GHSA-mm9x-g8pc-w292

Source

https://github.com/advisories/GHSA-mm9x-g8pc-w292

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-mm9x-g8pc-w292/GHSA-mm9x-g8pc-w292.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-mm9x-g8pc-w292

Aliases

CVE-2020-11612

Published

2020-06-15T19:36:16Z

Modified

2024-03-14T05:18:47.685399Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Summary

Denial of Service in Netty

Details

The ZlibDecoders in Netty 4.1.x before 4.1.46 allow for unbounded memory allocation while decoding a ZlibEncoded byte stream. An attacker could send a large ZlibEncoded byte stream to the Netty server, forcing the server to allocate all of its free memory to a single decoder.

Database specific

{
    "nvd_published_at": "2020-04-07T18:15:00Z",
    "cwe_ids": [
        "CWE-119",
        "CWE-400",
        "CWE-770"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-11T19:58:52Z"
}

References

Affected packages

Maven / io.netty:netty-handler

Package

Name: io.netty:netty-handler; View open source insights on deps.dev
Purl: pkg:maven/io.netty/netty-handler

Affected ranges

Type: ECOSYSTEM
Events: Introduced

4.1.0

Fixed

4.1.46

Affected versions

4.*

4.1.0.Final

4.1.1.Final

4.1.2.Final

4.1.3.Final

4.1.4.Final

4.1.5.Final

4.1.6.Final

4.1.7.Final

4.1.8.Final

4.1.9.Final

4.1.10.Final

4.1.11.Final

4.1.12.Final

4.1.13.Final

4.1.14.Final

4.1.15.Final

4.1.16.Final

4.1.17.Final

4.1.18.Final

4.1.19.Final

4.1.20.Final

4.1.21.Final

4.1.22.Final

4.1.23.Final

4.1.24.Final

4.1.25.Final

4.1.26.Final

4.1.27.Final

4.1.28.Final

4.1.29.Final

4.1.30.Final

4.1.31.Final

4.1.32.Final

4.1.33.Final

4.1.34.Final

4.1.35.Final

4.1.36.Final

4.1.37.Final

4.1.38.Final

4.1.39.Final

4.1.40.Final

4.1.41.Final

4.1.42.Final

4.1.43.Final

4.1.44.Final

4.1.45.Final