grpc-netty-1.60.0.jar: 1 vulnerabilities (highest severity is: 5.3) - autoclosed #181
Labels
Comments
mend-for-github-com
bot
added
the
Mend: dependency security vulnerability
|
ℹ️ This issue was automatically closed by Mend because it is a duplicate of an existing issue: #182 |
mend-for-github-com
bot
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Path to dependency file: /src/frauddetectionservice/build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http/4.1.100.Final/992623e7d8f2d96e41faf1687bb963f5433e3517/netty-codec-http-4.1.100.Final.jar
Found in HEAD commit: de73c8b6e42eb87e8f3abc02dbfb4a71a6d2f028
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Library - netty-codec-http-4.1.100.Final.jar
Library home page: https://netty.io/
Path to dependency file: /src/frauddetectionservice/build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http/4.1.100.Final/992623e7d8f2d96e41faf1687bb963f5433e3517/netty-codec-http-4.1.100.Final.jar
Dependency Hierarchy:
Found in HEAD commit: de73c8b6e42eb87e8f3abc02dbfb4a71a6d2f028
Found in base branch: main
Vulnerability Details
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. The
HttpPostRequestDecodercan be tricked to accumulate data. While the decoder can store items on the disk if configured so, there are no limits to the number of fields the form can have, an attacher can send a chunked post consisting of many small fields that will be accumulated in thebodyListHttpDatalist. The decoder cumulates bytes in theundecodedChunkbuffer until it can decode a field, this field can cumulate data without limits. This vulnerability is fixed in 4.1.108.Final.Publish Date: 2024-03-25
URL: CVE-2024-29025
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2024-29025
Release Date: 2024-03-25
Fix Resolution (io.netty:netty-codec-http): 4.1.108.Final
Direct dependency fix Resolution (io.grpc:grpc-netty): 1.67.1
⛑️ Automatic Remediation will be attempted for this issue.
⛑️Automatic Remediation will be attempted for this issue.
The text was updated successfully, but these errors were encountered: