GHSA-grg4-wf29-r9vv

Source

https://github.com/advisories/GHSA-grg4-wf29-r9vv

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/09/GHSA-grg4-wf29-r9vv/GHSA-grg4-wf29-r9vv.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-grg4-wf29-r9vv

Aliases

CVE-2021-37136

Published

2021-09-09T17:11:21Z

Modified

2024-03-11T05:19:43.929590Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Summary

Bzip2Decoder doesn't allow setting size restrictions for decompressed data

Details

Impact

The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression).

All users of Bzip2Decoder are affected. The malicious input can trigger an OOME and so a DoS attack

Workarounds

No workarounds other than not using the Bzip2Decoder

References

Relevant code areas:

https://github.com/netty/netty/blob/netty-4.1.67.Final/codec/src/main/java/io/netty/handler/codec/compression/Bzip2Decoder.java#L80 https://github.com/netty/netty/blob/netty-4.1.67.Final/codec/src/main/java/io/netty/handler/codec/compression/Bzip2Decoder.java#L294 https://github.com/netty/netty/blob/netty-4.1.67.Final/codec/src/main/java/io/netty/handler/codec/compression/Bzip2Decoder.java#L305

References

Affected packages

Maven / io.netty:netty-codec

Package

Name: io.netty:netty-codec; View open source insights on deps.dev
Purl: pkg:maven/io.netty/netty-codec

