1fa41%40%3Ccommon-issues.hadoop.apache.org%3E"
},
{
"name": "[hadoop-common-issues] 20200309 [jira] [Commented] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rb3361f6c6a5f834ad3db5e998c352760d393c0891b8d3bea90baa836%40%3Ccommon-issues.hadoop.apache.org%3E"
},
{
"name": "[hadoop-common-commits] 20200309 [hadoop] branch trunk updated: HADOOP-16871. Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444, CVE-2019-16869",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r86befa74c5cd1482c711134104aec339bf7ae879f2c4437d7ec477d4%40%3Ccommon-commits.hadoop.apache.org%3E"
},
{
"name": "[hadoop-common-commits] 20200309 [hadoop] branch branch-3.2 updated: HADOOP-16871. Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444, CVE-2019-16869",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rdd5d243a5f8ed8b83c0104e321aa420e5e98792a95749e3c9a54c0b9%40%3Ccommon-commits.hadoop.apache.org%3E"
},
{
"name": "[hadoop-common-commits] 20200309 [hadoop] branch branch-3.1 updated: HADOOP-16871. Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444, CVE-2019-16869",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rcb2c59428f34d4757702f9ae739a8795bda7bea97b857e708a9c62c6%40%3Ccommon-commits.hadoop.apache.org%3E"
},
{
"name": "[hadoop-common-issues] 20200310 [jira] [Commented] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r8402d67fdfe9cf169f859d52a7670b28a08eff31e54b522cc1432532%40%3Ccommon-issues.hadoop.apache.org%3E"
},
{
"name": "RHSA-2020:0806",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2020:0806"
},
{
"name": "RHSA-2020:0811",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2020:0811"
},
{
"name": "RHSA-2020:0804",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2020:0804"
},
{
"name": "RHSA-2020:0805",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2020:0805"
},
{
"name": "[geode-dev] 20200408 Proposal to bring GEODE-7969 to support/1.12",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r205937c85817a911b0c72655c2377e7a2c9322d6ef6ce1b118d34d8d%40%3Cdev.geode.apache.org%3E"
},
{
"name": "[geode-dev] 20200408 Re: Proposal to bring GEODE-7969 to support/1.12",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/ra1a71b576a45426af5ee65255be9596ff3181a342f4ba73b800db78f%40%3Cdev.geode.apache.org%3E"
},
{
"name": "[cassandra-commits] 20200604 [jira] [Created] (CASSANDRA-15856) Security vulnerabilities with dependency jars of Cassandra 3.11.6",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r4d3f1d3e333d9c2b2f6e6ae8ed8750d4de03410ac294bcd12c7eefa3%40%3Ccommits.cassandra.apache.org%3E"
},
{
"name": "[bookkeeper-issues] 20200729 [GitHub] [bookkeeper] padma81 opened a new issue #2387: Security vulnerabilities in the apache/bookkeeper-4.9.2 image",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0%40%3Cissues.bookkeeper.apache.org%3E"
},
{
"name": "[debian-lts-announce] 20200904 [SECURITY] [DLA 2365-1] netty-3.9 security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/09/msg00004.html"
},
{
"name": "[debian-lts-announce] 20200904 [SECURITY] [DLA 2364-1] netty security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/09/msg00003.html"
},
{
"name": "[flink-issues] 20200910 [jira] [Created] (FLINK-19195) question on security vulnerabilities in flink",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/raaac04b7567c554786132144bea3dcb72568edd410c1e6f0101742e7%40%3Cissues.flink.apache.org%3E"
},
{
"name": "[flink-dev] 20200910 [jira] [Created] (FLINK-19195) question on security vulnerabilities in flink",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rf5b2dfb7401666a19915f8eaef3ba9f5c3386e2066fcd2ae66e16a2f%40%3Cdev.flink.apache.org%3E"
},
{
"name": "USN-4532-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "https://usn.ubuntu.com/4532-1/"
},
{
"name": "FEDORA-2020-66b5f85ccc",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TS6VX7OMXPDJIU5LRGUAHRK6MENAVJ46/"
},
{
"name": "[camel-commits] 20201120 [camel] branch camel-2.25.x updated: Updating Netty to 4.1.48.Final to fix some CVEs (e.g. CVE-2019-16869, CVE-2019-20444)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r0aa8b28e76ec01c697b15e161e6797e88fc8d406ed762e253401106e%40%3Ccommits.camel.apache.org%3E"
},
{
"name": "[pulsar-commits] 20201215 [GitHub] [pulsar] yanshuchong opened a new issue #8967: CVSS issue list",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26%40%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[pulsar-commits] 20210120 [GitHub] [pulsar] fmiguelez opened a new issue #9249: Upgrade Netty dependency in broker to solve vulnerabilities: CVE-2019-16869, CVE-2020-11612, CVE-2019-20445, CVE-2019-20444",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r832724df393a7ef25ca4c7c2eb83ad2d6c21c74569acda5233f9f1ec%40%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[pulsar-commits] 20210121 [GitHub] [pulsar] hpvd commented on issue #9249: Upgrade Netty dependency in broker to solve vulnerabilities: CVE-2019-16869, CVE-2020-11612, CVE-2019-20445, CVE-2019-20444",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r7790b9d99696d9eddce8a8c96f13bb68460984294ea6fea3800143e4%40%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[pulsar-commits] 20210122 [GitHub] [pulsar] hpvd commented on issue #9249: Upgrade Netty dependency in broker to solve vulnerabilities: CVE-2019-16869, CVE-2020-11612, CVE-2019-20445, CVE-2019-20444",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rdb69125652311d0c41f6066ff44072a3642cf33a4b5e3c4f9c1ec9c2%40%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "DSA-4885",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2021/dsa-4885"
},
{
"name": "[flink-issues] 20210426 [jira] [Commented] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rd8f72411fb75b98d366400ae789966373b5c3eb3f511e717caf3e49e%40%3Cissues.flink.apache.org%3E"
},
{
"name": "[spark-issues] 20210824 [jira] [Created] (SPARK-36572) Upgrade version of io.netty to 4.1.44.Final to solve CVE-2019-20444 and CVE-2019-20445",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r2f2989b7815d809ff3fda8ce330f553e5f133505afd04ffbc135f35f%40%3Cissues.spark.apache.org%3E"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax, or might be interpreted as an \"invalid fold.\""
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-01T18:01:08.474Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/netty/netty/issues/9866"
},
{
"url": "https://github.com/netty/netty/compare/netty-4.1.43.Final...netty-4.1.44.Final"
},
{
"name": "[druid-commits] 20200131 [GitHub] [druid] ccaominh commented on a change in pull request #9300: Fix / suppress netty CVEs CVE-2019-20445 and CVE-2019-20444",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/re45ee9256d3233c31d78e59ee59c7dc841c7fbd83d0769285b41e948@%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20200131 [GitHub] [druid] zachjsh opened a new pull request #9300: Fix / suppress netty CVEs CVE-2019-20445 and CVE-2019-20444",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r70b1ff22ee80e8101805b9a473116dd33265709007d2deb6f8c80bf2@%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20200131 [GitHub] [druid] gianm merged pull request #9300: Fix / suppress netty CVEs CVE-2019-20445 and CVE-2019-20444",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/rff210a24f3a924829790e69eaefa84820902b7b31f17c3bf2def9114@%3Ccommits.druid.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20200203 [jira] [Created] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/ra9fbfe7d4830ae675bf34c7c0f8c22fc8a4099f65706c1bc4f54c593@%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-dev] 20200203 [jira] [Created] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r96e08f929234e8ba1ef4a93a0fd2870f535a1f9ab628fabc46115986@%3Cdev.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20200203 [jira] [Assigned] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r804895eedd72c9ec67898286eb185e04df852b0dd5fe53cf5b6138f9@%3Cissues.zookeeper.apache.org%3E"
},
{
"url": "https://lists.apache.org/thread.html/rce71d33747010d32d31d90f5d737dae26291d96552f513a266c92fbb@%3Cnotifications.zookeeper.apache.org%3E"
},
{
"url": "https://lists.apache.org/thread.html/rfb55f245b08d8a6ec0fb4dc159022227cd22de34c4419c2fbb18802b@%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20200203 [jira] [Updated] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/ra2ace4bcb5cf487f72cbcbfa0f8cc08e755ec2b93d7e69f276148b08@%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20200203 [jira] [Commented] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r36fcf538b28f2029e8b4f6b9a772f3b107913a78f09b095c5b153a62@%3Cissues.zookeeper.apache.org%3E"
},
{
"url": "https://lists.apache.org/thread.html/r91e0fa345c86c128b75a4a791b4b503b53173ff4c13049ac7129d319@%3Cnotifications.zookeeper.apache.org%3E"
},
{
"url": "https://lists.apache.org/thread.html/r310d2ce22304d5298ff87f10134f918c87919b452734f9841d95682d@%3Ccommits.zookeeper.apache.org%3E"
},
{
"url": "https://lists.apache.org/thread.html/r9b20cdac704cf9a583400350e2d5b576fa8417c18ddb961201676c60@%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20200204 [jira] [Resolved] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r640eb9b3213058a963e18291f903fc1584e577f60035f941e32f760a@%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-dev] 20200204 Build failed in Jenkins: zookeeper-branch36-java8 #38",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r059b042bca47be53ff8a51fd04d95eb01bb683f1afa209db136e8cb7@%3Cdev.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-dev] 20200204 Build failed in Jenkins: zookeeper-branch36-java11 #39",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r489886fe72a98768eed665474cba13bad8d6fe0654f24987706636c5@%3Cdev.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-dev] 20200204 Build failed in Jenkins: zookeeper-master-maven-jdk11 #361",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r34912a9b1a5c269a77b8be94ef6fb6d1e9b3c69129719dc00f01cf0b@%3Cdev.zookeeper.apache.org%3E"
},
{
"url": "https://lists.apache.org/thread.html/r0f5e72d5f69b4720dfe64fcbc2da9afae949ed1e9cbffa84bb7d92d7@%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20200209 [jira] [Updated] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r1fcccf8bdb3531c28bc9aa605a6a1bea7e68cef6fc12e01faafb2fb5@%3Cissues.zookeeper.apache.org%3E"
},
{
"url": "https://lists.apache.org/thread.html/r819aaeb9944bdcfca438dcc51f05650dc728daf64dfd7d774fc2499b@%3Ccommits.zookeeper.apache.org%3E"
},
{
"url": "https://lists.apache.org/thread.html/rb84c57670ec48ef23f4d07973b7fa69f629b8e7fcfb48874362feb6f@%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20200209 [jira] [Commented] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r6945f3c346b7af89bbd3526a7c9b705b1e3569070ebcd0964bcedd7d@%3Cissues.zookeeper.apache.org%3E"
},
{
"url": "https://lists.apache.org/thread.html/r4c675b2d0cc2a5e506b11ee10d60a378859ee340aca052e4c7ef4749@%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "RHSA-2020:0497",
"tags": [
"vendor-advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2020:0497"
},
{
"name": "[cassandra-commits] 20200218 [jira] [Created] (CASSANDRA-15590) Upgrade io.netty_netty-all dependency to fix security vulnerabilities",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r959474dcf7f88565ed89f6252ca5a274419006cb71348f14764b183d@%3Ccommits.cassandra.apache.org%3E"
},
{
"name": "[hadoop-common-issues] 20200219 [jira] [Updated] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/rc7eb5634b71d284483e58665b22bf274a69bd184d9bd7ede52015d91@%3Ccommon-issues.hadoop.apache.org%3E"
},
{
"name": "[hadoop-common-issues] 20200219 [jira] [Updated] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r90030b0117490caed526e57271bf4d7f9b012091ac5083c895d16543@%3Ccommon-issues.hadoop.apache.org%3E"
},
{
"name": "[hadoop-common-issues] 20200219 [jira] [Assigned] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/re0b78a3d0a4ba2cf9f4e14e1d05040bde9051d5c78071177186336c9@%3Ccommon-issues.hadoop.apache.org%3E"
},
{
"name": "[debian-lts-announce] 20200219 [SECURITY] [DLA 2109-1] netty security update",
"tags": [
"mailing-list"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/02/msg00017.html"
},
{
"name": "[debian-lts-announce] 20200219 [SECURITY] [DLA 2110-1] netty-3.9 security update",
"tags": [
"mailing-list"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/02/msg00018.html"
},
{
"name": "[hadoop-common-issues] 20200224 [jira] [Commented] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/re78eaef7d01ad65c370df30e45c686fffff00b37f7bfd78b26a08762@%3Ccommon-issues.hadoop.apache.org%3E"
},
{
"name": "[hadoop-common-issues] 20200225 [jira] [Commented] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r0c3d49bfdbc62fd3915676433cc5899c5506d06da1c552ef1b7923a5@%3Ccommon-issues.hadoop.apache.org%3E"
},
{
"name": "RHSA-2020:0601",
"tags": [
"vendor-advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2020:0601"
},
{
"name": "RHSA-2020:0606",
"tags": [
"vendor-advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2020:0606"
},
{
"name": "RHSA-2020:0605",
"tags": [
"vendor-advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2020:0605"
},
{
"name": "RHSA-2020:0567",
"tags": [
"vendor-advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2020:0567"
},
{
"name": "[hadoop-common-issues] 20200309 [jira] [Updated] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/rf2bf8e2eb0a03227f5bc100b544113f8cafea01e887bb068e8d1fa41@%3Ccommon-issues.hadoop.apache.org%3E"
},
{
"name": "[hadoop-common-issues] 20200309 [jira] [Commented] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/rb3361f6c6a5f834ad3db5e998c352760d393c0891b8d3bea90baa836@%3Ccommon-issues.hadoop.apache.org%3E"
},
{
"name": "[hadoop-common-commits] 20200309 [hadoop] branch trunk updated: HADOOP-16871. Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444, CVE-2019-16869",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r86befa74c5cd1482c711134104aec339bf7ae879f2c4437d7ec477d4@%3Ccommon-commits.hadoop.apache.org%3E"
},
{
"name": "[hadoop-common-commits] 20200309 [hadoop] branch branch-3.2 updated: HADOOP-16871. Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444, CVE-2019-16869",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/rdd5d243a5f8ed8b83c0104e321aa420e5e98792a95749e3c9a54c0b9@%3Ccommon-commits.hadoop.apache.org%3E"
},
{
"name": "[hadoop-common-commits] 20200309 [hadoop] branch branch-3.1 updated: HADOOP-16871. Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444, CVE-2019-16869",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/rcb2c59428f34d4757702f9ae739a8795bda7bea97b857e708a9c62c6@%3Ccommon-commits.hadoop.apache.org%3E"
},
{
"name": "[hadoop-common-issues] 20200310 [jira] [Commented] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r8402d67fdfe9cf169f859d52a7670b28a08eff31e54b522cc1432532@%3Ccommon-issues.hadoop.apache.org%3E"
},
{
"name": "RHSA-2020:0806",
"tags": [
"vendor-advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2020:0806"
},
{
"name": "RHSA-2020:0811",
"tags": [
"vendor-advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2020:0811"
},
{
"name": "RHSA-2020:0804",
"tags": [
"vendor-advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2020:0804"
},
{
"name": "RHSA-2020:0805",
"tags": [
"vendor-advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2020:0805"
},
{
"name": "[geode-dev] 20200408 Proposal to bring GEODE-7969 to support/1.12",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r205937c85817a911b0c72655c2377e7a2c9322d6ef6ce1b118d34d8d@%3Cdev.geode.apache.org%3E"
},
{
"name": "[geode-dev] 20200408 Re: Proposal to bring GEODE-7969 to support/1.12",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/ra1a71b576a45426af5ee65255be9596ff3181a342f4ba73b800db78f@%3Cdev.geode.apache.org%3E"
},
{
"name": "[cassandra-commits] 20200604 [jira] [Created] (CASSANDRA-15856) Security vulnerabilities with dependency jars of Cassandra 3.11.6",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r4d3f1d3e333d9c2b2f6e6ae8ed8750d4de03410ac294bcd12c7eefa3@%3Ccommits.cassandra.apache.org%3E"
},
{
"name": "[bookkeeper-issues] 20200729 [GitHub] [bookkeeper] padma81 opened a new issue #2387: Security vulnerabilities in the apache/bookkeeper-4.9.2 image",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E"
},
{
"name": "[debian-lts-announce] 20200904 [SECURITY] [DLA 2365-1] netty-3.9 security update",
"tags": [
"mailing-list"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/09/msg00004.html"
},
{
"name": "[debian-lts-announce] 20200904 [SECURITY] [DLA 2364-1] netty security update",
"tags": [
"mailing-list"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/09/msg00003.html"
},
{
"name": "[flink-issues] 20200910 [jira] [Created] (FLINK-19195) question on security vulnerabilities in flink",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/raaac04b7567c554786132144bea3dcb72568edd410c1e6f0101742e7@%3Cissues.flink.apache.org%3E"
},
{
"name": "[flink-dev] 20200910 [jira] [Created] (FLINK-19195) question on security vulnerabilities in flink",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/rf5b2dfb7401666a19915f8eaef3ba9f5c3386e2066fcd2ae66e16a2f@%3Cdev.flink.apache.org%3E"
},
{
"name": "USN-4532-1",
"tags": [
"vendor-advisory"
],
"url": "https://usn.ubuntu.com/4532-1/"
},
{
"name": "FEDORA-2020-66b5f85ccc",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TS6VX7OMXPDJIU5LRGUAHRK6MENAVJ46/"
},
{
