UBUNTU-CVE-2022-24823

Source
https://ubuntu.com/security/CVE-2022-24823
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2022/UBUNTU-CVE-2022-24823.json
JSON Data
https://api.osv.dev/v1/vulns/UBUNTU-CVE-2022-24823
Related
Published
2022-05-06T12:15:00Z
Modified
2024-12-18T16:39:56Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
[none]
Details

Netty is an open-source, asynchronous event-driven network application framework. The package io.netty:netty-codec-http prior to version 4.1.77.Final contains an insufficient fix for CVE-2021-21290. When Netty's multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled. This only impacts applications running on Java version 6 and lower. Additionally, this vulnerability impacts code running on Unix-like systems, and very old versions of Mac OSX and Windows as they all share the system temporary directory between all users. Version 4.1.77.Final contains a patch for this vulnerability. As a workaround, specify one's own java.io.tmpdir when starting the JVM or use DefaultHttpDataFactory.setBaseDir(...) to set the directory to something that is only readable by the current user.

References

Affected packages

Ubuntu:Pro:14.04:LTS / netty

Package

Name
netty
Purl
pkg:deb/ubuntu/netty?arch=src?distro=esm-infra-legacy/trusty

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1:3.*

1:3.2.6.Final-2
1:3.2.6.Final-2+deb8u2build0.14.04.1~esm1

Ecosystem specific

{
    "ubuntu_priority": "low"
}

Ubuntu:Pro:16.04:LTS / netty

Package

Name
netty
Purl
pkg:deb/ubuntu/netty?arch=src?distro=esm-apps/xenial

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1:3.*

1:3.2.6.Final-2

1:4.*

1:4.0.32-1
1:4.0.33-1
1:4.0.34-1
1:4.0.34-1ubuntu0.1~esm1

Ecosystem specific

{
    "ubuntu_priority": "low"
}

Ubuntu:Pro:18.04:LTS / netty

Package

Name
netty
Purl
pkg:deb/ubuntu/netty?arch=src?distro=esm-apps/bionic

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1:4.*

1:4.1.7-4
1:4.1.7-4ubuntu0.1~esm1
1:4.1.7-4ubuntu0.1
1:4.1.7-4ubuntu0.1+esm1
1:4.1.7-4ubuntu0.1+esm2

Ecosystem specific

{
    "ubuntu_priority": "low"
}

Ubuntu:20.04:LTS / netty

Package

Name
netty
Purl
pkg:deb/ubuntu/netty?arch=src?distro=focal

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1:4.*

1:4.1.33-1
1:4.1.33-2
1:4.1.33-3
1:4.1.45-1

Ecosystem specific

{
    "ubuntu_priority": "low"
}

Ubuntu:22.04:LTS / netty

Package

Name
netty
Purl
pkg:deb/ubuntu/netty?arch=src?distro=jammy

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1:4.*

1:4.1.48-4
1:4.1.48-4+deb11u1build0.22.04.1
1:4.1.48-4+deb11u2build0.22.04.1

Ecosystem specific

{
    "ubuntu_priority": "low"
}

Ubuntu:24.10 / netty

Package

Name
netty
Purl
pkg:deb/ubuntu/netty?arch=src?distro=oracular

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1:4.*

1:4.1.48-9
1:4.1.48-10

Ecosystem specific

{
    "ubuntu_priority": "low"
}

Ubuntu:24.04:LTS / netty

Package

Name
netty
Purl
pkg:deb/ubuntu/netty?arch=src?distro=noble

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1:4.*

1:4.1.48-7
1:4.1.48-8
1:4.1.48-9

Ecosystem specific

{
    "ubuntu_priority": "low"
}