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

4.1.68.Final

Affected versions

4.*

4.0.0.Alpha1

4.0.0.Alpha2

4.0.0.Alpha3

4.0.0.Alpha4

4.0.0.Alpha5

4.0.0.Alpha6

4.0.0.Alpha7

4.0.0.Alpha8

4.0.0.Beta1

4.0.0.Beta2

4.0.0.Beta3

4.0.0.CR1

4.0.0.CR2

4.0.0.CR3

4.0.0.CR4

4.0.0.CR5

4.0.0.CR6

4.0.0.CR7

4.0.0.CR8

4.0.0.CR9

4.0.0.Final

4.0.1.Final

4.0.2.Final

4.0.3.Final

4.0.4.Final

4.0.5.Final

4.0.6.Final

4.0.7.Final

4.0.8.Final

4.0.9.Final

4.0.10.Final

4.0.11.Final

4.0.12.Final

4.0.13.Final

4.0.14.Beta1

4.0.14.Final

4.0.15.Final

4.0.16.Final

4.0.17.Final

4.0.18.Final

4.0.19.Final

4.0.20.Final

4.0.21.Final

4.0.22.Final

4.0.23.Final

4.0.24.Final

4.0.25.Final

4.0.26.Final

4.0.27.Final

4.0.28.Final

4.0.29.Final

4.0.30.Final

4.0.31.Final

4.0.32.Final

4.0.33.Final

4.0.34.Final

4.0.35.Final

4.0.36.Final

4.0.37.Final

4.0.38.Final

4.0.39.Final

4.0.40.Final

4.0.41.Final

4.0.42.Final

4.0.43.Final

4.0.44.Final

4.0.45.Final

4.0.46.Final

4.0.47.Final

4.0.48.Final

4.0.49.Final

4.0.50.Final

4.0.51.Final

4.0.52.Final

4.0.53.Final

4.0.54.Final

4.0.55.Final

4.0.56.Final

4.1.0.Beta1

4.1.0.Beta2

4.1.0.Beta3

4.1.0.Beta4

4.1.0.Beta5

4.1.0.Beta6

4.1.0.Beta7

4.1.0.Beta8

4.1.0.CR1

4.1.0.CR2

4.1.0.CR3

4.1.0.CR4

4.1.0.CR5

4.1.0.CR6

4.1.0.CR7

4.1.0.Final

4.1.1.Final

4.1.2.Final

4.1.3.Final

4.1.4.Final

4.1.5.Final

4.1.6.Final

4.1.7.Final

4.1.8.Final

4.1.9.Final

4.1.10.Final

4.1.11.Final

4.1.12.Final

4.1.13.Final

4.1.14.Final

4.1.15.Final

4.1.16.Final

4.1.17.Final

4.1.18.Final

4.1.19.Final

4.1.20.Final

4.1.21.Final

4.1.22.Final

4.1.23.Final

4.1.24.Final

4.1.25.Final

4.1.26.Final

4.1.27.Final

4.1.28.Final

4.1.29.Final

4.1.30.Final

4.1.31.Final

4.1.32.Final

4.1.33.Final

4.1.34.Final

4.1.35.Final

4.1.36.Final

4.1.37.Final

4.1.38.Final

4.1.39.Final

4.1.40.Final

4.1.41.Final

4.1.42.Final

4.1.43.Final

4.1.44.Final

4.1.45.Final

4.1.46.Final

4.1.47.Final

4.1.48.Final

4.1.49.Final

4.1.50.Final

4.1.51.Final

4.1.52.Final

4.1.53.Final

4.1.54.Final

4.1.55.Final

4.1.56.Final

4.1.57.Final

4.1.58.Final

4.1.59.Final

4.1.60.Final

4.1.61.Final

4.1.62.Final

4.1.63.Final

4.1.64.Final

4.1.65.Final

4.1.66.Final

4.1.67.Final

Maven / org.jboss.netty:netty

Package

Name: org.jboss.netty:netty; View open source insights on deps.dev
Purl: pkg:maven/org.jboss.netty/netty

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

3.*

3.0.0.CR1

3.0.0.CR2

3.0.0.CR3

3.0.0.CR4

3.0.0.CR5

3.0.0.GA

3.0.1.GA

3.0.2.GA

3.1.0.ALPHA1

3.1.0.ALPHA2

3.1.0.ALPHA3

3.1.0.ALPHA4

3.1.0.BETA1

3.1.0.BETA2

3.1.0.BETA3

3.1.0.CR1

3.1.0.GA

3.1.1.GA

3.1.2.GA

3.1.3.GA

3.1.4.GA

3.1.5.GA

3.2.0.ALPHA1

3.2.0.ALPHA2

3.2.0.ALPHA3

3.2.0.ALPHA4

3.2.0.BETA1

3.2.0.CR1

3.2.0.Final

3.2.1.Final

3.2.2.Final

3.2.3.Final

3.2.4.Final

3.2.5.Final

3.2.6.Final

3.2.7.Final

3.2.8.Final

3.2.9.Final

3.2.10.Final

Database specific

{
    "last_known_affected_version_range": "< 4.0.0"
}

Maven / io.netty:netty

Package

Name: io.netty:netty; View open source insights on deps.dev
Purl: pkg:maven/io.netty/netty

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

3.*

3.3.0.Final

3.3.1.Final

3.4.0.Alpha1

3.4.0.Alpha2

3.4.0.Beta1

3.4.0.Final

3.4.1.Final

3.4.2.Final

3.4.3.Final

3.4.4.Final

3.4.5.Final

3.4.6.Final

3.5.0.Beta1

3.5.0.Final

3.5.1.Final

3.5.2.Final

3.5.3.Final

3.5.4.Final

3.5.5.Final

3.5.6.Final

3.5.7.Final

3.5.8.Final

3.5.9.Final

3.5.10.Final

3.5.11.Final

3.5.12.Final

3.5.13.Final

3.6.0.Beta1

3.6.0.Final

3.6.1.Final

3.6.2.Final

3.6.3.Final

3.6.4.Final

3.6.5.Final

3.6.6.Final

3.6.7.Final

3.6.8.Final

3.6.9.Final

3.6.10.Final

3.7.0.Final

3.7.1.Final

3.8.0.Final

3.8.1.Final

3.8.2.Final

3.8.3.Final

3.9.0.Final

3.9.1.Final

3.9.1.1.Final

3.9.2.Final

3.9.3.Final

3.9.4.Final

3.9.5.Final

3.9.6.Final

3.9.7.Final

3.9.8.Final

3.9.9.Final

3.10.0.Final

3.10.1.Final

3.10.2.Final

3.10.3.Final

3.10.4.Final

3.10.5.Final

3.10.6.Final

4.*

4.0.0.Alpha1

4.0.0.Alpha2

4.0.0.Alpha3

4.0.0.Alpha4

4.0.0.Alpha5

4.0.0.Alpha6

4.0.0.Alpha7

4.0.0.Alpha8

Database specific

{
    "last_known_affected_version_range": "< 4.0.0"
}