"name": "[camel-commits] 20201120 [camel] branch camel-2.25.x updated: Updating Netty to 4.1.48.Final to fix some CVEs (e.g. CVE-2019-16869, CVE-2019-20444)",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r0aa8b28e76ec01c697b15e161e6797e88fc8d406ed762e253401106e@%3Ccommits.camel.apache.org%3E"
},
{
"name": "[pulsar-commits] 20201215 [GitHub] [pulsar] yanshuchong opened a new issue #8967: CVSS issue list",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26@%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[pulsar-commits] 20210120 [GitHub] [pulsar] fmiguelez opened a new issue #9249: Upgrade Netty dependency in broker to solve vulnerabilities: CVE-2019-16869, CVE-2020-11612, CVE-2019-20445, CVE-2019-20444",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r832724df393a7ef25ca4c7c2eb83ad2d6c21c74569acda5233f9f1ec@%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[pulsar-commits] 20210121 [GitHub] [pulsar] hpvd commented on issue #9249: Upgrade Netty dependency in broker to solve vulnerabilities: CVE-2019-16869, CVE-2020-11612, CVE-2019-20445, CVE-2019-20444",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r7790b9d99696d9eddce8a8c96f13bb68460984294ea6fea3800143e4@%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[pulsar-commits] 20210122 [GitHub] [pulsar] hpvd commented on issue #9249: Upgrade Netty dependency in broker to solve vulnerabilities: CVE-2019-16869, CVE-2020-11612, CVE-2019-20445, CVE-2019-20444",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/rdb69125652311d0c41f6066ff44072a3642cf33a4b5e3c4f9c1ec9c2@%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "DSA-4885",
"tags": [
"vendor-advisory"
],
"url": "https://www.debian.org/security/2021/dsa-4885"
},
{
"name": "[flink-issues] 20210426 [jira] [Commented] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/rd8f72411fb75b98d366400ae789966373b5c3eb3f511e717caf3e49e@%3Cissues.flink.apache.org%3E"
},
{
"name": "[spark-issues] 20210824 [jira] [Created] (SPARK-36572) Upgrade version of io.netty to 4.1.44.Final to solve CVE-2019-20444 and CVE-2019-20445",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r2f2989b7815d809ff3fda8ce330f553e5f133505afd04ffbc135f35f@%3Cissues.spark.apache.org%3E"
},
{
"url": "https://github.com/poc-effectiveness/PoCAdaptation/tree/main/Adapted/CVE-2019-20444/5.0.0.Alpha1/exploit"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-20444",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax, or might be interpreted as an \"invalid fold.\""
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/netty/netty/issues/9866",
"refsource": "MISC",
"url": "https://github.com/netty/netty/issues/9866"
},
{
"name": "https://github.com/netty/netty/compare/netty-4.1.43.Final...netty-4.1.44.Final",
"refsource": "MISC",
"url": "https://github.com/netty/netty/compare/netty-4.1.43.Final...netty-4.1.44.Final"
},
{
"name": "[druid-commits] 20200131 [GitHub] [druid] ccaominh commented on a change in pull request #9300: Fix / suppress netty CVEs CVE-2019-20445 and CVE-2019-20444",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/re45ee9256d3233c31d78e59ee59c7dc841c7fbd83d0769285b41e948@%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20200131 [GitHub] [druid] zachjsh opened a new pull request #9300: Fix / suppress netty CVEs CVE-2019-20445 and CVE-2019-20444",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r70b1ff22ee80e8101805b9a473116dd33265709007d2deb6f8c80bf2@%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20200131 [GitHub] [druid] gianm merged pull request #9300: Fix / suppress netty CVEs CVE-2019-20445 and CVE-2019-20444",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rff210a24f3a924829790e69eaefa84820902b7b31f17c3bf2def9114@%3Ccommits.druid.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20200203 [jira] [Created] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/ra9fbfe7d4830ae675bf34c7c0f8c22fc8a4099f65706c1bc4f54c593@%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-dev] 20200203 [jira] [Created] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r96e08f929234e8ba1ef4a93a0fd2870f535a1f9ab628fabc46115986@%3Cdev.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20200203 [jira] [Assigned] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r804895eedd72c9ec67898286eb185e04df852b0dd5fe53cf5b6138f9@%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/rce71d33747010d32d31d90f5d737dae26291d96552f513a266c92fbb@%3Cnotifications.zookeeper.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/rce71d33747010d32d31d90f5d737dae26291d96552f513a266c92fbb@%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/rfb55f245b08d8a6ec0fb4dc159022227cd22de34c4419c2fbb18802b@%3Cnotifications.zookeeper.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/rfb55f245b08d8a6ec0fb4dc159022227cd22de34c4419c2fbb18802b@%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20200203 [jira] [Updated] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/ra2ace4bcb5cf487f72cbcbfa0f8cc08e755ec2b93d7e69f276148b08@%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20200203 [jira] [Commented] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r36fcf538b28f2029e8b4f6b9a772f3b107913a78f09b095c5b153a62@%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/r91e0fa345c86c128b75a4a791b4b503b53173ff4c13049ac7129d319@%3Cnotifications.zookeeper.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/r91e0fa345c86c128b75a4a791b4b503b53173ff4c13049ac7129d319@%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/r310d2ce22304d5298ff87f10134f918c87919b452734f9841d95682d@%3Ccommits.zookeeper.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/r310d2ce22304d5298ff87f10134f918c87919b452734f9841d95682d@%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/r9b20cdac704cf9a583400350e2d5b576fa8417c18ddb961201676c60@%3Ccommits.zookeeper.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/r9b20cdac704cf9a583400350e2d5b576fa8417c18ddb961201676c60@%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20200204 [jira] [Resolved] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r640eb9b3213058a963e18291f903fc1584e577f60035f941e32f760a@%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-dev] 20200204 Build failed in Jenkins: zookeeper-branch36-java8 #38",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r059b042bca47be53ff8a51fd04d95eb01bb683f1afa209db136e8cb7@%3Cdev.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-dev] 20200204 Build failed in Jenkins: zookeeper-branch36-java11 #39",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r489886fe72a98768eed665474cba13bad8d6fe0654f24987706636c5@%3Cdev.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-dev] 20200204 Build failed in Jenkins: zookeeper-master-maven-jdk11 #361",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r34912a9b1a5c269a77b8be94ef6fb6d1e9b3c69129719dc00f01cf0b@%3Cdev.zookeeper.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/r0f5e72d5f69b4720dfe64fcbc2da9afae949ed1e9cbffa84bb7d92d7@%3Cnotifications.zookeeper.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/r0f5e72d5f69b4720dfe64fcbc2da9afae949ed1e9cbffa84bb7d92d7@%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20200209 [jira] [Updated] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r1fcccf8bdb3531c28bc9aa605a6a1bea7e68cef6fc12e01faafb2fb5@%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/r819aaeb9944bdcfca438dcc51f05650dc728daf64dfd7d774fc2499b@%3Ccommits.zookeeper.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/r819aaeb9944bdcfca438dcc51f05650dc728daf64dfd7d774fc2499b@%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/rb84c57670ec48ef23f4d07973b7fa69f629b8e7fcfb48874362feb6f@%3Ccommits.zookeeper.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/rb84c57670ec48ef23f4d07973b7fa69f629b8e7fcfb48874362feb6f@%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20200209 [jira] [Commented] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r6945f3c346b7af89bbd3526a7c9b705b1e3569070ebcd0964bcedd7d@%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/r4c675b2d0cc2a5e506b11ee10d60a378859ee340aca052e4c7ef4749@%3Cnotifications.zookeeper.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/r4c675b2d0cc2a5e506b11ee10d60a378859ee340aca052e4c7ef4749@%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "RHSA-2020:0497",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2020:0497"
},
{
"name": "[cassandra-commits] 20200218 [jira] [Created] (CASSANDRA-15590) Upgrade io.netty_netty-all dependency to fix security vulnerabilities",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r959474dcf7f88565ed89f6252ca5a274419006cb71348f14764b183d@%3Ccommits.cassandra.apache.org%3E"
},
{
"name": "[hadoop-common-issues] 20200219 [jira] [Updated] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rc7eb5634b71d284483e58665b22bf274a69bd184d9bd7ede52015d91@%3Ccommon-issues.hadoop.apache.org%3E"
},
{
"name": "[hadoop-common-issues] 20200219 [jira] [Updated] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r90030b0117490caed526e57271bf4d7f9b012091ac5083c895d16543@%3Ccommon-issues.hadoop.apache.org%3E"
},
{
"name": "[hadoop-common-issues] 20200219 [jira] [Assigned] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/re0b78a3d0a4ba2cf9f4e14e1d05040bde9051d5c78071177186336c9@%3Ccommon-issues.hadoop.apache.org%3E"
},
{
"name": "[debian-lts-announce] 20200219 [SECURITY] [DLA 2109-1] netty security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2020/02/msg00017.html"
},
{
"name": "[debian-lts-announce] 20200219 [SECURITY] [DLA 2110-1] netty-3.9 security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2020/02/msg00018.html"
},
{
"name": "[hadoop-common-issues] 20200224 [jira] [Commented] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/re78eaef7d01ad65c370df30e45c686fffff00b37f7bfd78b26a08762@%3Ccommon-issues.hadoop.apache.org%3E"
},
{
"name": "[hadoop-common-issues] 20200225 [jira] [Commented] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r0c3d49bfdbc62fd3915676433cc5899c5506d06da1c552ef1b7923a5@%3Ccommon-issues.hadoop.apache.org%3E"
},
{
"name": "RHSA-2020:0601",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2020:0601"
},
{
"name": "RHSA-2020:0606",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2020:0606"
},
{
"name": "RHSA-2020:0605",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2020:0605"
},
{
"name": "RHSA-2020:0567",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2020:0567"
},
{
"name": "[hadoop-common-issues] 20200309 [jira] [Updated] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rf2bf8e2eb0a03227f5bc100b544113f8cafea01e887bb068e8d1fa41@%3Ccommon-issues.hadoop.apache.org%3E"
},
{
"name": "[hadoop-common-issues] 20200309 [jira] [Commented] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rb3361f6c6a5f834ad3db5e998c352760d393c0891b8d3bea90baa836@%3Ccommon-issues.hadoop.apache.org%3E"
},
{
"name": "[hadoop-common-commits] 20200309 [hadoop] branch trunk updated: HADOOP-16871. Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444, CVE-2019-16869",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r86befa74c5cd1482c711134104aec339bf7ae879f2c4437d7ec477d4@%3Ccommon-commits.hadoop.apache.org%3E"
},
{
"name": "[hadoop-common-commits] 20200309 [hadoop] branch branch-3.2 updated: HADOOP-16871. Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444, CVE-2019-16869",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rdd5d243a5f8ed8b83c0104e321aa420e5e98792a95749e3c9a54c0b9@%3Ccommon-commits.hadoop.apache.org%3E"
},
{
"name": "[hadoop-common-commits] 20200309 [hadoop] branch branch-3.1 updated: HADOOP-16871. Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444, CVE-2019-16869",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rcb2c59428f34d4757702f9ae739a8795bda7bea97b857e708a9c62c6@%3Ccommon-commits.hadoop.apache.org%3E"
},
{
"name": "[hadoop-common-issues] 20200310 [jira] [Commented] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r8402d67fdfe9cf169f859d52a7670b28a08eff31e54b522cc1432532@%3Ccommon-issues.hadoop.apache.org%3E"
},
{
"name": "RHSA-2020:0806",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2020:0806"
},
{
"name": "RHSA-2020:0811",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2020:0811"
},
{
"name": "RHSA-2020:0804",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2020:0804"
},
{
"name": "RHSA-2020:0805",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2020:0805"
},
{
"name": "[geode-dev] 20200408 Proposal to bring GEODE-7969 to support/1.12",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r205937c85817a911b0c72655c2377e7a2c9322d6ef6ce1b118d34d8d@%3Cdev.geode.apache.org%3E"
},
{
"name": "[geode-dev] 20200408 Re: Proposal to bring GEODE-7969 to support/1.12",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/ra1a71b576a45426af5ee65255be9596ff3181a342f4ba73b800db78f@%3Cdev.geode.apache.org%3E"
},
{
"name": "[cassandra-commits] 20200604 [jira] [Created] (CASSANDRA-15856) Security vulnerabilities with dependency jars of Cassandra 3.11.6",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r4d3f1d3e333d9c2b2f6e6ae8ed8750d4de03410ac294bcd12c7eefa3@%3Ccommits.cassandra.apache.org%3E"
},
{
"name": "[bookkeeper-issues] 20200729 [GitHub] [bookkeeper] padma81 opened a new issue #2387: Security vulnerabilities in the apache/bookkeeper-4.9.2 image",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E"
},
{
"name": "[debian-lts-announce] 20200904 [SECURITY] [DLA 2365-1] netty-3.9 security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2020/09/msg00004.html"
},
{
"name": "[debian-lts-announce] 20200904 [SECURITY] [DLA 2364-1] netty security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2020/09/msg00003.html"
},
{
"name": "[flink-issues] 20200910 [jira] [Created] (FLINK-19195) question on security vulnerabilities in flink",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/raaac04b7567c554786132144bea3dcb72568edd410c1e6f0101742e7@%3Cissues.flink.apache.org%3E"
},
{
"name": "[flink-dev] 20200910 [jira] [Created] (FLINK-19195) question on security vulnerabilities in flink",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rf5b2dfb7401666a19915f8eaef3ba9f5c3386e2066fcd2ae66e16a2f@%3Cdev.flink.apache.org%3E"
},
{
"name": "USN-4532-1",
"refsource": "UBUNTU",
"url": "https://usn.ubuntu.com/4532-1/"
},
{
"name": "FEDORA-2020-66b5f85ccc",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TS6VX7OMXPDJIU5LRGUAHRK6MENAVJ46/"
},
{
"name": "[camel-commits] 20201120 [camel] branch camel-2.25.x updated: Updating Netty to 4.1.48.Final to fix some CVEs (e.g. CVE-2019-16869, CVE-2019-20444)",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r0aa8b28e76ec01c697b15e161e6797e88fc8d406ed762e253401106e@%3Ccommits.camel.apache.org%3E"
},
{
"name": "[pulsar-commits] 20201215 [GitHub] [pulsar] yanshuchong opened a new issue #8967: CVSS issue list",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26@%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[pulsar-commits] 20210120 [GitHub] [pulsar] fmiguelez opened a new issue #9249: Upgrade Netty dependency in broker to solve vulnerabilities: CVE-2019-16869, CVE-2020-11612, CVE-2019-20445, CVE-2019-20444",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r832724df393a7ef25ca4c7c2eb83ad2d6c21c74569acda5233f9f1ec@%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[pulsar-commits] 20210121 [GitHub] [pulsar] hpvd commented on issue #9249: Upgrade Netty dependency in broker to solve vulnerabilities: CVE-2019-16869, CVE-2020-11612, CVE-2019-20445, CVE-2019-20444",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r7790b9d99696d9eddce8a8c96f13bb68460984294ea6fea3800143e4@%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[pulsar-commits] 20210122 [GitHub] [pulsar] hpvd commented on issue #9249: Upgrade Netty dependency in broker to solve vulnerabilities: CVE-2019-16869, CVE-2020-11612, CVE-2019-20445, CVE-2019-20444",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rdb69125652311d0c41f6066ff44072a3642cf33a4b5e3c4f9c1ec9c2@%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "DSA-4885",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2021/dsa-4885"
},
{
"name": "[flink-issues] 20210426 [jira] [Commented] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rd8f72411fb75b98d366400ae789966373b5c3eb3f511e717caf3e49e@%3Cissues.flink.apache.org%3E"
},
{
"name": "[spark-issues] 20210824 [jira] [Created] (SPARK-36572) Upgrade version of io.netty to 4.1.44.Final to solve CVE-2019-20444 and CVE-2019-20445",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r2f2989b7815d809ff3fda8ce330f553e5f133505afd04ffbc135f35f@%3Cissues.spark.apache.org%3E"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-20444",
"datePublished": "2020-01-29T20:33:17.000Z",
"dateReserved": "2020-01-29T00:00:00.000Z",
"dateUpdated": "2025-07-01T18:01:08.474Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-3193 (GCVE-0-2015-3193)
Vulnerability from cvelistv5
Published
2015-12-06 00:00
Modified
2024-08-06 05:39
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
The Montgomery squaring implementation in crypto/bn/asm/x86_64-mont5.pl in OpenSSL 1.0.2 before 1.0.2e on the x86_64 platform, as used by the BN_mod_exp function, mishandles carry propagation and produces incorrect output, which makes it easier for remote attackers to obtain sensitive private-key information via an attack against use of a (1) Diffie-Hellman (DH) or (2) Diffie-Hellman Ephemeral (DHE) ciphersuite.
