Netty is an asynchronous event-driven network application framework for
rapid development of maintainable high performance protocol servers and
clients.
Path to dependency file: /spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-data-r2dbc-liquibase/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http2/4.1.50.Final/cb3b530644b17d60984ffd018878e8ff389c384c/netty-codec-http2-4.1.50.Final.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http2/4.1.50.Final/cb3b530644b17d60984ffd018878e8ff389c384c/netty-codec-http2-4.1.50.Final.jar
Path to dependency file: /spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-actuator-custom-security/build.gradle
Path to vulnerable library: /canner/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/9.0.36/cf6574dd9c4764e60c548b69da52fc07a5a0a9bd/tomcat-embed-core-9.0.36.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/9.0.36/cf6574dd9c4764e60c548b69da52fc07a5a0a9bd/tomcat-embed-core-9.0.36.jar,/canner/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/9.0.36/cf6574dd9c4764e60c548b69da52fc07a5a0a9bd/tomcat-embed-core-9.0.36.jar
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
CVE-2023-44487 - High Severity Vulnerability
Vulnerable Libraries - netty-codec-http2-4.1.50.Final.jar, tomcat-embed-core-9.0.36.jar
netty-codec-http2-4.1.50.Final.jar
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.
Path to dependency file: /spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-data-r2dbc-liquibase/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http2/4.1.50.Final/cb3b530644b17d60984ffd018878e8ff389c384c/netty-codec-http2-4.1.50.Final.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http2/4.1.50.Final/cb3b530644b17d60984ffd018878e8ff389c384c/netty-codec-http2-4.1.50.Final.jar
Dependency Hierarchy: - netty-bom-4.1.50.Final (Root Library) - :x: **netty-codec-http2-4.1.50.Final.jar** (Vulnerable Library)
tomcat-embed-core-9.0.36.jar
Core Tomcat implementation
Library home page: https://tomcat.apache.org/
Path to dependency file: /spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-actuator-custom-security/build.gradle
Path to vulnerable library: /canner/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/9.0.36/cf6574dd9c4764e60c548b69da52fc07a5a0a9bd/tomcat-embed-core-9.0.36.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/9.0.36/cf6574dd9c4764e60c548b69da52fc07a5a0a9bd/tomcat-embed-core-9.0.36.jar,/canner/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/9.0.36/cf6574dd9c4764e60c548b69da52fc07a5a0a9bd/tomcat-embed-core-9.0.36.jar
Dependency Hierarchy: - :x: **tomcat-embed-core-9.0.36.jar** (Vulnerable Library)
Found in base branch: master
Vulnerability Details
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
Publish Date: 2023-10-10
URL: CVE-2023-44487
CVSS 3 Score Details (7.5)
Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-44487
Release Date: 2023-10-10
Fix Resolution: 4.1.100.Final
Step up your Open Source Security Game with Mend here