vert-x3 / issues

Apache License 2.0

Netty Dependencies identified with a CVSS score of 9.1 during org.owasp:dependency-check #560

Closed runnermann closed 3 years ago

runnermann commented 3 years ago

While attempting to upgrade to vertx 4.0.0-milestone4, our project failed during compile time: the org.owasp dependency-check-maven plugin reported that the netty dependency had a CVSS score of 9.1. The report provided the following:

Dependencies: netty-transport-4.1.42.Final.jar

CVE-2019-20444

HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax, or might be interpreted as an "invalid fold."

CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv2:

Base Score: MEDIUM (6.4)
Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:N

CVSSv3:

Base Score: CRITICAL (9.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
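The build failure above comes from dependency-check-maven's CVSS threshold, which is the right place to catch a transitive Netty version like this one. The pom fragment below is an added example, not from the vert-x3 issue or any project mentioned in it: it wires the plugin's `check` goal into the build with `failBuildOnCVSS` set so a CRITICAL finding stops the build, and pins the Netty artifacts through the `io.netty:netty-bom` import so that whatever a framework dependency pulls in transitively resolves to a version the team has reviewed. The plugin version is a placeholder; `4.1.44.Final` is used only because CVE-2019-20444 describes Netty before 4.1.44 as affected, and `7.0` is a chosen threshold, not a recommendation from the thread.

```xml
<!-- Added example (not code from the issue thread). Illustrates two
     defensive controls in one pom.xml:
       1. dependency-check-maven failing the build on high-severity CVEs
       2. a dependencyManagement BOM import pinning transitive Netty
          artifacts to a reviewed version -->
<project>
  <dependencyManagement>
    <dependencies>
      <!-- Maven's dependencyManagement wins over transitive versions, so this
           BOM import overrides whatever netty-transport version a framework
           dependency (e.g. vert.x) would otherwise bring in. -->
      <dependency>
        <groupId>io.netty</groupId>
        <artifactId>netty-bom</artifactId>
        <!-- CVE-2019-20444 affects Netty before 4.1.44; treat this value as
             an example floor, not the current safe version -->
        <version>4.1.44.Final</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <build>
    <plugins>
      <plugin>
        <groupId>org.owasp</groupId>
        <artifactId>dependency-check-maven</artifactId>
        <!-- PLACEHOLDER: replace with a current plugin release -->
        <version>PLUGIN_VERSION</version>
        <configuration>
          <!-- Fail the build when any dependency has a CVSS score >= 7.0.
               With this setting the 9.1 finding in the report above would
               stop the build, as it did for the reporter. -->
          <failBuildOnCVSS>7.0</failBuildOnCVSS>
          <!-- Produce a machine-readable report alongside the HTML one so
               findings can be tracked between builds. -->
          <formats>
            <format>HTML</format>
            <format>JSON</format>
          </formats>
        </configuration>
        <executions>
          <execution>
            <goals>
              <!-- 'check' runs the scan and applies failBuildOnCVSS -->
              <goal>check</goal>
            </goals>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

Before and after changing the pin, `mvn dependency:tree -Dincludes=io.netty` shows which Netty artifacts actually resolve and through which path they arrive, which is the quickest way to confirm that the framework upgrade suggested below (or the BOM pin) has moved `netty-transport` past the affected range rather than merely hiding the finding.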

pmlopes commented 3 years ago

@runnermann the latest beta is 4.0.0.Beta3, please try that instead, as that milestone was released more than 9m ago and it was just a showcase of the 4.0.0 branch at that time.

runnermann commented 3 years ago

Yes! Thanks, that solves the issue. No reported CVEs. :)

On Oct 21, 2020, at 2:34 AM, Julien Viet notifications@github.com wrote:

Closed #560 https://github.com/vert-x3/issues/issues/560.