References
| ► | URL | Tags | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T05:39:32.068Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "20151204 Multiple Vulnerabilities in OpenSSL (December 2015) Affecting Cisco Products",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151204-openssl"
},
{
"tags": [
"x_transferred"
],
"url": "https://kb.isc.org/article/AA-01438"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://blog.fuzzing-project.org/31-Fuzzing-Math-miscalculations-in-OpenSSLs-BN_mod_exp-CVE-2015-3193.html"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.fortiguard.com/advisory/openssl-advisory-december-2015"
},
{
"name": "SSA:2015-349-04",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://www.slackware.com/security/viewer.php?l=slackware-security\u0026y=2015\u0026m=slackware-security.754583"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA40100"
},
{
"name": "SSA:2015-349-01",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://www.slackware.com/security/viewer.php?l=slackware-security\u0026y=2015\u0026m=slackware-security.539966"
},
{
"tags": [
"x_transferred"
],
"url": "http://kb.juniper.net/InfoCenter/index?page=content\u0026id=JSA10761"
},
{
"name": "USN-2830-1",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://www.ubuntu.com/usn/USN-2830-1"
},
{
"name": "78705",
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/78705"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html"
},
{
"name": "91787",
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/91787"
},
{
"tags": [
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1288317"
},
{
"tags": [
"x_transferred"
],
"url": "http://openssl.org/news/secadv/20151203.txt"
},
{
"name": "1034294",
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "http://www.securitytracker.com/id/1034294"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.openssl.org/?p=openssl.git%3Ba=commit%3Bh=d73cc256c8e256c32ed959456101b73ba9842f72"
},
{
"tags": [
"x_transferred"
],
"url": "http://fortiguard.com/advisory/openssl-advisory-december-2015"
},
{
"tags": [
"x_transferred"
],
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05398322"
},
{
"tags": [
"x_transferred"
],
"url": "http://kb.juniper.net/InfoCenter/index?page=content\u0026id=JSA10759"
},
{
"tags": [
"x_transferred"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-412672.pdf"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2015-12-04T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The Montgomery squaring implementation in crypto/bn/asm/x86_64-mont5.pl in OpenSSL 1.0.2 before 1.0.2e on the x86_64 platform, as used by the BN_mod_exp function, mishandles carry propagation and produces incorrect output, which makes it easier for remote attackers to obtain sensitive private-key information via an attack against use of a (1) Diffie-Hellman (DH) or (2) Diffie-Hellman Ephemeral (DHE) ciphersuite."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-12-13T00:00:00",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "20151204 Multiple Vulnerabilities in OpenSSL (December 2015) Affecting Cisco Products",
"tags": [
"vendor-advisory"
],
"url": "http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151204-openssl"
},
{
"url": "https://kb.isc.org/article/AA-01438"
},
{
"url": "http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html"
},
{
"url": "https://blog.fuzzing-project.org/31-Fuzzing-Math-miscalculations-in-OpenSSLs-BN_mod_exp-CVE-2015-3193.html"
},
{
"url": "http://www.fortiguard.com/advisory/openssl-advisory-december-2015"
},
{
"name": "SSA:2015-349-04",
"tags": [
"vendor-advisory"
],
"url": "http://www.slackware.com/security/viewer.php?l=slackware-security\u0026y=2015\u0026m=slackware-security.754583"
},
{
"url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html"
},
{
"url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA40100"
},
{
"name": "SSA:2015-349-01",
"tags": [
"vendor-advisory"
],
"url": "http://www.slackware.com/security/viewer.php?l=slackware-security\u0026y=2015\u0026m=slackware-security.539966"
},
{
"url": "http://kb.juniper.net/InfoCenter/index?page=content\u0026id=JSA10761"
},
{
"name": "USN-2830-1",
"tags": [
"vendor-advisory"
],
"url": "http://www.ubuntu.com/usn/USN-2830-1"
},
{
"name": "78705",
"tags": [
"vdb-entry"
],
"url": "http://www.securityfocus.com/bid/78705"
},
{
"url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html"
},
{
"name": "91787",
"tags": [
"vdb-entry"
],
"url": "http://www.securityfocus.com/bid/91787"
},
{
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1288317"
},
{
"url": "http://openssl.org/news/secadv/20151203.txt"
},
{
"name": "1034294",
"tags": [
"vdb-entry"
],
"url": "http://www.securitytracker.com/id/1034294"
},
{
"url": "https://git.openssl.org/?p=openssl.git%3Ba=commit%3Bh=d73cc256c8e256c32ed959456101b73ba9842f72"
},
{
"url": "http://fortiguard.com/advisory/openssl-advisory-december-2015"
},
{
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05398322"
},
{
"url": "http://kb.juniper.net/InfoCenter/index?page=content\u0026id=JSA10759"
},
{
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-412672.pdf"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2015-3193",
"datePublished": "2015-12-06T00:00:00",
"dateReserved": "2015-04-10T00:00:00",
"dateUpdated": "2024-08-06T05:39:32.068Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-42004 (GCVE-0-2022-42004)
Vulnerability from cvelistv5
Published
2022-10-02 00:00
Modified
2024-08-03 12:56
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization.
References
| ► | URL | Tags | |||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T12:56:39.182Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/FasterXML/jackson-databind/issues/3582"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/FasterXML/jackson-databind/commit/063183589218fec19a9293ed2f17ec53ea80ba88"
},
{
"tags": [
"x_transferred"
],
"url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50490"
},
{
"name": "GLSA-202210-21",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202210-21"
},
{
"name": "DSA-5283",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://www.debian.org/security/2022/dsa-5283"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20221118-0008/"
},
{
"name": "[debian-lts-announce] 20221127 [SECURITY] [DLA 3207-1] jackson-databind security update",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00035.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-11-27T00:00:00",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/FasterXML/jackson-databind/issues/3582"
},
{
"url": "https://github.com/FasterXML/jackson-databind/commit/063183589218fec19a9293ed2f17ec53ea80ba88"
},
{
"url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50490"
},
{
"name": "GLSA-202210-21",
"tags": [
"vendor-advisory"
],
"url": "https://security.gentoo.org/glsa/202210-21"
},
{
"name": "DSA-5283",
"tags": [
"vendor-advisory"
],
"url": "https://www.debian.org/security/2022/dsa-5283"
},
{
"url": "https://security.netapp.com/advisory/ntap-20221118-0008/"
},
{
"name": "[debian-lts-announce] 20221127 [SECURITY] [DLA 3207-1] jackson-databind security update",
"tags": [
"mailing-list"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00035.html"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-42004",
"datePublished": "2022-10-02T00:00:00",
"dateReserved": "2022-10-02T00:00:00",
"dateUpdated": "2024-08-03T12:56:39.182Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-3859 (GCVE-0-2021-3859)
Vulnerability from cvelistv5
Published
2022-08-26 00:00
Modified
2024-08-03 17:09
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-214 - - Invocation of Process Using Visible Sensitive Information
Summary
A flaw was found in Undertow that tripped the client-side invocation timeout with certain calls made over HTTP2. This flaw allows an attacker to carry out denial of service attacks.
References
| ► | URL | Tags | ||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T17:09:09.581Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2010378"
},
{
"tags": [
"x_transferred"
],
"url": "https://issues.redhat.com/browse/UNDERTOW-1979"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/undertow-io/undertow/pull/1296"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/undertow-io/undertow/commit/e43f0ada3f4da6e8579e0020cec3cb1a81e487c2"
},
{
"tags": [
"x_transferred"
],
"url": "https://access.redhat.com/security/cve/CVE-2021-3859"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20221201-0004/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "undertow",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Fixed in 2.2.15.Final"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in Undertow that tripped the client-side invocation timeout with certain calls made over HTTP2. This flaw allows an attacker to carry out denial of service attacks."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-214",
"description": "CWE-214 - Invocation of Process Using Visible Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-12-02T00:00:00",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2010378"
},
{
"url": "https://issues.redhat.com/browse/UNDERTOW-1979"
},
{
"url": "https://github.com/undertow-io/undertow/pull/1296"
},
{
"url": "https://github.com/undertow-io/undertow/commit/e43f0ada3f4da6e8579e0020cec3cb1a81e487c2"
},
{
"url": "https://access.redhat.com/security/cve/CVE-2021-3859"
},
{
"url": "https://security.netapp.com/advisory/ntap-20221201-0004/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2021-3859",
"datePublished": "2022-08-26T00:00:00",
"dateReserved": "2021-10-05T00:00:00",
"dateUpdated": "2024-08-03T17:09:09.581Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-44483 (GCVE-0-2023-44483)
Vulnerability from cvelistv5
Published
2023-10-20 09:23
Modified
2025-02-13 17:13
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-532 - Insertion of Sensitive Information into Log File
Summary
All versions of Apache Santuario - XML Security for Java prior to 2.2.6, 2.3.4, and 3.0.3, when using the JSR 105 API, are vulnerable to an issue where a private key may be disclosed in log files when generating an XML Signature and logging with debug level is enabled. Users are recommended to upgrade to version 2.2.6, 2.3.4, or 3.0.3, which fixes this issue.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Santuario |
Version: 2.2 ≤ Version: 2.3 ≤ Version: 3.0 ≤ |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T20:07:33.435Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/vmqbp9mfxtrf0kmbnnmbn3h9j6dr9q55"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2023/10/20/5"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-44483",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-12T14:33:15.116438Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-12T14:36:02.225Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache Santuario",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "2.2.6",
"status": "affected",
"version": "2.2",
"versionType": "semver"
},
{
"lessThan": "2.3.4",
"status": "affected",
"version": "2.3",
"versionType": "semver"
},
{
"lessThan": "3.0.3",
"status": "affected",
"version": "3.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Apache Santuario would like to thank Max Fichtelmann for reporting this issue."
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "All versions of Apache Santuario - XML Security for Java prior to 2.2.6, 2.3.4, and 3.0.3, when using the JSR 105 API, are vulnerable to an issue where a private key may be disclosed in log files when generating an XML Signature and logging with debug level is enabled.\u0026nbsp;Users are recommended to upgrade to version 2.2.6, 2.3.4, or 3.0.3, which fixes this issue.\u003cbr\u003e"
}
],
"value": "All versions of Apache Santuario - XML Security for Java prior to 2.2.6, 2.3.4, and 3.0.3, when using the JSR 105 API, are vulnerable to an issue where a private key may be disclosed in log files when generating an XML Signature and logging with debug level is enabled.\u00a0Users are recommended to upgrade to version 2.2.6, 2.3.4, or 3.0.3, which fixes this issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-532",
"description": "CWE-532 Insertion of Sensitive Information into Log File",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-20T09:25:12.008Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/vmqbp9mfxtrf0kmbnnmbn3h9j6dr9q55"
},
{
"url": "http://www.openwall.com/lists/oss-security/2023/10/20/5"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Apache Santuario: Private Key disclosure in debug-log output",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2023-44483",
"datePublished": "2023-10-20T09:23:53.483Z",
"dateReserved": "2023-09-29T15:05:04.230Z",
"dateUpdated": "2025-02-13T17:13:41.449Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-0482 (GCVE-0-2023-0482)
Vulnerability from cvelistv5
Published
2023-02-17 00:00
Modified
2025-03-18 16:02
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
In RESTEasy the insecure File.createTempFile() is used in the DataSourceProvider, FileProvider and Mime4JWorkaround classes which creates temp files with insecure permissions that could be read by a local user.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T05:10:56.348Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/resteasy/resteasy/pull/3409/commits/807d7456f2137cde8ef7c316707211bf4e542d56"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20230427-0001/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-0482",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-18T16:02:39.109651Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-378",
"description": "CWE-378 Creation of Temporary File With Insecure Permissions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-18T16:02:42.237Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "RESTEasy",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Fixed in RESTEasy 4.7.8.Final"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In RESTEasy the insecure File.createTempFile() is used in the DataSourceProvider, FileProvider and Mime4JWorkaround classes which creates temp files with insecure permissions that could be read by a local user."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-378",
"description": "CWE-378",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-04-27T00:00:00.000Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"url": "https://github.com/resteasy/resteasy/pull/3409/commits/807d7456f2137cde8ef7c316707211bf4e542d56"
},
{
"url": "https://security.netapp.com/advisory/ntap-20230427-0001/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2023-0482",
"datePublished": "2023-02-17T00:00:00.000Z",
"dateReserved": "2023-01-24T00:00:00.000Z",
"dateUpdated": "2025-03-18T16:02:42.237Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-3194 (GCVE-0-2015-3194)
Vulnerability from cvelistv5
Published
2015-12-06 00:00
Modified
2024-08-06 05:39
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
crypto/rsa/rsa_ameth.c in OpenSSL 1.0.1 before 1.0.1q and 1.0.2 before 1.0.2e allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an RSA PSS ASN.1 signature that lacks a mask generation function parameter.
References
| ► | URL | Tags | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T05:39:31.986Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05131085"
},
{
"tags": [
"x_transferred"
],
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05157667"
},
{
"name": "78623",
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/78623"
},
{
"name": "20151204 Multiple Vulnerabilities in OpenSSL (December 2015) Affecting Cisco Products",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151204-openssl"
},
{
"tags": [
"x_transferred"
],
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04944173"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05111017"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.openssl.org/?p=openssl.git%3Ba=commit%3Bh=c394a488942387246653833359a5c94b5832674e"
},
{
"name": "openSUSE-SU-2016:1332",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00053.html"
},
{
"name": "openSUSE-SU-2015:2288",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-updates/2015-12/msg00070.html"
},
{
"name": "RHSA-2015:2617",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2015-2617.html"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.fortiguard.com/advisory/openssl-advisory-december-2015"
},
{
"tags": [
"x_transferred"
],
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05150888"
},
{
"name": "SSA:2015-349-04",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://www.slackware.com/security/viewer.php?l=slackware-security\u0026y=2015\u0026m=slackware-security.754583"
},
{
"tags": [
"x_transferred"
],
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05158380"
},
{
"tags": [
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1288320"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.openssl.org/?p=openssl.git%3Ba=commit%3Bh=d8541d7e9e63bf5f343af24644046c8d96498c17"
},
{
"tags": [
"x_transferred"
],
"url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA40100"
},
{
"tags": [
"x_transferred"
],
"url": "http://kb.juniper.net/InfoCenter/index?page=content\u0026id=JSA10761"
},
{
"name": "HPSBGN03536",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://marc.info/?l=bugtraq\u0026m=145382583417444\u0026w=2"
},
{
"name": "USN-2830-1",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://www.ubuntu.com/usn/USN-2830-1"
},
{
"name": "openSUSE-SU-2015:2289",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-updates/2015-12/msg00071.html"
},
{
"name": "FEDORA-2015-d87d60b9a9",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-December/173801.html"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html"
},
{
"name": "91787",
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/91787"
},
{
"name": "RHSA-2016:2957",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2016-2957.html"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.oracle.com/technetwork/topics/security/bulletinjan2016-2867206.html"
},
{
"tags": [
"x_transferred"
],
"url": "http://openssl.org/news/secadv/20151203.txt"
},
{
"name": "1034294",
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "http://www.securitytracker.com/id/1034294"
},
{
"name": "openSUSE-SU-2016:0637",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00009.html"
},
{
"tags": [
"x_transferred"
],
"url": "http://fortiguard.com/advisory/openssl-advisory-december-2015"
},
{
"tags": [
"x_transferred"
],
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05398322"
},
{
"name": "DSA-3413",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://www.debian.org/security/2015/dsa-3413"
},
{
"name": "openSUSE-SU-2015:2318",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-updates/2015-12/msg00087.html"
},
{
"tags": [
"x_transferred"
],
"url": "http://kb.juniper.net/InfoCenter/index?page=content\u0026id=JSA10759"
},
{
"tags": [
"x_transferred"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-412672.pdf"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2015-12-04T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "crypto/rsa/rsa_ameth.c in OpenSSL 1.0.1 before 1.0.1q and 1.0.2 before 1.0.2e allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an RSA PSS ASN.1 signature that lacks a mask generation function parameter."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-12-13T00:00:00",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05131085"
},
{
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05157667"
},
{
"name": "78623",
"tags": [
"vdb-entry"
],
"url": "http://www.securityfocus.com/bid/78623"
},
{
"name": "20151204 Multiple Vulnerabilities in OpenSSL (December 2015) Affecting Cisco Products",
"tags": [
"vendor-advisory"
],
"url": "http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151204-openssl"
},
{
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04944173"
},
{
"url": "http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html"
},
{
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05111017"
},
{
"url": "https://git.openssl.org/?p=openssl.git%3Ba=commit%3Bh=c394a488942387246653833359a5c94b5832674e"
},
{
"name": "openSUSE-SU-2016:1332",
"tags": [
"vendor-advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00053.html"
},
{
"name": "openSUSE-SU-2015:2288",
"tags": [
"vendor-advisory"
],
"url": "http://lists.opensuse.org/opensuse-updates/2015-12/msg00070.html"
},
{
"name": "RHSA-2015:2617",
"tags": [
"vendor-advisory"
],
"url": "http://rhn.redhat.com/errata/RHSA-2015-2617.html"
},
{
"url": "http://www.fortiguard.com/advisory/openssl-advisory-december-2015"
},
{
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05150888"
},
{
"name": "SSA:2015-349-04",
"tags": [
"vendor-advisory"
],
"url": "http://www.slackware.com/security/viewer.php?l=slackware-security\u0026y=2015\u0026m=slackware-security.754583"
},
{
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05158380"
},
{
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1288320"
},
{
"url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html"
},
{
"url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html"
},
{
"url": "https://git.openssl.org/?p=openssl.git%3Ba=commit%3Bh=d8541d7e9e63bf5f343af24644046c8d96498c17"
},
{
"url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA40100"
},
{
"url": "http://kb.juniper.net/InfoCenter/index?page=content\u0026id=JSA10761"
},
{
"name": "HPSBGN03536",
"tags": [
"vendor-advisory"
],
"url": "http://marc.info/?l=bugtraq\u0026m=145382583417444\u0026w=2"
},
{
"name": "USN-2830-1",
"tags": [
"vendor-advisory"
],
"url": "http://www.ubuntu.com/usn/USN-2830-1"
},
{
"name": "openSUSE-SU-2015:2289",
"tags": [
"vendor-advisory"
],
"url": "http://lists.opensuse.org/opensuse-updates/2015-12/msg00071.html"
},
{
"name": "FEDORA-2015-d87d60b9a9",
"tags": [
"vendor-advisory"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-December/173801.html"
},
{
"url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html"
},
{
"name": "91787",
"tags": [
"vdb-entry"
],
"url": "http://www.securityfocus.com/bid/91787"
},
{
"name": "RHSA-2016:2957",
"tags": [
"vendor-advisory"
],
"url": "http://rhn.redhat.com/errata/RHSA-2016-2957.html"
},
{
"url": "http://www.oracle.com/technetwork/topics/security/bulletinjan2016-2867206.html"
},
{
"url": "http://openssl.org/news/secadv/20151203.txt"
},
{
"name": "1034294",
"tags": [
"vdb-entry"
],
"url": "http://www.securitytracker.com/id/1034294"
},
{
"name": "openSUSE-SU-2016:0637",
"tags": [
"vendor-advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00009.html"
},
{
"url": "http://fortiguard.com/advisory/openssl-advisory-december-2015"
},
{
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05398322"
},
{
"name": "DSA-3413",
"tags": [
"vendor-advisory"
],
"url": "http://www.debian.org/security/2015/dsa-3413"
},
{
"name": "openSUSE-SU-2015:2318",
"tags": [
"vendor-advisory"
],
"url": "http://lists.opensuse.org/opensuse-updates/2015-12/msg00087.html"
},
{
"url": "http://kb.juniper.net/InfoCenter/index?page=content\u0026id=JSA10759"
},
{
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-412672.pdf"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2015-3194",
"datePublished": "2015-12-06T00:00:00",
"dateReserved": "2015-04-10T00:00:00",
"dateUpdated": "2024-08-06T05:39:31.986Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-5262 (GCVE-0-2015-5262)
Vulnerability from cvelistv5
Published
2015-10-27 16:00
Modified
2024-08-06 06:41
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
http/conn/ssl/SSLConnectionSocketFactory.java in Apache HttpComponents HttpClient before 4.3.6 ignores the http.socket.timeout configuration setting during an SSL handshake, which allows remote attackers to cause a denial of service (HTTPS call hang) via unspecified vectors.
