[Apiiro] SCA OSS Vulnerabilities - Critical CVSS score · Critical Risk

[apiiro-staging[bot]]

adsada

Discovered on: Mar 10, 2024 15:57
Dependency: org.jboss.netty:netty
Version: 3.2.2.Final
Type: Sub dependency
Introduced through:

• org.apache.storm:storm-core: 0.9.2-incubating > org.apache.curator:curator-framework: 2.4.0 > org.apache.zookeeper:zookeeper: 3.4.5 > org.jboss.netty:netty: 3.2.2.Final

Vulnerabilities

• Information Exposure in Netty with CVSS score 7.5. fixed version: 3.9.8.Final
• SnappyFrameDecoder doesn't restrict chunk length any may buffer skippable chunks in an unnecessary way with CVSS score 7.5. fixed version: 4.0.0
• Possible request smuggling in HTTP/2 due missing validation with CVSS score 5.900000095367432. fixed version: 4.0.0
• HTTP Request Smuggling in Netty with CVSS score 9.100000381469727. fixed version: 4.0.0
• Local Information Disclosure Vulnerability in Netty on Unix-Like systems with CVSS score 6.199999809265137. fixed version: 4.0.0
• HTTP request smuggling in netty with CVSS score 6.5. fixed version: 4.0.0
• Possible request smuggling in HTTP/2 due missing validation of content-length with CVSS score 5.900000095367432. fixed version: 4.0.0
• HTTP Request Smuggling in Netty with CVSS score . fixed version: 4.0.0
• Bzip2Decoder doesn't allow setting size restrictions for decompressed data with CVSS score 7.5. fixed version: 4.0.0
• HTTP Request Smuggling in Netty with CVSS score 7.5. fixed version: 4.0.0

About this package:

External dependency: org.jboss.netty:netty - http://www.jboss.org/netty/
Package details:
The Netty project is an effort to provide an asynchronous event-driven
network application framework and tools for rapid development of
maintainable high performance and high scalability protocol servers and
clients. In other words, Netty is a NIO client server framework which
enables quick and easy development of network applications such as protocol
servers and clients. It greatly simplifies and streamlines network
programming such as TCP and UDP socket server.

Latest version: 3.2.10.Final
License: Apache-2.0
Insights:

• Frequent commits - New code commits are frequently being pushed
• Historical CVEs - This package had at least two critical or high CVEs in two consecutive years
• Has vulnerabilities - One or more vulnerabilities have been reported for this package

Remediation

Upgrade the top level dependencies (Declared in: reindexing/enrichment-bolt/pom.xml) to change org.jboss.netty:netty 3.2.2.Final to the minimum required version org.jboss.netty:netty 4.0.0:

org.jboss.netty:netty: 3.2.2.Final -> 4.0.0
View in Apiiro