search

amaybaum-local / remediate-test6

0 stars 1 forks source link

CVE-2020-11612 (High, reachable) detected in netty-codec-4.1.13.Final.jar - autoclosed #42

Closed mend-local-app[bot] closed 6 months ago

mend-local-app[bot] commented 6 months ago

CVE-2020-11612 - High Severity Vulnerability

Vulnerable Library - netty-codec-4.1.13.Final.jar

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.

Library home page: http://netty.io/

Path to dependency file: /pom.xml

Path to vulnerable library: /Users/alexmaybaum/.m2/repository/io/netty/netty-codec/4.1.13.Final/netty-codec-4.1.13.Final.jar

Dependency Hierarchy: - transport-5.6.4.jar (Root Library) - transport-netty4-client-5.6.4.jar - :x: **netty-codec-4.1.13.Final.jar** (Vulnerable Library)

Found in HEAD commit: 9c6901108cf0138889fa46846fabfcb78828d070

Found in base branch: vp-rem

Reachability Analysis(Reachable)

This vulnerability is potentially used ``` com.visualpathit.account.utils.ElasticsearchUtil (Application) -> org.elasticsearch.transport.client.PreBuiltTransportClient (Extension) -> org.elasticsearch.transport.Netty4Plugin (Extension) -> org.elasticsearch.http.netty4.Netty4HttpServerTransport (Extension) ... -> io.netty.handler.codec.http.HttpContentCompressor (Extension) -> io.netty.handler.codec.compression.ZlibCodecFactory (Extension) -> ❌ io.netty.handler.codec.compression.JZlibDecoder (Vulnerable Component) ```

Vulnerability Details

The ZlibDecoders in Netty 4.1.x before 4.1.46 allow for unbounded memory allocation while decoding a ZlibEncoded byte stream. An attacker could send a large ZlibEncoded byte stream to the Netty server, forcing the server to allocate all of its free memory to a single decoder.

Publish Date: 2020-04-07

URL: CVE-2020-11612

CVSS 3 Score Details (9.8)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://netty.io/news/2020/02/28/4-1-46-Final.html

Release Date: 2020-04-07

Fix Resolution: io.netty:netty-codec:4.1.46.Final;io.netty:netty-all:4.1.46.Final

mend-local-app[bot] commented 6 months ago

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.