References
| ► | URL | Tags | |||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T06:41:09.189Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1626784"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://jenkins.io/security/advisory/2018-02-26/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1261538"
},
{
"name": "FEDORA-2015-15590",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-October/167962.html"
},
{
"name": "FEDORA-2015-15589",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-October/167999.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://issues.apache.org/jira/browse/HTTPCLIENT-1478"
},
{
"name": "FEDORA-2015-15588",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-October/168030.html"
},
{
"name": "1033743",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK",
"x_transferred"
],
"url": "http://www.securitytracker.com/id/1033743"
},
{
"name": "USN-2769-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "http://www.ubuntu.com/usn/USN-2769-1"
},
{
"name": "[drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E"
},
{
"name": "[drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E"
},
{
"name": "[drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E"
},
{
"name": "openSUSE-SU-2020:1873",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00032.html"
},
{
"name": "openSUSE-SU-2020:1875",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00033.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2015-10-01T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "http/conn/ssl/SSLConnectionSocketFactory.java in Apache HttpComponents HttpClient before 4.3.6 ignores the http.socket.timeout configuration setting during an SSL handshake, which allows remote attackers to cause a denial of service (HTTPS call hang) via unspecified vectors."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-11-08T12:06:14",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1626784"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://jenkins.io/security/advisory/2018-02-26/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1261538"
},
{
"name": "FEDORA-2015-15590",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-October/167962.html"
},
{
"name": "FEDORA-2015-15589",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-October/167999.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://issues.apache.org/jira/browse/HTTPCLIENT-1478"
},
{
"name": "FEDORA-2015-15588",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-October/168030.html"
},
{
"name": "1033743",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK"
],
"url": "http://www.securitytracker.com/id/1033743"
},
{
"name": "USN-2769-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU"
],
"url": "http://www.ubuntu.com/usn/USN-2769-1"
},
{
"name": "[drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E"
},
{
"name": "[drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E"
},
{
"name": "[drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E"
},
{
"name": "openSUSE-SU-2020:1873",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00032.html"
},
{
"name": "openSUSE-SU-2020:1875",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00033.html"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2015-5262",
"datePublished": "2015-10-27T16:00:00",
"dateReserved": "2015-07-01T00:00:00",
"dateUpdated": "2024-08-06T06:41:09.189Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-37136 (GCVE-0-2021-37136)
Vulnerability from cvelistv5
Published
2021-10-19 00:00
Modified
2024-08-04 01:16
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are affected. The malicious input can trigger an OOME and so a DoS attack
References
| ► | URL | Tags | |||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| The Netty project | Netty |
Version: unspecified < 4.1.68Final |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T01:16:02.944Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/netty/netty/security/advisories/GHSA-grg4-wf29-r9vv"
},
{
"name": "[tinkerpop-dev] 20211025 [jira] [Created] (TINKERPOP-2632) Netty 4.1.61 flagged with two high severity security violations",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rfb2bf8597e53364ccab212fbcbb2a4e9f0a9e1429b1dc08023c6868e%40%3Cdev.tinkerpop.apache.org%3E"
},
{
"name": "[druid-commits] 20211025 [GitHub] [druid] jihoonson opened a new pull request #11844: Bump netty4 to 4.1.68; suppress CVE-2021-37136 and CVE-2021-37137 for netty3",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r75490c61c2cb7b6ae2c81238fd52ae13636c60435abcd732d41531a0%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20211025 [GitHub] [druid] jihoonson commented on pull request #11844: Bump netty4 to 4.1.68; suppress CVE-2021-37136 and CVE-2021-37137 for netty3",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r5406eaf3b07577d233b9f07cfc8f26e28369e6bab5edfcab41f28abb%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20211025 [GitHub] [druid] a2l007 commented on pull request #11844: Bump netty4 to 4.1.68; suppress CVE-2021-37136 and CVE-2021-37137 for netty3",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r5e05eba32476c580412f9fbdfc9b8782d5b40558018ac4ac07192a04%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20211026 [GitHub] [druid] clintropolis merged pull request #11844: Bump netty4 to 4.1.68; suppress CVE-2021-37136 and CVE-2021-37137 for netty3",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r06a145c9bd41a7344da242cef07977b24abe3349161ede948e30913d%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20211026 [GitHub] [druid] jihoonson commented on pull request #11844: Bump netty4 to 4.1.68; suppress CVE-2021-37136 and CVE-2021-37137 for netty3",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rd262f59b1586a108e320e5c966feeafbb1b8cdc96965debc7cc10b16%40%3Ccommits.druid.apache.org%3E"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20220210-0012/"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
},
{
"name": "[debian-lts-announce] 20230111 [SECURITY] [DLA 3268-1] netty security update",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00008.html"
},
{
"name": "DSA-5316",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://www.debian.org/security/2023/dsa-5316"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Netty",
"vendor": "The Netty project",
"versions": [
{
"lessThan": "4.1.68Final",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The Bzip2 decompression decoder function doesn\u0027t allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are affected. The malicious input can trigger an OOME and so a DoS attack"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-01-12T00:00:00",
"orgId": "48a46f29-ae42-4e1d-90dd-c1676c1e5e6d",
"shortName": "JFROG"
},
"references": [
{
"url": "https://github.com/netty/netty/security/advisories/GHSA-grg4-wf29-r9vv"
},
{
"name": "[tinkerpop-dev] 20211025 [jira] [Created] (TINKERPOP-2632) Netty 4.1.61 flagged with two high severity security violations",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/rfb2bf8597e53364ccab212fbcbb2a4e9f0a9e1429b1dc08023c6868e%40%3Cdev.tinkerpop.apache.org%3E"
},
{
"name": "[druid-commits] 20211025 [GitHub] [druid] jihoonson opened a new pull request #11844: Bump netty4 to 4.1.68; suppress CVE-2021-37136 and CVE-2021-37137 for netty3",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r75490c61c2cb7b6ae2c81238fd52ae13636c60435abcd732d41531a0%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20211025 [GitHub] [druid] jihoonson commented on pull request #11844: Bump netty4 to 4.1.68; suppress CVE-2021-37136 and CVE-2021-37137 for netty3",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r5406eaf3b07577d233b9f07cfc8f26e28369e6bab5edfcab41f28abb%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20211025 [GitHub] [druid] a2l007 commented on pull request #11844: Bump netty4 to 4.1.68; suppress CVE-2021-37136 and CVE-2021-37137 for netty3",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r5e05eba32476c580412f9fbdfc9b8782d5b40558018ac4ac07192a04%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20211026 [GitHub] [druid] clintropolis merged pull request #11844: Bump netty4 to 4.1.68; suppress CVE-2021-37136 and CVE-2021-37137 for netty3",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r06a145c9bd41a7344da242cef07977b24abe3349161ede948e30913d%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20211026 [GitHub] [druid] jihoonson commented on pull request #11844: Bump netty4 to 4.1.68; suppress CVE-2021-37136 and CVE-2021-37137 for netty3",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/rd262f59b1586a108e320e5c966feeafbb1b8cdc96965debc7cc10b16%40%3Ccommits.druid.apache.org%3E"
},
{
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"url": "https://security.netapp.com/advisory/ntap-20220210-0012/"
},
{
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
},
{
"name": "[debian-lts-announce] 20230111 [SECURITY] [DLA 3268-1] netty security update",
"tags": [
"mailing-list"
],
"url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00008.html"
},
{
"name": "DSA-5316",
"tags": [
"vendor-advisory"
],
"url": "https://www.debian.org/security/2023/dsa-5316"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "48a46f29-ae42-4e1d-90dd-c1676c1e5e6d",
"assignerShortName": "JFROG",
"cveId": "CVE-2021-37136",
"datePublished": "2021-10-19T00:00:00",
"dateReserved": "2021-07-20T00:00:00",
"dateUpdated": "2024-08-04T01:16:02.944Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-25649 (GCVE-0-2020-25649)
Vulnerability from cvelistv5
Published
2020-12-03 16:16
Modified
2024-08-04 15:40
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw allows vulnerability to XML external entity (XXE) attacks. The highest threat from this vulnerability is data integrity.
References
| ► | URL | Tags | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | jackson-databind |
Version: jackson-databind-2.11.0 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T15:40:36.648Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1887664"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/FasterXML/jackson-databind/issues/2589"
},
{
"name": "[kafka-jira] 20201205 [GitHub] [kafka] sirocchj opened a new pull request #9702: CVE-2020-25649: bumping jackson to patched version 2.10.5.1",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/ra1157e57a01d25e36b0dc17959ace758fc21ba36746de29ba1d8b130%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "[druid-commits] 20201208 [GitHub] [druid] jihoonson opened a new pull request #10655: Bump up jackson-databind to 2.10.5.1",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r2b6ddb3a4f4cd11d8f6305011e1b7438ba813511f2e3ab3180c7ffda%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "[kafka-jira] 20201209 [GitHub] [kafka] ijuma commented on pull request #9702: CVE-2020-25649: bumping jackson to patched version 2.10.5.1",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r2882fc1f3032cd7be66e28787f04ec6f1874ac68d47e310e30ff7eb1%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "[kafka-jira] 20201209 [GitHub] [kafka] niteshmor commented on pull request #9702: CVE-2020-25649: bumping jackson to patched version 2.10.5.1",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/re96dc7a13e13e56190a5d80f9e5440a0d0c83aeec6467b562fbf2dca%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "[kafka-jira] 20201209 [GitHub] [kafka] sirocchj edited a comment on pull request #9702: CVE-2020-25649: bumping jackson to patched version 2.10.5.1",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r1b7ed0c4b6c4301d4dfd6fdbc5581b0a789d3240cab55d766f33c6c6%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "[kafka-jira] 20201209 [GitHub] [kafka] sirocchj commented on pull request #9702: CVE-2020-25649: bumping jackson to patched version 2.10.5.1",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rd317f15a675d114dbf5b488d27eeb2467b4424356b16116eb18a652d%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "[kafka-jira] 20201210 [GitHub] [kafka] sirocchj commented on pull request #9702: CVE-2020-25649: bumping jackson to patched version 2.10.5.1",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rc15e90bbef196a5c6c01659e015249d6c9a73581ca9afb8aeecf00d2%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "[kafka-jira] 20201210 [GitHub] [kafka] niteshmor edited a comment on pull request #9702: CVE-2020-25649: bumping jackson to patched version 2.10.5.1",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r63c87aab97155f3f3cbe11d030c4a184ea0de440ee714977db02e956%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "[kafka-jira] 20201210 [GitHub] [kafka] niteshmor commented on pull request #9702: CVE-2020-25649: bumping jackson to patched version 2.10.5.1",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rc959cdb57c4fe198316130ff4a5ecbf9d680e356032ff2e9f4f05d54%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "[kafka-jira] 20201215 [GitHub] [kafka] ijuma commented on pull request #9702: CVE-2020-25649: bumping jackson to patched version 2.10.5.1",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/raf13235de6df1d47a717199e1ecd700dff3236632f5c9a1488d9845b%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "[kafka-users] 20201215 Re: [VOTE] 2.7.0 RC5",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r6b11eca1d646f45eb0d35d174e6b1e47cfae5295b92000856bfb6304%40%3Cusers.kafka.apache.org%3E"
},
{
"name": "[kafka-dev] 20201215 Re: [VOTE] 2.7.0 RC5",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r6b11eca1d646f45eb0d35d174e6b1e47cfae5295b92000856bfb6304%40%3Cdev.kafka.apache.org%3E"
},
{
"name": "[kafka-jira] 20201215 [GitHub] [kafka] ijuma merged pull request #9702: CVE-2020-25649: bumping jackson to patched version 2.10.5.1",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r5f8a1608d758936bd6bbc5eed980777437b611537bf6fff40663fc71%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "[kafka-jira] 20201215 [GitHub] [kafka] ijuma edited a comment on pull request #9702: CVE-2020-25649: bumping jackson to patched version 2.10.5.1",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r78d53a0a269c18394daf5940105dc8c7f9a2399503c2e78be20abe7e%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210105 [jira] [Created] (ZOOKEEPER-4045) CVE-2020-25649 - Upgrade jackson databind to 2.10.5.1",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r98bfe3b90ea9408f12c4b447edcb5638703d80bc782430aa0c210a54%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210105 [jira] [Updated] (ZOOKEEPER-4045) CVE-2020-25649 - Upgrade jackson databind to 2.10.5.1",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r90d1e97b0a743cf697d89a792a9b669909cc5a1692d1e0083a22e66c%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-dev] 20210105 [jira] [Created] (ZOOKEEPER-4045) CVE-2020-25649 - Upgrade jackson databind to 2.10.5.1",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r900d4408c4189b376d1ec580ea7740ea6f8710dc2f0b7e9c9eeb5ae0%40%3Cdev.zookeeper.apache.org%3E"
},
{
"name": "[kafka-dev] 20210105 Re: [kafka-clients] Re: [VOTE] 2.6.1 RC3",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r8937a7160717fe8b2221767163c4de4f65bc5466405cb1c5310f9080%40%3Cdev.kafka.apache.org%3E"
},
{
