GHSA-q4h9-7rxj-7gx2

Source

https://github.com/advisories/GHSA-q4h9-7rxj-7gx2

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/12/GHSA-q4h9-7rxj-7gx2/GHSA-q4h9-7rxj-7gx2.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-q4h9-7rxj-7gx2

Published

2024-12-02T20:03:03Z

Modified

2024-12-02T20:23:49.367539Z

Severity

5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
6.8 (Medium) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVSS Calculator

Summary

Netty vulnerability included in redis lettuce

Details

Summary

Note: i'm reporting this in this way purely because it's private and i don't want to broadcast vulnerabilities.

An unsafe reading of environment file could potentially cause a denial of service in Netty. When loaded on an Windows application, Netty attempts to load a file that does not exist. If an attacker creates such a large file, the Netty application crashes. This vulnerability is fixed in 4.1.115.

Details

https://github.com/redis/lettuce/blob/main/pom.xml#L67C9-L67C53 The netty version pinned here is currently

<netty.version>4.1.113.Final</netty.version>

This version is vulnerable according to Snyk and is affecting one of our products:

Here is a link to the CVE

PoC

Complete instructions, including specific configuration details, to reproduce the vulnerability. Not applicable

Impact

What kind of vulnerability is it? Who is impacted? Denial of Service, affecting Windows users.

Database specific

{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-400"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-12-02T20:03:03Z"
}

References

Affected packages

Maven / io.lettuce:lettuce-core

Package

Name: io.lettuce:lettuce-core; View open source insights on deps.dev
Purl: pkg:maven/io.lettuce/lettuce-core

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

6.5.1.RELEASE

Affected versions

5.*

5.0.0.M2

5.0.0.RC1

5.0.0.RC2

5.0.0.RELEASE

5.0.1.RELEASE

5.0.2.RELEASE

5.0.3.RELEASE

5.0.4.RELEASE

5.0.5.RELEASE

5.1.0.M1

5.1.0.RC1

5.1.0.RELEASE

5.1.1.RELEASE

5.1.2.RELEASE

5.1.3.RELEASE

5.1.4.RELEASE

5.1.5.RELEASE

5.1.6.RELEASE

5.1.7.RELEASE

5.1.8.RELEASE

5.2.0.RELEASE

5.2.1.RELEASE

5.2.2.RELEASE

5.3.0.RELEASE

5.3.1.RELEASE

5.3.2.RELEASE

5.3.3.RELEASE

5.3.4.RELEASE

5.3.5.RELEASE

5.3.6.RELEASE

5.3.7.RELEASE

6.*

6.0.0.M1

6.0.0.RC1

6.0.0.RC2

6.0.0.RELEASE

6.0.1.RELEASE

6.0.2.RELEASE

6.0.3.RELEASE

6.0.4.RELEASE

6.0.5.RELEASE

6.0.6.RELEASE

6.0.7.RELEASE

6.0.8.RELEASE

6.0.9.RELEASE

6.1.0.M1

6.1.0.RC1

6.1.0.RELEASE

6.1.1.RELEASE

6.1.2.RELEASE

6.1.3.RELEASE

6.1.4.RELEASE

6.1.5.RELEASE

6.1.6.RELEASE

6.1.7.RELEASE

6.1.8.RELEASE

6.1.9.RELEASE

6.1.10.RELEASE

6.2.0.RELEASE

6.2.1.RELEASE

6.2.2.RELEASE

6.2.3.RELEASE

6.2.4.RELEASE

6.2.5.RELEASE

6.2.6.RELEASE

6.2.7.RELEASE

6.3.0.RELEASE

6.3.1.RELEASE

6.3.2.RELEASE

6.4.0.M1

6.4.0.RELEASE

6.4.1.RELEASE

6.5.0.RC1

6.5.0.RC2

6.5.0.RELEASE