"name": "[kafka-users] 20210105 Re: [kafka-clients] Re: [VOTE] 2.6.1 RC3",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r8937a7160717fe8b2221767163c4de4f65bc5466405cb1c5310f9080%40%3Cusers.kafka.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210106 [jira] [Updated] (ZOOKEEPER-4045) CVE-2020-25649 - Upgrade jackson databind to 2.10.5.1",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rd6f6bf848c2d47fa4a85c27d011d948778b8f7e58ba495968435a0b3%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210106 [GitHub] [zookeeper] edwin092 opened a new pull request #1572: ZOOKEEPER-4045: CVE-2020-25649 - Upgrade jackson databind to 2.10.5.1",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r6e3d4f7991542119a4ca6330271d7fbf7b9fb3abab24ada82ddf1ee4%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210106 [jira] [Commented] (ZOOKEEPER-4045) CVE-2020-25649 - Upgrade jackson databind to 2.10.5.1",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r0b8dc3acd4503e4ecb6fbd6ea7d95f59941168d8452ac0ab1d1d96bb%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210106 [GitHub] [zookeeper] asfgit closed pull request #1572: ZOOKEEPER-4045: CVE-2020-25649 - Upgrade jackson databind to 2.10.5.1",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r68d029ee74ab0f3b0569d0c05f5688cb45dd3abe96a6534735252805%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-commits] 20210106 [zookeeper] branch branch-3.5.9 updated: ZOOKEEPER-4045: CVE-2020-25649 - Upgrade jackson databind to 2.10.5.1",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rc88f2fa2b7bd6443921727aeee7704a1fb02433e722e2abf677e0d3d%40%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-commits] 20210106 [zookeeper] branch branch-3.6 updated: ZOOKEEPER-4045: CVE-2020-25649 - Upgrade jackson databind to 2.10.5.1",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r94c7e86e546120f157264ba5ba61fd29b3a8d530ed325a9b4fa334d7%40%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-commits] 20210106 [zookeeper] branch branch-3.5 updated: ZOOKEEPER-4045: CVE-2020-25649 - Upgrade jackson databind to 2.10.5.1",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rdf9a34726482222c90d50ae1b9847881de67dde8cfde4999633d2cdc%40%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210106 [GitHub] [zookeeper] nkalmar commented on pull request #1572: ZOOKEEPER-4045: CVE-2020-25649 - Upgrade jackson databind to 2.10.5.1",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r04529cedaca40c2ff90af4880493f9c88a8ebf4d1d6c861d23108a5a%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-commits] 20210106 [zookeeper] branch master updated: ZOOKEEPER-4045: CVE-2020-25649 - Upgrade jackson databind to 2.10.5.1",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r86c78bf7656fdb2dab69cbf17f3d7492300f771025f1a3a65d5e5ce5%40%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210116 [jira] [Commented] (ZOOKEEPER-4045) CVE-2020-25649 - Upgrade jackson databind to 2.10.5.1",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rb674520b9f6c808c1bf263b1369e14048ec3243615f35cfd24e33604%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[flink-issues] 20210121 [GitHub] [flink-shaded] HuangXingBo opened a new pull request #93: [FLINK-21020][jackson] Bump version to 2.12.1",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/ra95faf968f3463acb3f31a6fbec31453fc5045325f99f396961886d3%40%3Cissues.flink.apache.org%3E"
},
{
"name": "[flink-issues] 20210122 [GitHub] [flink-shaded] HuangXingBo opened a new pull request #93: [FLINK-21020][jackson] Bump version to 2.12.1",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r45e7350dfc92bb192f3f88e9971c11ab2be0953cc375be3dda5170bd%40%3Cissues.flink.apache.org%3E"
},
{
"name": "[tomee-commits] 20210127 [jira] [Created] (TOMEE-2965) CVE-2020-25649 - Update jackson databind",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r95a297eb5fd1f2d3a2281f15340e2413f952e9d5503296c3adc7201a%40%3Ccommits.tomee.apache.org%3E"
},
{
"name": "FEDORA-2021-1d8254899c",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6X2UT4X6M7DLQYBOOHMXBWGYJ65RL2CT/"
},
{
"name": "[karaf-commits] 20210217 [GitHub] [karaf] svogt opened a new pull request #1296: Update jackson-databind to fix CVE-2020-25649 / BDSA-2020-2965",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/re16f81d3ad49a93dd2f0cba9f8fc88e5fb89f30bf9a2ad7b6f3e69c1%40%3Ccommits.karaf.apache.org%3E"
},
{
"name": "[karaf-commits] 20210217 [GitHub] [karaf] jbonofre merged pull request #1296: Update jackson-databind to fix CVE-2020-25649 / BDSA-2020-2965",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r3e6ae311842de4e64c5d560a475b7f9cc7e0a9a8649363c6cf7537eb%40%3Ccommits.karaf.apache.org%3E"
},
{
"name": "[karaf-commits] 20210217 [karaf] branch master updated: Update jackson-databind to fix CVE-2020-25649 / BDSA-2020-2965",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r91722ecfba688b0c565675f8bf380269fde8ec62b54d6161db544c22%40%3Ccommits.karaf.apache.org%3E"
},
{
"name": "[karaf-commits] 20210217 [GitHub] [karaf] jbonofre commented on pull request #1296: Update jackson-databind to fix CVE-2020-25649 / BDSA-2020-2965",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rf1809a1374041a969d77afab21fc38925de066bc97e86157d3ac3402%40%3Ccommits.karaf.apache.org%3E"
},
{
"name": "[hive-issues] 20210223 [jira] [Assigned] (HIVE-24816) Upgrade jackson to 2.10.5.1 or 2.11.0+ due to CVE-2020-25649",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r0881e23bd9034c8f51fdccdc8f4d085ba985dcd738f8520569ca5c3d%40%3Cissues.hive.apache.org%3E"
},
{
"name": "[hive-dev] 20210223 [jira] [Created] (HIVE-24816) Upgrade jackson to 2.10.5.1 or 2.11.0+ due to CVE-2020-25649",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r2eb66c182853c69ecfb52f63d3dec09495e9b65be829fd889a081ae1%40%3Cdev.hive.apache.org%3E"
},
{
"name": "[hive-issues] 20210223 [jira] [Updated] (HIVE-24816) Upgrade jackson to 2.10.5.1 or 2.11.0+ due to CVE-2020-25649",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r5b130fe668503c4b7e2caf1b16f86b7f2070fd1b7ef8f26195a2ffbd%40%3Cissues.hive.apache.org%3E"
},
{
"name": "[hive-issues] 20210223 [jira] [Work logged] (HIVE-24816) Upgrade jackson to 2.10.5.1 or 2.11.0+ due to CVE-2020-25649",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rd57c7582adc90e233f23f3727db3df9115b27a823b92374f11453f34%40%3Cissues.hive.apache.org%3E"
},
{
"name": "[hive-issues] 20210315 [jira] [Work logged] (HIVE-24816) Upgrade jackson to 2.10.5.1 or 2.11.0+ due to CVE-2020-25649",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r407538adec3185dd35a05c9a26ae2f74425b15132470cf540f41d85b%40%3Cissues.hive.apache.org%3E"
},
{
"name": "[hive-issues] 20210316 [jira] [Work logged] (HIVE-24816) Upgrade jackson to 2.10.5.1 or 2.11.0+ due to CVE-2020-25649",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r2f5c5479f99398ef344b7ebd4d90bc3316236c45d0f3bc42090efcd7%40%3Cissues.hive.apache.org%3E"
},
{
"name": "[turbine-commits] 20210316 svn commit: r1887732 - in /turbine/fulcrum/trunk/json: ./ jackson/ jackson/src/test/org/apache/fulcrum/json/jackson/ jackson2/ jackson2/src/test/org/apache/fulcrum/json/jackson/ jackson2/src/test/org/apache/fulcrum/json/jackson/mixins/",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r011d1430e8f40dff9550c3bc5d0f48b14c01ba8aecabd91d5e495386%40%3Ccommits.turbine.apache.org%3E"
},
{
"name": "[iotdb-notifications] 20210324 [jira] [Created] (IOTDB-1256) Jackson have loopholes CVE-2020-25649",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r765283e145049df9b8998f14dcd444345555aae02b1610cfb3188bf8%40%3Cnotifications.iotdb.apache.org%3E"
},
{
"name": "[iotdb-reviews] 20210324 [GitHub] [iotdb] wangchao316 opened a new pull request #2896: [IOTDB-1256] Jackson have loopholes CVE-2020-25649",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r605764e05e201db33b3e9c2e66ff620658f07ad74f296abe483f7042%40%3Creviews.iotdb.apache.org%3E"
},
{
"name": "[iotdb-reviews] 20210324 [GitHub] [iotdb] wangchao316 closed pull request #2896: [IOTDB-1256] Jackson have loopholes CVE-2020-25649",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r7cb5b4b3e4bd41a8042e5725b7285877a17bcbf07f4eb3f7b316af60%40%3Creviews.iotdb.apache.org%3E"
},
{
"name": "[iotdb-commits] 20210325 [iotdb] branch master updated: [IOTDB-1256] upgrade Jackson to 2.11.0 because of loopholes CVE-2020-25649 (#2896)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r73bef1bb601a9f093f915f8075eb49fcca51efade57b817afd5def07%40%3Ccommits.iotdb.apache.org%3E"
},
{
"name": "[iotdb-reviews] 20210325 [GitHub] [iotdb] jixuan1989 merged pull request #2896: [IOTDB-1256] Jackson have loopholes CVE-2020-25649",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r6cbd599b80e787f02ff7a1391d9278a03f37d6a6f4f943f0f01a62fb%40%3Creviews.iotdb.apache.org%3E"
},
{
"name": "[hive-issues] 20210503 [jira] [Work logged] (HIVE-24816) Upgrade jackson to 2.10.5.1 or 2.11.0+ due to CVE-2020-25649",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/ra409f798a1e5a6652b7097429b388650ccd65fd958cee0b6f69bba00%40%3Cissues.hive.apache.org%3E"
},
{
"name": "[hive-issues] 20210510 [jira] [Work logged] (HIVE-24816) Upgrade jackson to 2.10.5.1 or 2.11.0+ due to CVE-2020-25649",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rdca8711bb7aa5d47a44682606cd0ea3497e2e922f22b7ee83e81e6c1%40%3Cissues.hive.apache.org%3E"
},
{
"name": "[hive-issues] 20210514 [jira] [Work logged] (HIVE-24816) Upgrade jackson to 2.10.5.1 or 2.11.0+ due to CVE-2020-25649",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r8ae961c80930e2717c75025414ce48a432cea1137c02f648b1fb9524%40%3Cissues.hive.apache.org%3E"
},
{
"name": "[knox-dev] 20210601 [jira] [Created] (KNOX-2614) Upgrade Jackson due to CVE-2020-25649",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rc82ff47853289e9cd17f5cfbb053c04cafc75ee32e3d7223963f83bb%40%3Cdev.knox.apache.org%3E"
},
{
"name": "[knox-dev] 20210601 [jira] [Updated] (KNOX-2614) Upgrade jackson-databind to 2.10.5 due to CVE-2020-25649",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r6a4f3ef6edfed2e0884269d84798f766779bbbc1005f7884e0800d61%40%3Cdev.knox.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r31f4ee7d561d56a0c2c2c6eb1d6ce3e05917ff9654fdbfec05dc2b83%40%3Ccommits.servicecomb.apache.org%3E"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20210108-0007/"
},
{
"name": "[spark-user] 20210621 Re: CVEs",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r8764bb835bcb8e311c882ff91dd3949c9824e905e880930be56f6ba3%40%3Cuser.spark.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"name": "[kafka-dev] 20210831 Security vulnerabilities in kafka:2.13-2.6.0/2.7.0 docker image",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc%40%3Cdev.kafka.apache.org%3E"
},
{
"name": "[kafka-users] 20210831 Security vulnerabilities in kafka:2.13-2.6.0/2.7.0 docker image",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc%40%3Cusers.kafka.apache.org%3E"
},
{
"name": "[kafka-users] 20210901 Re: [EXTERNAL] Re: Security vulnerabilities in kafka:2.13-2.6.0/2.7.0 docker image",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7%40%3Cusers.kafka.apache.org%3E"
},
{
"name": "[kafka-dev] 20210901 Re: [EXTERNAL] Re: Security vulnerabilities in kafka:2.13-2.6.0/2.7.0 docker image",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7%40%3Cdev.kafka.apache.org%3E"
},
{
"name": "[hive-issues] 20211012 [jira] [Resolved] (HIVE-24816) Upgrade jackson to 2.10.5.1 or 2.11.0+ due to CVE-2020-25649",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r6a6df5647583541e3cb71c75141008802f7025cee1c430d4ed78f4cc%40%3Cissues.hive.apache.org%3E"
},
{
"name": "[hive-issues] 20211012 [jira] [Updated] (HIVE-24816) Upgrade jackson to 2.10.5.1 or 2.11.0+ due to CVE-2020-25649",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r024b7bda9c43c5560d81238748775c5ecfe01b57280f90df1f773949%40%3Cissues.hive.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "jackson-databind",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "jackson-databind-2.11.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw allows vulnerability to XML external entity (XXE) attacks. The highest threat from this vulnerability is data integrity."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-611",
"description": "CWE-611",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-25T16:15:31",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1887664"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/FasterXML/jackson-databind/issues/2589"
},
{
"name": "[kafka-jira] 20201205 [GitHub] [kafka] sirocchj opened a new pull request #9702: CVE-2020-25649: bumping jackson to patched version 2.10.5.1",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/ra1157e57a01d25e36b0dc17959ace758fc21ba36746de29ba1d8b130%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "[druid-commits] 20201208 [GitHub] [druid] jihoonson opened a new pull request #10655: Bump up jackson-databind to 2.10.5.1",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r2b6ddb3a4f4cd11d8f6305011e1b7438ba813511f2e3ab3180c7ffda%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "[kafka-jira] 20201209 [GitHub] [kafka] ijuma commented on pull request #9702: CVE-2020-25649: bumping jackson to patched version 2.10.5.1",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r2882fc1f3032cd7be66e28787f04ec6f1874ac68d47e310e30ff7eb1%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "[kafka-jira] 20201209 [GitHub] [kafka] niteshmor commented on pull request #9702: CVE-2020-25649: bumping jackson to patched version 2.10.5.1",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/re96dc7a13e13e56190a5d80f9e5440a0d0c83aeec6467b562fbf2dca%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "[kafka-jira] 20201209 [GitHub] [kafka] sirocchj edited a comment on pull request #9702: CVE-2020-25649: bumping jackson to patched version 2.10.5.1",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r1b7ed0c4b6c4301d4dfd6fdbc5581b0a789d3240cab55d766f33c6c6%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "[kafka-jira] 20201209 [GitHub] [kafka] sirocchj commented on pull request #9702: CVE-2020-25649: bumping jackson to patched version 2.10.5.1",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rd317f15a675d114dbf5b488d27eeb2467b4424356b16116eb18a652d%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "[kafka-jira] 20201210 [GitHub] [kafka] sirocchj commented on pull request #9702: CVE-2020-25649: bumping jackson to patched version 2.10.5.1",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rc15e90bbef196a5c6c01659e015249d6c9a73581ca9afb8aeecf00d2%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "[kafka-jira] 20201210 [GitHub] [kafka] niteshmor edited a comment on pull request #9702: CVE-2020-25649: bumping jackson to patched version 2.10.5.1",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r63c87aab97155f3f3cbe11d030c4a184ea0de440ee714977db02e956%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "[kafka-jira] 20201210 [GitHub] [kafka] niteshmor commented on pull request #9702: CVE-2020-25649: bumping jackson to patched version 2.10.5.1",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rc959cdb57c4fe198316130ff4a5ecbf9d680e356032ff2e9f4f05d54%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "[kafka-jira] 20201215 [GitHub] [kafka] ijuma commented on pull request #9702: CVE-2020-25649: bumping jackson to patched version 2.10.5.1",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/raf13235de6df1d47a717199e1ecd700dff3236632f5c9a1488d9845b%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "[kafka-users] 20201215 Re: [VOTE] 2.7.0 RC5",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r6b11eca1d646f45eb0d35d174e6b1e47cfae5295b92000856bfb6304%40%3Cusers.kafka.apache.org%3E"
},
{
"name": "[kafka-dev] 20201215 Re: [VOTE] 2.7.0 RC5",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r6b11eca1d646f45eb0d35d174e6b1e47cfae5295b92000856bfb6304%40%3Cdev.kafka.apache.org%3E"
},
{
"name": "[kafka-jira] 20201215 [GitHub] [kafka] ijuma merged pull request #9702: CVE-2020-25649: bumping jackson to patched version 2.10.5.1",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r5f8a1608d758936bd6bbc5eed980777437b611537bf6fff40663fc71%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "[kafka-jira] 20201215 [GitHub] [kafka] ijuma edited a comment on pull request #9702: CVE-2020-25649: bumping jackson to patched version 2.10.5.1",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r78d53a0a269c18394daf5940105dc8c7f9a2399503c2e78be20abe7e%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210105 [jira] [Created] (ZOOKEEPER-4045) CVE-2020-25649 - Upgrade jackson databind to 2.10.5.1",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r98bfe3b90ea9408f12c4b447edcb5638703d80bc782430aa0c210a54%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210105 [jira] [Updated] (ZOOKEEPER-4045) CVE-2020-25649 - Upgrade jackson databind to 2.10.5.1",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r90d1e97b0a743cf697d89a792a9b669909cc5a1692d1e0083a22e66c%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-dev] 20210105 [jira] [Created] (ZOOKEEPER-4045) CVE-2020-25649 - Upgrade jackson databind to 2.10.5.1",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r900d4408c4189b376d1ec580ea7740ea6f8710dc2f0b7e9c9eeb5ae0%40%3Cdev.zookeeper.apache.org%3E"
},
{
"name": "[kafka-dev] 20210105 Re: [kafka-clients] Re: [VOTE] 2.6.1 RC3",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r8937a7160717fe8b2221767163c4de4f65bc5466405cb1c5310f9080%40%3Cdev.kafka.apache.org%3E"
},
{
"name": "[kafka-users] 20210105 Re: [kafka-clients] Re: [VOTE] 2.6.1 RC3",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r8937a7160717fe8b2221767163c4de4f65bc5466405cb1c5310f9080%40%3Cusers.kafka.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210106 [jira] [Updated] (ZOOKEEPER-4045) CVE-2020-25649 - Upgrade jackson databind to 2.10.5.1",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rd6f6bf848c2d47fa4a85c27d011d948778b8f7e58ba495968435a0b3%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210106 [GitHub] [zookeeper] edwin092 opened a new pull request #1572: ZOOKEEPER-4045: CVE-2020-25649 - Upgrade jackson databind to 2.10.5.1",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r6e3d4f7991542119a4ca6330271d7fbf7b9fb3abab24ada82ddf1ee4%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210106 [jira] [Commented] (ZOOKEEPER-4045) CVE-2020-25649 - Upgrade jackson databind to 2.10.5.1",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r0b8dc3acd4503e4ecb6fbd6ea7d95f59941168d8452ac0ab1d1d96bb%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210106 [GitHub] [zookeeper] asfgit closed pull request #1572: ZOOKEEPER-4045: CVE-2020-25649 - Upgrade jackson databind to 2.10.5.1",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r68d029ee74ab0f3b0569d0c05f5688cb45dd3abe96a6534735252805%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-commits] 20210106 [zookeeper] branch branch-3.5.9 updated: ZOOKEEPER-4045: CVE-2020-25649 - Upgrade jackson databind to 2.10.5.1",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rc88f2fa2b7bd6443921727aeee7704a1fb02433e722e2abf677e0d3d%40%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-commits] 20210106 [zookeeper] branch branch-3.6 updated: ZOOKEEPER-4045: CVE-2020-25649 - Upgrade jackson databind to 2.10.5.1",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r94c7e86e546120f157264ba5ba61fd29b3a8d530ed325a9b4fa334d7%40%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-commits] 20210106 [zookeeper] branch branch-3.5 updated: ZOOKEEPER-4045: CVE-2020-25649 - Upgrade jackson databind to 2.10.5.1",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rdf9a34726482222c90d50ae1b9847881de67dde8cfde4999633d2cdc%40%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210106 [GitHub] [zookeeper] nkalmar commented on pull request #1572: ZOOKEEPER-4045: CVE-2020-25649 - Upgrade jackson databind to 2.10.5.1",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r04529cedaca40c2ff90af4880493f9c88a8ebf4d1d6c861d23108a5a%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-commits] 20210106 [zookeeper] branch master updated: ZOOKEEPER-4045: CVE-2020-25649 - Upgrade jackson databind to 2.10.5.1",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r86c78bf7656fdb2dab69cbf17f3d7492300f771025f1a3a65d5e5ce5%40%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210116 [jira] [Commented] (ZOOKEEPER-4045) CVE-2020-25649 - Upgrade jackson databind to 2.10.5.1",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rb674520b9f6c808c1bf263b1369e14048ec3243615f35cfd24e33604%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[flink-issues] 20210121 [GitHub] [flink-shaded] HuangXingBo opened a new pull request #93: [FLINK-21020][jackson] Bump version to 2.12.1",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/ra95faf968f3463acb3f31a6fbec31453fc5045325f99f396961886d3%40%3Cissues.flink.apache.org%3E"
},
{
"name": "[flink-issues] 20210122 [GitHub] [flink-shaded] HuangXingBo opened a new pull request #93: [FLINK-21020][jackson] Bump version to 2.12.1",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r45e7350dfc92bb192f3f88e9971c11ab2be0953cc375be3dda5170bd%40%3Cissues.flink.apache.org%3E"
},
{
"name": "[tomee-commits] 20210127 [jira] [Created] (TOMEE-2965) CVE-2020-25649 - Update jackson databind",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r95a297eb5fd1f2d3a2281f15340e2413f952e9d5503296c3adc7201a%40%3Ccommits.tomee.apache.org%3E"
},
{
"name": "FEDORA-2021-1d8254899c",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6X2UT4X6M7DLQYBOOHMXBWGYJ65RL2CT/"
},
{
"name": "[karaf-commits] 20210217 [GitHub] [karaf] svogt opened a new pull request #1296: Update jackson-databind to fix CVE-2020-25649 / BDSA-2020-2965",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/re16f81d3ad49a93dd2f0cba9f8fc88e5fb89f30bf9a2ad7b6f3e69c1%40%3Ccommits.karaf.apache.org%3E"
},
{
"name": "[karaf-commits] 20210217 [GitHub] [karaf] jbonofre merged pull request #1296: Update jackson-databind to fix CVE-2020-25649 / BDSA-2020-2965",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r3e6ae311842de4e64c5d560a475b7f9cc7e0a9a8649363c6cf7537eb%40%3Ccommits.karaf.apache.org%3E"
},
{
"name": "[karaf-commits] 20210217 [karaf] branch master updated: Update jackson-databind to fix CVE-2020-25649 / BDSA-2020-2965",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r91722ecfba688b0c565675f8bf380269fde8ec62b54d6161db544c22%40%3Ccommits.karaf.apache.org%3E"
},
{
"name": "[karaf-commits] 20210217 [GitHub] [karaf] jbonofre commented on pull request #1296: Update jackson-databind to fix CVE-2020-25649 / BDSA-2020-2965",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rf1809a1374041a969d77afab21fc38925de066bc97e86157d3ac3402%40%3Ccommits.karaf.apache.org%3E"
},
{
"name": "[hive-issues] 20210223 [jira] [Assigned] (HIVE-24816) Upgrade jackson to 2.10.5.1 or 2.11.0+ due to CVE-2020-25649",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r0881e23bd9034c8f51fdccdc8f4d085ba985dcd738f8520569ca5c3d%40%3Cissues.hive.apache.org%3E"
},
{
"name": "[hive-dev] 20210223 [jira] [Created] (HIVE-24816) Upgrade jackson to 2.10.5.1 or 2.11.0+ due to CVE-2020-25649",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r2eb66c182853c69ecfb52f63d3dec09495e9b65be829fd889a081ae1%40%3Cdev.hive.apache.org%3E"
},
{
"name": "[hive-issues] 20210223 [jira] [Updated] (HIVE-24816) Upgrade jackson to 2.10.5.1 or 2.11.0+ due to CVE-2020-25649",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r5b130fe668503c4b7e2caf1b16f86b7f2070fd1b7ef8f26195a2ffbd%40%3Cissues.hive.apache.org%3E"
},
{
"name": "[hive-issues] 20210223 [jira] [Work logged] (HIVE-24816) Upgrade jackson to 2.10.5.1 or 2.11.0+ due to CVE-2020-25649",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rd57c7582adc90e233f23f3727db3df9115b27a823b92374f11453f34%40%3Cissues.hive.apache.org%3E"
},
{
"name": "[hive-issues] 20210315 [jira] [Work logged] (HIVE-24816) Upgrade jackson to 2.10.5.1 or 2.11.0+ due to CVE-2020-25649",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r407538adec3185dd35a05c9a26ae2f74425b15132470cf540f41d85b%40%3Cissues.hive.apache.org%3E"
},
{
"name": "[hive-issues] 20210316 [jira] [Work logged] (HIVE-24816) Upgrade jackson to 2.10.5.1 or 2.11.0+ due to CVE-2020-25649",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r2f5c5479f99398ef344b7ebd4d90bc3316236c45d0f3bc42090efcd7%40%3Cissues.hive.apache.org%3E"
},
{
"name": "[turbine-commits] 20210316 svn commit: r1887732 - in /turbine/fulcrum/trunk/json: ./ jackson/ jackson/src/test/org/apache/fulcrum/json/jackson/ jackson2/ jackson2/src/test/org/apache/fulcrum/json/jackson/ jackson2/src/test/org/apache/fulcrum/json/jackson/mixins/",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r011d1430e8f40dff9550c3bc5d0f48b14c01ba8aecabd91d5e495386%40%3Ccommits.turbine.apache.org%3E"
},
{
"name": "[iotdb-notifications] 20210324 [jira] [Created] (IOTDB-1256) Jackson have loopholes CVE-2020-25649",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r765283e145049df9b8998f14dcd444345555aae02b1610cfb3188bf8%40%3Cnotifications.iotdb.apache.org%3E"
},
{
"name": "[iotdb-reviews] 20210324 [GitHub] [iotdb] wangchao316 opened a new pull request #2896: [IOTDB-1256] Jackson have loopholes CVE-2020-25649",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r605764e05e201db33b3e9c2e66ff620658f07ad74f296abe483f7042%40%3Creviews.iotdb.apache.org%3E"
},
{
"name": "[iotdb-reviews] 20210324 [GitHub] [iotdb] wangchao316 closed pull request #2896: [IOTDB-1256] Jackson have loopholes CVE-2020-25649",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r7cb5b4b3e4bd41a8042e5725b7285877a17bcbf07f4eb3f7b316af60%40%3Creviews.iotdb.apache.org%3E"
},
{
"name": "[iotdb-commits] 20210325 [iotdb] branch master updated: [IOTDB-1256] upgrade Jackson to 2.11.0 because of loopholes CVE-2020-25649 (#2896)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r73bef1bb601a9f093f915f8075eb49fcca51efade57b817afd5def07%40%3Ccommits.iotdb.apache.org%3E"
},
{
"name": "[iotdb-reviews] 20210325 [GitHub] [iotdb] jixuan1989 merged pull request #2896: [IOTDB-1256] Jackson have loopholes CVE-2020-25649",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r6cbd599b80e787f02ff7a1391d9278a03f37d6a6f4f943f0f01a62fb%40%3Creviews.iotdb.apache.org%3E"
},
{
"name": "[hive-issues] 20210503 [jira] [Work logged] (HIVE-24816) Upgrade jackson to 2.10.5.1 or 2.11.0+ due to CVE-2020-25649",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/ra409f798a1e5a6652b7097429b388650ccd65fd958cee0b6f69bba00%40%3Cissues.hive.apache.org%3E"
},
{
"name": "[hive-issues] 20210510 [jira] [Work logged] (HIVE-24816) Upgrade jackson to 2.10.5.1 or 2.11.0+ due to CVE-2020-25649",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rdca8711bb7aa5d47a44682606cd0ea3497e2e922f22b7ee83e81e6c1%40%3Cissues.hive.apache.org%3E"
},
{
"name": "[hive-issues] 20210514 [jira] [Work logged] (HIVE-24816) Upgrade jackson to 2.10.5.1 or 2.11.0+ due to CVE-2020-25649",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r8ae961c80930e2717c75025414ce48a432cea1137c02f648b1fb9524%40%3Cissues.hive.apache.org%3E"
},
{
"name": "[knox-dev] 20210601 [jira] [Created] (KNOX-2614) Upgrade Jackson due to CVE-2020-25649",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rc82ff47853289e9cd17f5cfbb053c04cafc75ee32e3d7223963f83bb%40%3Cdev.knox.apache.org%3E"
},
{
"name": "[knox-dev] 20210601 [jira] [Updated] (KNOX-2614) Upgrade jackson-databind to 2.10.5 due to CVE-2020-25649",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r6a4f3ef6edfed2e0884269d84798f766779bbbc1005f7884e0800d61%40%3Cdev.knox.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread.html/r31f4ee7d561d56a0c2c2c6eb1d6ce3e05917ff9654fdbfec05dc2b83%40%3Ccommits.servicecomb.apache.org%3E"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20210108-0007/"
},
{
"name": "[spark-user] 20210621 Re: CVEs",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r8764bb835bcb8e311c882ff91dd3949c9824e905e880930be56f6ba3%40%3Cuser.spark.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"name": "[kafka-dev] 20210831 Security vulnerabilities in kafka:2.13-2.6.0/2.7.0 docker image",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc%40%3Cdev.kafka.apache.org%3E"
},
{
"name": "[kafka-users] 20210831 Security vulnerabilities in kafka:2.13-2.6.0/2.7.0 docker image",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc%40%3Cusers.kafka.apache.org%3E"
},
{
"name": "[kafka-users] 20210901 Re: [EXTERNAL] Re: Security vulnerabilities in kafka:2.13-2.6.0/2.7.0 docker image",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7%40%3Cusers.kafka.apache.org%3E"
},
{
"name": "[kafka-dev] 20210901 Re: [EXTERNAL] Re: Security vulnerabilities in kafka:2.13-2.6.0/2.7.0 docker image",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7%40%3Cdev.kafka.apache.org%3E"
},
{
"name": "[hive-issues] 20211012 [jira] [Resolved] (HIVE-24816) Upgrade jackson to 2.10.5.1 or 2.11.0+ due to CVE-2020-25649",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r6a6df5647583541e3cb71c75141008802f7025cee1c430d4ed78f4cc%40%3Cissues.hive.apache.org%3E"
},
{
"name": "[hive-issues] 20211012 [jira] [Updated] (HIVE-24816) Upgrade jackson to 2.10.5.1 or 2.11.0+ due to CVE-2020-25649",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r024b7bda9c43c5560d81238748775c5ecfe01b57280f90df1f773949%40%3Cissues.hive.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2020-25649",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "jackson-databind",
"version": {
"version_data": [
{
"version_value": "jackson-databind-2.11.0"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw allows vulnerability to XML external entity (XXE) attacks. The highest threat from this vulnerability is data integrity."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-611"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=1887664",
"refsource": "MISC",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1887664"
},
{
"name": "https://github.com/FasterXML/jackson-databind/issues/2589",
"refsource": "MISC",
"url": "https://github.com/FasterXML/jackson-databind/issues/2589"
},
{
"name": "[kafka-jira] 20201205 [GitHub] [kafka] sirocchj opened a new pull request #9702: CVE-2020-25649: bumping jackson to patched version 2.10.5.1",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/ra1157e57a01d25e36b0dc17959ace758fc21ba36746de29ba1d8b130@%3Cjira.kafka.apache.org%3E"
},
{
"name": "[druid-commits] 20201208 [GitHub] [druid] jihoonson opened a new pull request #10655: Bump up jackson-databind to 2.10.5.1",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r2b6ddb3a4f4cd11d8f6305011e1b7438ba813511f2e3ab3180c7ffda@%3Ccommits.druid.apache.org%3E"
},
{
"name": "[kafka-jira] 20201209 [GitHub] [kafka] ijuma commented on pull request #9702: CVE-2020-25649: bumping jackson to patched version 2.10.5.1",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r2882fc1f3032cd7be66e28787f04ec6f1874ac68d47e310e30ff7eb1@%3Cjira.kafka.apache.org%3E"
},
{
"name": "[kafka-jira] 20201209 [GitHub] [kafka] niteshmor commented on pull request #9702: CVE-2020-25649: bumping jackson to patched version 2.10.5.1",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/re96dc7a13e13e56190a5d80f9e5440a0d0c83aeec6467b562fbf2dca@%3Cjira.kafka.apache.org%3E"
},
{
"name": "[kafka-jira] 20201209 [GitHub] [kafka] sirocchj edited a comment on pull request #9702: CVE-2020-25649: bumping jackson to patched version 2.10.5.1",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r1b7ed0c4b6c4301d4dfd6fdbc5581b0a789d3240cab55d766f33c6c6@%3Cjira.kafka.apache.org%3E"
},
{
"name": "[kafka-jira] 20201209 [GitHub] [kafka] sirocchj commented on pull request #9702: CVE-2020-25649: bumping jackson to patched version 2.10.5.1",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rd317f15a675d114dbf5b488d27eeb2467b4424356b16116eb18a652d@%3Cjira.kafka.apache.org%3E"
},
{
"name": "[kafka-jira] 20201210 [GitHub] [kafka] sirocchj commented on pull request #9702: CVE-2020-25649: bumping jackson to patched version 2.10.5.1",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rc15e90bbef196a5c6c01659e015249d6c9a73581ca9afb8aeecf00d2@%3Cjira.kafka.apache.org%3E"
},
{
"name": "[kafka-jira] 20201210 [GitHub] [kafka] niteshmor edited a comment on pull request #9702: CVE-2020-25649: bumping jackson to patched version 2.10.5.1",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r63c87aab97155f3f3cbe11d030c4a184ea0de440ee714977db02e956@%3Cjira.kafka.apache.org%3E"
},
{
"name": "[kafka-jira] 20201210 [GitHub] [kafka] niteshmor commented on pull request #9702: CVE-2020-25649: bumping jackson to patched version 2.10.5.1",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rc959cdb57c4fe198316130ff4a5ecbf9d680e356032ff2e9f4f05d54@%3Cjira.kafka.apache.org%3E"
},
{
"name": "[kafka-jira] 20201215 [GitHub] [kafka] ijuma commented on pull request #9702: CVE-2020-25649: bumping jackson to patched version 2.10.5.1",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/raf13235de6df1d47a717199e1ecd700dff3236632f5c9a1488d9845b@%3Cjira.kafka.apache.org%3E"
},
{
"name": "[kafka-users] 20201215 Re: [VOTE] 2.7.0 RC5",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r6b11eca1d646f45eb0d35d174e6b1e47cfae5295b92000856bfb6304@%3Cusers.kafka.apache.org%3E"
},
{
"name": "[kafka-dev] 20201215 Re: [VOTE] 2.7.0 RC5",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r6b11eca1d646f45eb0d35d174e6b1e47cfae5295b92000856bfb6304@%3Cdev.kafka.apache.org%3E"
},
{
"name": "[kafka-jira] 20201215 [GitHub] [kafka] ijuma merged pull request #9702: CVE-2020-25649: bumping jackson to patched version 2.10.5.1",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r5f8a1608d758936bd6bbc5eed980777437b611537bf6fff40663fc71@%3Cjira.kafka.apache.org%3E"
},
{
"name": "[kafka-jira] 20201215 [GitHub] [kafka] ijuma edited a comment on pull request #9702: CVE-2020-25649: bumping jackson to patched version 2.10.5.1",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r78d53a0a269c18394daf5940105dc8c7f9a2399503c2e78be20abe7e@%3Cjira.kafka.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210105 [jira] [Created] (ZOOKEEPER-4045) CVE-2020-25649 - Upgrade jackson databind to 2.10.5.1",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r98bfe3b90ea9408f12c4b447edcb5638703d80bc782430aa0c210a54@%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210105 [jira] [Updated] (ZOOKEEPER-4045) CVE-2020-25649 - Upgrade jackson databind to 2.10.5.1",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r90d1e97b0a743cf697d89a792a9b669909cc5a1692d1e0083a22e66c@%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-dev] 20210105 [jira] [Created] (ZOOKEEPER-4045) CVE-2020-25649 - Upgrade jackson databind to 2.10.5.1",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r900d4408c4189b376d1ec580ea7740ea6f8710dc2f0b7e9c9eeb5ae0@%3Cdev.zookeeper.apache.org%3E"
},
{
"name": "[kafka-dev] 20210105 Re: [kafka-clients] Re: [VOTE] 2.6.1 RC3",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r8937a7160717fe8b2221767163c4de4f65bc5466405cb1c5310f9080@%3Cdev.kafka.apache.org%3E"
},
{
"name": "[kafka-users] 20210105 Re: [kafka-clients] Re: [VOTE] 2.6.1 RC3",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r8937a7160717fe8b2221767163c4de4f65bc5466405cb1c5310f9080@%3Cusers.kafka.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210106 [jira] [Updated] (ZOOKEEPER-4045) CVE-2020-25649 - Upgrade jackson databind to 2.10.5.1",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rd6f6bf848c2d47fa4a85c27d011d948778b8f7e58ba495968435a0b3@%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210106 [GitHub] [zookeeper] edwin092 opened a new pull request #1572: ZOOKEEPER-4045: CVE-2020-25649 - Upgrade jackson databind to 2.10.5.1",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r6e3d4f7991542119a4ca6330271d7fbf7b9fb3abab24ada82ddf1ee4@%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210106 [jira] [Commented] (ZOOKEEPER-4045) CVE-2020-25649 - Upgrade jackson databind to 2.10.5.1",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r0b8dc3acd4503e4ecb6fbd6ea7d95f59941168d8452ac0ab1d1d96bb@%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210106 [GitHub] [zookeeper] asfgit closed pull request #1572: ZOOKEEPER-4045: CVE-2020-25649 - Upgrade jackson databind to 2.10.5.1",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r68d029ee74ab0f3b0569d0c05f5688cb45dd3abe96a6534735252805@%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-commits] 20210106 [zookeeper] branch branch-3.5.9 updated: ZOOKEEPER-4045: CVE-2020-25649 - Upgrade jackson databind to 2.10.5.1",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rc88f2fa2b7bd6443921727aeee7704a1fb02433e722e2abf677e0d3d@%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-commits] 20210106 [zookeeper] branch branch-3.6 updated: ZOOKEEPER-4045: CVE-2020-25649 - Upgrade jackson databind to 2.10.5.1",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r94c7e86e546120f157264ba5ba61fd29b3a8d530ed325a9b4fa334d7@%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-commits] 20210106 [zookeeper] branch branch-3.5 updated: ZOOKEEPER-4045: CVE-2020-25649 - Upgrade jackson databind to 2.10.5.1",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rdf9a34726482222c90d50ae1b9847881de67dde8cfde4999633d2cdc@%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210106 [GitHub] [zookeeper] nkalmar commented on pull request #1572: ZOOKEEPER-4045: CVE-2020-25649 - Upgrade jackson databind to 2.10.5.1",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r04529cedaca40c2ff90af4880493f9c88a8ebf4d1d6c861d23108a5a@%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-commits] 20210106 [zookeeper] branch master updated: ZOOKEEPER-4045: CVE-2020-25649 - Upgrade jackson databind to 2.10.5.1",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r86c78bf7656fdb2dab69cbf17f3d7492300f771025f1a3a65d5e5ce5@%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210116 [jira] [Commented] (ZOOKEEPER-4045) CVE-2020-25649 - Upgrade jackson databind to 2.10.5.1",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rb674520b9f6c808c1bf263b1369e14048ec3243615f35cfd24e33604@%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[flink-issues] 20210121 [GitHub] [flink-shaded] HuangXingBo opened a new pull request #93: [FLINK-21020][jackson] Bump version to 2.12.1",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/ra95faf968f3463acb3f31a6fbec31453fc5045325f99f396961886d3@%3Cissues.flink.apache.org%3E"
},
{
"name": "[flink-issues] 20210122 [GitHub] [flink-shaded] HuangXingBo opened a new pull request #93: [FLINK-21020][jackson] Bump version to 2.12.1",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r45e7350dfc92bb192f3f88e9971c11ab2be0953cc375be3dda5170bd@%3Cissues.flink.apache.org%3E"
},
{
"name": "[tomee-commits] 20210127 [jira] [Created] (TOMEE-2965) CVE-2020-25649 - Update jackson databind",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r95a297eb5fd1f2d3a2281f15340e2413f952e9d5503296c3adc7201a@%3Ccommits.tomee.apache.org%3E"
},
{
"name": "FEDORA-2021-1d8254899c",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6X2UT4X6M7DLQYBOOHMXBWGYJ65RL2CT/"
},
{
"name": "[karaf-commits] 20210217 [GitHub] [karaf] svogt opened a new pull request #1296: Update jackson-databind to fix CVE-2020-25649 / BDSA-2020-2965",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/re16f81d3ad49a93dd2f0cba9f8fc88e5fb89f30bf9a2ad7b6f3e69c1@%3Ccommits.karaf.apache.org%3E"
},
{
"name": "[karaf-commits] 20210217 [GitHub] [karaf] jbonofre merged pull request #1296: Update jackson-databind to fix CVE-2020-25649 / BDSA-2020-2965",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r3e6ae311842de4e64c5d560a475b7f9cc7e0a9a8649363c6cf7537eb@%3Ccommits.karaf.apache.org%3E"
},
{
"name": "[karaf-commits] 20210217 [karaf] branch master updated: Update jackson-databind to fix CVE-2020-25649 / BDSA-2020-2965",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r91722ecfba688b0c565675f8bf380269fde8ec62b54d6161db544c22@%3Ccommits.karaf.apache.org%3E"
},
{
"name": "[karaf-commits] 20210217 [GitHub] [karaf] jbonofre commented on pull request #1296: Update jackson-databind to fix CVE-2020-25649 / BDSA-2020-2965",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rf1809a1374041a969d77afab21fc38925de066bc97e86157d3ac3402@%3Ccommits.karaf.apache.org%3E"
},
{
"name": "[hive-issues] 20210223 [jira] [Assigned] (HIVE-24816) Upgrade jackson to 2.10.5.1 or 2.11.0+ due to CVE-2020-25649",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r0881e23bd9034c8f51fdccdc8f4d085ba985dcd738f8520569ca5c3d@%3Cissues.hive.apache.org%3E"
},
{
"name": "[hive-dev] 20210223 [jira] [Created] (HIVE-24816) Upgrade jackson to 2.10.5.1 or 2.11.0+ due to CVE-2020-25649",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r2eb66c182853c69ecfb52f63d3dec09495e9b65be829fd889a081ae1@%3Cdev.hive.apache.org%3E"
},
{
"name": "[hive-issues] 20210223 [jira] [Updated] (HIVE-24816) Upgrade jackson to 2.10.5.1 or 2.11.0+ due to CVE-2020-25649",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r5b130fe668503c4b7e2caf1b16f86b7f2070fd1b7ef8f26195a2ffbd@%3Cissues.hive.apache.org%3E"
},
{
"name": "[hive-issues] 20210223 [jira] [Work logged] (HIVE-24816) Upgrade jackson to 2.10.5.1 or 2.11.0+ due to CVE-2020-25649",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rd57c7582adc90e233f23f3727db3df9115b27a823b92374f11453f34@%3Cissues.hive.apache.org%3E"
},
{
"name": "[hive-issues] 20210315 [jira] [Work logged] (HIVE-24816) Upgrade jackson to 2.10.5.1 or 2.11.0+ due to CVE-2020-25649",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r407538adec3185dd35a05c9a26ae2f74425b15132470cf540f41d85b@%3Cissues.hive.apache.org%3E"
},
{
"name": "[hive-issues] 20210316 [jira] [Work logged] (HIVE-24816) Upgrade jackson to 2.10.5.1 or 2.11.0+ due to CVE-2020-25649",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r2f5c5479f99398ef344b7ebd4d90bc3316236c45d0f3bc42090efcd7@%3Cissues.hive.apache.org%3E"
},
{
"name": "[turbine-commits] 20210316 svn commit: r1887732 - in /turbine/fulcrum/trunk/json: ./ jackson/ jackson/src/test/org/apache/fulcrum/json/jackson/ jackson2/ jackson2/src/test/org/apache/fulcrum/json/jackson/ jackson2/src/test/org/apache/fulcrum/json/jackson/mixins/",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r011d1430e8f40dff9550c3bc5d0f48b14c01ba8aecabd91d5e495386@%3Ccommits.turbine.apache.org%3E"
},
{
"name": "[iotdb-notifications] 20210324 [jira] [Created] (IOTDB-1256) Jackson have loopholes CVE-2020-25649",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r765283e145049df9b8998f14dcd444345555aae02b1610cfb3188bf8@%3Cnotifications.iotdb.apache.org%3E"
},
{
"name": "[iotdb-reviews] 20210324 [GitHub] [iotdb] wangchao316 opened a new pull request #2896: [IOTDB-1256] Jackson have loopholes CVE-2020-25649",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r605764e05e201db33b3e9c2e66ff620658f07ad74f296abe483f7042@%3Creviews.iotdb.apache.org%3E"
},
{
"name": "[iotdb-reviews] 20210324 [GitHub] [iotdb] wangchao316 closed pull request #2896: [IOTDB-1256] Jackson have loopholes CVE-2020-25649",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r7cb5b4b3e4bd41a8042e5725b7285877a17bcbf07f4eb3f7b316af60@%3Creviews.iotdb.apache.org%3E"
},
{
"name": "[iotdb-commits] 20210325 [iotdb] branch master updated: [IOTDB-1256] upgrade Jackson to 2.11.0 because of loopholes CVE-2020-25649 (#2896)",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r73bef1bb601a9f093f915f8075eb49fcca51efade57b817afd5def07@%3Ccommits.iotdb.apache.org%3E"
},
{
"name": "[iotdb-reviews] 20210325 [GitHub] [iotdb] jixuan1989 merged pull request #2896: [IOTDB-1256] Jackson have loopholes CVE-2020-25649",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r6cbd599b80e787f02ff7a1391d9278a03f37d6a6f4f943f0f01a62fb@%3Creviews.iotdb.apache.org%3E"
},
{
"name": "[hive-issues] 20210503 [jira] [Work logged] (HIVE-24816) Upgrade jackson to 2.10.5.1 or 2.11.0+ due to CVE-2020-25649",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/ra409f798a1e5a6652b7097429b388650ccd65fd958cee0b6f69bba00@%3Cissues.hive.apache.org%3E"
},
{
"name": "[hive-issues] 20210510 [jira] [Work logged] (HIVE-24816) Upgrade jackson to 2.10.5.1 or 2.11.0+ due to CVE-2020-25649",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rdca8711bb7aa5d47a44682606cd0ea3497e2e922f22b7ee83e81e6c1@%3Cissues.hive.apache.org%3E"
},
{
"name": "[hive-issues] 20210514 [jira] [Work logged] (HIVE-24816) Upgrade jackson to 2.10.5.1 or 2.11.0+ due to CVE-2020-25649",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r8ae961c80930e2717c75025414ce48a432cea1137c02f648b1fb9524@%3Cissues.hive.apache.org%3E"
},
{
"name": "[knox-dev] 20210601 [jira] [Created] (KNOX-2614) Upgrade Jackson due to CVE-2020-25649",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rc82ff47853289e9cd17f5cfbb053c04cafc75ee32e3d7223963f83bb@%3Cdev.knox.apache.org%3E"
},
{
"name": "[knox-dev] 20210601 [jira] [Updated] (KNOX-2614) Upgrade jackson-databind to 2.10.5 due to CVE-2020-25649",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r6a4f3ef6edfed2e0884269d84798f766779bbbc1005f7884e0800d61@%3Cdev.knox.apache.org%3E"
},
{
"name": "https://www.oracle.com/security-alerts/cpuApr2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"name": "https://lists.apache.org/thread.html/r31f4ee7d561d56a0c2c2c6eb1d6ce3e05917ff9654fdbfec05dc2b83@%3Ccommits.servicecomb.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/r31f4ee7d561d56a0c2c2c6eb1d6ce3e05917ff9654fdbfec05dc2b83@%3Ccommits.servicecomb.apache.org%3E"
},
{
"name": "https://security.netapp.com/advisory/ntap-20210108-0007/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20210108-0007/"
},
{
"name": "[spark-user] 20210621 Re: CVEs",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r8764bb835bcb8e311c882ff91dd3949c9824e905e880930be56f6ba3@%3Cuser.spark.apache.org%3E"
},
{
"name": "https://www.oracle.com//security-alerts/cpujul2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"name": "[kafka-dev] 20210831 Security vulnerabilities in kafka:2.13-2.6.0/2.7.0 docker image",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc@%3Cdev.kafka.apache.org%3E"
},
{
"name": "[kafka-users] 20210831 Security vulnerabilities in kafka:2.13-2.6.0/2.7.0 docker image",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc@%3Cusers.kafka.apache.org%3E"
},
{
"name": "[kafka-users] 20210901 Re: [EXTERNAL] Re: Security vulnerabilities in kafka:2.13-2.6.0/2.7.0 docker image",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7@%3Cusers.kafka.apache.org%3E"
},
{
"name": "[kafka-dev] 20210901 Re: [EXTERNAL] Re: Security vulnerabilities in kafka:2.13-2.6.0/2.7.0 docker image",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7@%3Cdev.kafka.apache.org%3E"
},
{
"name": "[hive-issues] 20211012 [jira] [Resolved] (HIVE-24816) Upgrade jackson to 2.10.5.1 or 2.11.0+ due to CVE-2020-25649",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r6a6df5647583541e3cb71c75141008802f7025cee1c430d4ed78f4cc@%3Cissues.hive.apache.org%3E"
},
{
"name": "[hive-issues] 20211012 [jira] [Updated] (HIVE-24816) Upgrade jackson to 2.10.5.1 or 2.11.0+ due to CVE-2020-25649",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r024b7bda9c43c5560d81238748775c5ecfe01b57280f90df1f773949@%3Cissues.hive.apache.org%3E"
},
{
"name": "https://www.oracle.com/security-alerts/cpuoct2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpujan2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpuapr2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpujul2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2020-25649",
"datePublished": "2020-12-03T16:16:50",
"dateReserved": "2020-09-16T00:00:00",
"dateUpdated": "2024-08-04T15:40:36.648Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-30468 (GCVE-0-2021-30468)
Vulnerability from cvelistv5
Published
2021-06-16 12:00
Modified
2024-08-03 22:32
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-400 - Uncontrolled Resource Consumption
Summary
A vulnerability in the JsonMapObjectReaderWriter of Apache CXF allows an attacker to submit malformed JSON to a web service, which results in the thread getting stuck in an infinite loop, consuming CPU indefinitely. This issue affects Apache CXF versions prior to 3.4.4; Apache CXF versions prior to 3.3.11.
References
| ► | URL | Tags | |||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache CXF |
Version: Apache CXF < 3.4.4 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T22:32:41.089Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://cxf.apache.org/security-advisories.data/CVE-2021-30468.txt.asc"
},
{
"name": "[cxf-users] 20210616 CVE-2021-30468: Apache CXF Denial of service vulnerability in parsing JSON via JsonMapObjectReaderWriter",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r4a4b6bc0520b69c18d2a59daa6af84ae49f0c22164dccb8538794459%40%3Cusers.cxf.apache.org%3E"
},
{
"name": "[cxf-dev] 20210616 CVE-2021-30468: Apache CXF Denial of service vulnerability in parsing JSON via JsonMapObjectReaderWriter",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r4a4b6bc0520b69c18d2a59daa6af84ae49f0c22164dccb8538794459%40%3Cdev.cxf.apache.org%3E"
},
{
"name": "[announce] 20210616 CVE-2021-30468: Apache CXF Denial of service vulnerability in parsing JSON via JsonMapObjectReaderWriter",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r4a4b6bc0520b69c18d2a59daa6af84ae49f0c22164dccb8538794459%40%3Cannounce.apache.org%3E"
},
{
"name": "[oss-security] 20210616 CVE-2021-30468: Apache CXF Denial of service vulnerability in parsing JSON via JsonMapObjectReaderWriter",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2021/06/16/2"
},
{
"name": "[tomee-commits] 20210705 [jira] [Created] (TOMEE-3768) TomEE plus is affected by CVE-CVE-2021-30468 vulnerability related to Apache CXF",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r3f46ae38e4a6e80c069cdb320e0ce831b0a21a12ef0cc92c0943f34a%40%3Ccommits.tomee.apache.org%3E"
},
{
"name": "[tomee-commits] 20210705 [jira] [Updated] (TOMEE-3768) TomEE plus is affected by CVE-CVE-2021-30468 vulnerability related to Apache CXF",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/re5b2a2b77faa22684d47bd2ac6623135c615565328ff40a1ec705448%40%3Ccommits.tomee.apache.org%3E"
},
{
"name": "[tomee-commits] 20210901 [jira] [Resolved] (TOMEE-3768) TomEE plus is affected by CVE-CVE-2021-30468 vulnerability related to Apache CXF",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rac07822057521dccf33ab5d136e0e8c599a6e2c8ac75e44ffbdc6e07%40%3Ccommits.tomee.apache.org%3E"
},
{
"name": "[tomee-commits] 20210901 [jira] [Commented] (TOMEE-3768) TomEE plus is affected by CVE-CVE-2021-30468 vulnerability related to Apache CXF",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/re9e05c6cab5f0dcc827eba4e6fcf26fa0b493e7ca84d62c867a80d03%40%3Ccommits.tomee.apache.org%3E"
},
{
"name": "[tomee-commits] 20210913 [jira] [Commented] (TOMEE-3768) TomEE plus is affected by CVE-CVE-2021-30468 vulnerability related to Apache CXF",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/ra833f78b3fa577cb43558cf343859a1bf70b1c5ce2353b3877d96422%40%3Ccommits.tomee.apache.org%3E"
},
{
"name": "[tomee-commits] 20210913 [jira] [Updated] (TOMEE-3768) TomEE plus is affected by CVE-CVE-2021-30468 vulnerability related to Apache CXF",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r54c0f1cbbb9f381dfbedb9ea5e90ecb1c0a15371f40c4b10322ac737%40%3Ccommits.tomee.apache.org%3E"
},
{
"name": "[tomee-commits] 20210913 [jira] [Reopened] (TOMEE-3768) TomEE plus is affected by CVE-CVE-2021-30468 vulnerability related to Apache CXF",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r4771084730c4cf6e59eda60b4407122c86f174eb750b24f610ba9ff4%40%3Ccommits.tomee.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20210917-0002/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache CXF",
"vendor": "Apache Software Foundation",
"versions": [
{
"changes": [
{
"at": "3.3.11",
"status": "unaffected"
}
],
"lessThan": "3.4.4",
"status": "affected",
"version": "Apache CXF",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability in the JsonMapObjectReaderWriter of Apache CXF allows an attacker to submit malformed JSON to a web service, which results in the thread getting stuck in an infinite loop, consuming CPU indefinitely. This issue affects Apache CXF versions prior to 3.4.4; Apache CXF versions prior to 3.3.11."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400 Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-04-19T23:54:48",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "http://cxf.apache.org/security-advisories.data/CVE-2021-30468.txt.asc"
},
{
"name": "[cxf-users] 20210616 CVE-2021-30468: Apache CXF Denial of service vulnerability in parsing JSON via JsonMapObjectReaderWriter",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r4a4b6bc0520b69c18d2a59daa6af84ae49f0c22164dccb8538794459%40%3Cusers.cxf.apache.org%3E"
},
{
"name": "[cxf-dev] 20210616 CVE-2021-30468: Apache CXF Denial of service vulnerability in parsing JSON via JsonMapObjectReaderWriter",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r4a4b6bc0520b69c18d2a59daa6af84ae49f0c22164dccb8538794459%40%3Cdev.cxf.apache.org%3E"
},
{
"name": "[announce] 20210616 CVE-2021-30468: Apache CXF Denial of service vulnerability in parsing JSON via JsonMapObjectReaderWriter",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r4a4b6bc0520b69c18d2a59daa6af84ae49f0c22164dccb8538794459%40%3Cannounce.apache.org%3E"
},
{
"name": "[oss-security] 20210616 CVE-2021-30468: Apache CXF Denial of service vulnerability in parsing JSON via JsonMapObjectReaderWriter",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2021/06/16/2"
},
{
"name": "[tomee-commits] 20210705 [jira] [Created] (TOMEE-3768) TomEE plus is affected by CVE-CVE-2021-30468 vulnerability related to Apache CXF",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r3f46ae38e4a6e80c069cdb320e0ce831b0a21a12ef0cc92c0943f34a%40%3Ccommits.tomee.apache.org%3E"
},
{
"name": "[tomee-commits] 20210705 [jira] [Updated] (TOMEE-3768) TomEE plus is affected by CVE-CVE-2021-30468 vulnerability related to Apache CXF",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/re5b2a2b77faa22684d47bd2ac6623135c615565328ff40a1ec705448%40%3Ccommits.tomee.apache.org%3E"
},
{
"name": "[tomee-commits] 20210901 [jira] [Resolved] (TOMEE-3768) TomEE plus is affected by CVE-CVE-2021-30468 vulnerability related to Apache CXF",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rac07822057521dccf33ab5d136e0e8c599a6e2c8ac75e44ffbdc6e07%40%3Ccommits.tomee.apache.org%3E"
},
{
"name": "[tomee-commits] 20210901 [jira] [Commented] (TOMEE-3768) TomEE plus is affected by CVE-CVE-2021-30468 vulnerability related to Apache CXF",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/re9e05c6cab5f0dcc827eba4e6fcf26fa0b493e7ca84d62c867a80d03%40%3Ccommits.tomee.apache.org%3E"
},
{
"name": "[tomee-commits] 20210913 [jira] [Commented] (TOMEE-3768) TomEE plus is affected by CVE-CVE-2021-30468 vulnerability related to Apache CXF",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/ra833f78b3fa577cb43558cf343859a1bf70b1c5ce2353b3877d96422%40%3Ccommits.tomee.apache.org%3E"
},
{
"name": "[tomee-commits] 20210913 [jira] [Updated] (TOMEE-3768) TomEE plus is affected by CVE-CVE-2021-30468 vulnerability related to Apache CXF",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r54c0f1cbbb9f381dfbedb9ea5e90ecb1c0a15371f40c4b10322ac737%40%3Ccommits.tomee.apache.org%3E"
},
{
"name": "[tomee-commits] 20210913 [jira] [Reopened] (TOMEE-3768) TomEE plus is affected by CVE-CVE-2021-30468 vulnerability related to Apache CXF",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r4771084730c4cf6e59eda60b4407122c86f174eb750b24f610ba9ff4%40%3Ccommits.tomee.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20210917-0002/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache CXF Denial of service vulnerability in parsing JSON via JsonMapObjectReaderWriter",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2021-30468",
"STATE": "PUBLIC",
"TITLE": "Apache CXF Denial of service vulnerability in parsing JSON via JsonMapObjectReaderWriter"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache CXF",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "Apache CXF",
"version_value": "3.4.4"
},
{
"version_affected": "\u003c",
"version_name": "Apache CXF",
"version_value": "3.3.11"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A vulnerability in the JsonMapObjectReaderWriter of Apache CXF allows an attacker to submit malformed JSON to a web service, which results in the thread getting stuck in an infinite loop, consuming CPU indefinitely. This issue affects Apache CXF versions prior to 3.4.4; Apache CXF versions prior to 3.3.11."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-400 Uncontrolled Resource Consumption"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://cxf.apache.org/security-advisories.data/CVE-2021-30468.txt.asc",
"refsource": "MISC",
"url": "http://cxf.apache.org/security-advisories.data/CVE-2021-30468.txt.asc"
},
{
"name": "[cxf-users] 20210616 CVE-2021-30468: Apache CXF Denial of service vulnerability in parsing JSON via JsonMapObjectReaderWriter",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r4a4b6bc0520b69c18d2a59daa6af84ae49f0c22164dccb8538794459@%3Cusers.cxf.apache.org%3E"
},
{
"name": "[cxf-dev] 20210616 CVE-2021-30468: Apache CXF Denial of service vulnerability in parsing JSON via JsonMapObjectReaderWriter",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r4a4b6bc0520b69c18d2a59daa6af84ae49f0c22164dccb8538794459@%3Cdev.cxf.apache.org%3E"
},
{
"name": "[announce] 20210616 CVE-2021-30468: Apache CXF Denial of service vulnerability in parsing JSON via JsonMapObjectReaderWriter",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r4a4b6bc0520b69c18d2a59daa6af84ae49f0c22164dccb8538794459@%3Cannounce.apache.org%3E"
},
{
"name": "[oss-security] 20210616 CVE-2021-30468: Apache CXF Denial of service vulnerability in parsing JSON via JsonMapObjectReaderWriter",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2021/06/16/2"
},
{
"name": "[tomee-commits] 20210705 [jira] [Created] (TOMEE-3768) TomEE plus is affected by CVE-CVE-2021-30468 vulnerability related to Apache CXF",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r3f46ae38e4a6e80c069cdb320e0ce831b0a21a12ef0cc92c0943f34a@%3Ccommits.tomee.apache.org%3E"
},
{
"name": "[tomee-commits] 20210705 [jira] [Updated] (TOMEE-3768) TomEE plus is affected by CVE-CVE-2021-30468 vulnerability related to Apache CXF",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/re5b2a2b77faa22684d47bd2ac6623135c615565328ff40a1ec705448@%3Ccommits.tomee.apache.org%3E"
},
{
"name": "[tomee-commits] 20210901 [jira] [Resolved] (TOMEE-3768) TomEE plus is affected by CVE-CVE-2021-30468 vulnerability related to Apache CXF",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rac07822057521dccf33ab5d136e0e8c599a6e2c8ac75e44ffbdc6e07@%3Ccommits.tomee.apache.org%3E"
},
{
"name": "[tomee-commits] 20210901 [jira] [Commented] (TOMEE-3768) TomEE plus is affected by CVE-CVE-2021-30468 vulnerability related to Apache CXF",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/re9e05c6cab5f0dcc827eba4e6fcf26fa0b493e7ca84d62c867a80d03@%3Ccommits.tomee.apache.org%3E"
},
{
"name": "[tomee-commits] 20210913 [jira] [Commented] (TOMEE-3768) TomEE plus is affected by CVE-CVE-2021-30468 vulnerability related to Apache CXF",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/ra833f78b3fa577cb43558cf343859a1bf70b1c5ce2353b3877d96422@%3Ccommits.tomee.apache.org%3E"
},
{
"name": "[tomee-commits] 20210913 [jira] [Updated] (TOMEE-3768) TomEE plus is affected by CVE-CVE-2021-30468 vulnerability related to Apache CXF",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r54c0f1cbbb9f381dfbedb9ea5e90ecb1c0a15371f40c4b10322ac737@%3Ccommits.tomee.apache.org%3E"
},
{
"name": "[tomee-commits] 20210913 [jira] [Reopened] (TOMEE-3768) TomEE plus is affected by CVE-CVE-2021-30468 vulnerability related to Apache CXF",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r4771084730c4cf6e59eda60b4407122c86f174eb750b24f610ba9ff4@%3Ccommits.tomee.apache.org%3E"
},
{
"name": "https://www.oracle.com/security-alerts/cpuoct2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"name": "https://security.netapp.com/advisory/ntap-20210917-0002/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20210917-0002/"
},
{
"name": "https://www.oracle.com/security-alerts/cpuapr2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2021-30468",
"datePublished": "2021-06-16T12:00:18",
"dateReserved": "2021-04-08T00:00:00",
"dateUpdated": "2024-08-03T22:32:41.089Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-1108 (GCVE-0-2023-1108)
Vulnerability from cvelistv5
Published
2023-09-14 14:48
Modified
2024-08-02 05:32
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')
Summary
A flaw was found in undertow. This issue makes achieving a denial of service possible due to an unexpected handshake status updated in SslConduit, where the loop never terminates.
References
| ► | URL | Tags | ||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ► | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-1108",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-08T18:37:50.625681Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-08T18:38:02.186Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T05:32:46.370Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "RHSA-2023:1184",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2023:1184"
},
{
"name": "RHSA-2023:1185",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2023:1185"
},
{
"name": "RHSA-2023:1512",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2023:1512"
},
{
"name": "RHSA-2023:1513",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2023:1513"
},
{
"name": "RHSA-2023:1514",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2023:1514"
},
{
"name": "RHSA-2023:1516",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2023:1516"
},
{
"name": "RHSA-2023:2135",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2023:2135"
},
{
"name": "RHSA-2023:3883",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2023:3883"
},
{
"name": "RHSA-2023:3884",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2023:3884"
},
{
"name": "RHSA-2023:3885",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2023:3885"
},
{
"name": "RHSA-2023:3888",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2023:3888"
},
{
"name": "RHSA-2023:3892",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2023:3892"
},
{
"name": "RHSA-2023:3954",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2023:3954"
},
{
"name": "RHSA-2023:4612",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2023:4612"
},
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/security/cve/CVE-2023-1108"
},
{
"name": "RHBZ#2174246",
"tags": [
"issue-tracking",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2174246"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/advisories/GHSA-m4mm-pg93-fv78"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20231020-0002/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com/undertow-io/undertow",
"packageName": "io.undertow:undertow-core",
"versions": [
{
"status": "unaffected",
"version": "2.3.5"
},
{
"status": "unaffected",
"version": "2.2.24"
}
]
},
{
"collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
"cpes": [
"cpe:/a:redhat:jboss_enterprise_application_platform:7.4"
],
"defaultStatus": "unaffected",
"product": "EAP 7.4.10 release",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
"cpes": [
"cpe:/a:redhat:jboss_fuse:7"
],
"defaultStatus": "unaffected",
"packageName": "undertow",
"product": "Red Hat Fuse 7.12",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
"cpes": [
"cpe:/a:redhat:jboss_enterprise_application_platform:7.4"
],
"defaultStatus": "unaffected",
"packageName": "undertow",
"product": "Red Hat JBoss Enterprise Application Platform 7.1.0",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7",
"cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9",
"cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8"
],
"defaultStatus": "affected",
"packageName": "eap7-undertow",
"product": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:2.2.22-1.SP3_redhat_00002.1.el8eap",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7",
"cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9",
"cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8"
],
"defaultStatus": "affected",
"packageName": "eap7-wildfly",
"product": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:7.4.9-6.GA_redhat_00004.1.el8eap",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8"
],
"defaultStatus": "affected",
"packageName": "eap7-undertow",
"product": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:2.2.23-1.SP2_redhat_00001.1.el8eap",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8"
],
"defaultStatus": "affected",
"packageName": "eap7-undertow-jastow",
"product": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:2.0.14-1.Final_redhat_00001.1.el8eap",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7",
"cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9",
"cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8"
],
"defaultStatus": "affected",
"packageName": "eap7-undertow",
"product": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:2.2.22-1.SP3_redhat_00002.1.el9eap",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7",
"cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9",
"cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8"
],
"defaultStatus": "affected",
"packageName": "eap7-wildfly",
"product": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:7.4.9-6.GA_redhat_00004.1.el9eap",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9"
],
"defaultStatus": "affected",
"packageName": "eap7-undertow",
"product": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:2.2.23-1.SP2_redhat_00001.1.el9eap",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9"
],
"defaultStatus": "affected",
"packageName": "eap7-undertow-jastow",
"product": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:2.0.14-1.Final_redhat_00001.1.el9eap",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7",
"cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9",
"cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8"
],
"defaultStatus": "affected",
"packageName": "eap7-undertow",
"product": "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:2.2.22-1.SP3_redhat_00002.1.el7eap",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7",
"cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9",
"cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8"
],
"defaultStatus": "affected",
"packageName": "eap7-wildfly",
"product": "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:7.4.9-6.GA_redhat_00004.1.el7eap",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7"
],
"defaultStatus": "affected",
"packageName": "eap7-undertow",
"product": "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:2.2.23-1.SP2_redhat_00001.1.el7eap",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7"
],
"defaultStatus": "affected",
"packageName": "eap7-undertow-jastow",
"product": "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:2.0.14-1.Final_redhat_00001.1.el7eap",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:red_hat_single_sign_on:7.6.4"
],
"defaultStatus": "unaffected",
"packageName": "undertow",
"product": "Red Hat Single Sign-On 7",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:red_hat_single_sign_on:7.6::el7"
],
"defaultStatus": "affected",
"packageName": "rh-sso7-keycloak",
"product": "Red Hat Single Sign-On 7.6 for RHEL 7",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:18.0.8-1.redhat_00001.1.el7sso",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:red_hat_single_sign_on:7.6::el8"
],
"defaultStatus": "affected",
"packageName": "rh-sso7-keycloak",
"product": "Red Hat Single Sign-On 7.6 for RHEL 8",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:18.0.8-1.redhat_00001.1.el8sso",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:red_hat_single_sign_on:7.6::el9"
],
"defaultStatus": "affected",
"packageName": "rh-sso7-keycloak",
"product": "Red Hat Single Sign-On 7.6 for RHEL 9",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:18.0.8-1.redhat_00001.1.el9sso",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:openshift_application_runtimes:1.0"
],
"defaultStatus": "unaffected",
"packageName": "undertow",
"product": "Red Hat support for Spring Boot 2.7.13",
"vendor": "Red Hat"
},
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:rhosemc:1.0::el8"
],
"defaultStatus": "affected",
"packageName": "rh-sso-7/sso76-openshift-rhel8",
"product": "RHEL-8 based Middleware Containers",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "7.6-24",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:jboss_enterprise_bpms_platform:7.13"
],
"defaultStatus": "unaffected",
"packageName": "undertow",
"product": "RHPAM 7.13.1 async",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:quarkus:2"
],
"defaultStatus": "unaffected",
"packageName": "io.quarkus/quarkus-undertow",
"product": "Red Hat build of Quarkus",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:jboss_data_grid:8"
],
"defaultStatus": "unaffected",
"packageName": "undertow",
"product": "Red Hat Data Grid 8",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:integration:1"
],
"defaultStatus": "affected",
"packageName": "undertow",
"product": "Red Hat Integration Camel K",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:camel_quarkus:2"
],
"defaultStatus": "unaffected",
"packageName": "undertow",
"product": "Red Hat Integration Camel Quarkus",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:service_registry:2"
],
"defaultStatus": "affected",
"packageName": "undertow",
"product": "Red Hat Integration Service Registry",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
"cpes": [
"cpe:/a:redhat:jboss_data_grid:7"
],
"defaultStatus": "unknown",
"packageName": "undertow",
"product": "Red Hat JBoss Data Grid 7",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
"cpes": [
"cpe:/a:redhat:jbosseapxp"
],
"defaultStatus": "affected",
"packageName": "undertow",
"product": "Red Hat JBoss Enterprise Application Platform Expansion Pack",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
"cpes": [
"cpe:/a:redhat:jboss_fuse:6"
],
"defaultStatus": "unknown",
"packageName": "undertow",
"product": "Red Hat JBoss Fuse 6",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:openstack:13"
],
"defaultStatus": "affected",
"packageName": "undertow",
"product": "Red Hat OpenStack Platform 13 (Queens)",
"vendor": "Red Hat"
}
],
"datePublic": "2023-03-07T00:00:00+00:00",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in undertow. This issue makes achieving a denial of service possible due to an unexpected handshake status updated in SslConduit, where the loop never terminates."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-835",
"description": "Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-03T15:32:32.904Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "RHSA-2023:1184",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2023:1184"
},
{
"name": "RHSA-2023:1185",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2023:1185"
},
{
"name": "RHSA-2023:1512",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2023:1512"
},
{
"name": "RHSA-2023:1513",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2023:1513"
},
{
"name": "RHSA-2023:1514",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2023:1514"
},
{
"name": "RHSA-2023:1516",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2023:1516"
},
{
"name": "RHSA-2023:2135",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2023:2135"
},
{
"name": "RHSA-2023:3883",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2023:3883"
},
{
"name": "RHSA-2023:3884",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2023:3884"
},
{
"name": "RHSA-2023:3885",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2023:3885"
},
{
"name": "RHSA-2023:3888",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2023:3888"
},
{
"name": "RHSA-2023:3892",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2023:3892"
},
{
"name": "RHSA-2023:3954",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2023:3954"
},
{
"name": "RHSA-2023:4612",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2023:4612"
},
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2023-1108"
},
{
"name": "RHBZ#2174246",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2174246"
},
{
"url": "https://github.com/advisories/GHSA-m4mm-pg93-fv78"
},
{
"url": "https://security.netapp.com/advisory/ntap-20231020-0002/"
}
],
"timeline": [
{
"lang": "en",
"time": "2023-02-07T00:00:00+00:00",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2023-03-07T00:00:00+00:00",
"value": "Made public."
}
],
"title": "Undertow: infinite loop in sslconduit during close",
"x_redhatCweChain": "CWE-835: Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)"
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2023-1108",
"datePublished": "2023-09-14T14:48:58.869Z",
"dateReserved": "2023-03-01T00:27:23.587Z",
"dateUpdated": "2024-08-02T05:32:46.370Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…