You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. The HttpPostRequestDecoder can be tricked to accumulate data. While the decoder can store items on the disk if configured so, there are no limits to the number of fields the form can have, an attacher can send a chunked post consisting of many small fields that will be accumulated in the bodyListHttpData list. The decoder cumulates bytes in the undecodedChunk buffer until it can decode a field, this field can cumulate data without limits. This vulnerability is fixed in 4.1.108.Final.
Vulnerable Library - selenium-java-4.13.0.jar
Path to dependency file: /aggregator/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-codec-http/4.1.96.Final/netty-codec-http-4.1.96.Final.jar
Found in HEAD commit: 1d1619bc4a4bd8a08cadf806a20f497a501d5d59
Vulnerabilities
Unreachable
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2024-29025
Vulnerable Library - netty-codec-http-4.1.96.Final.jar
Library home page: https://netty.io/
Path to dependency file: /example/app-model/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-codec-http/4.1.96.Final/netty-codec-http-4.1.96.Final.jar
Dependency Hierarchy:
Found in HEAD commit: 1d1619bc4a4bd8a08cadf806a20f497a501d5d59
Found in base branch: main
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. The
HttpPostRequestDecoder
can be tricked to accumulate data. While the decoder can store items on the disk if configured so, there are no limits to the number of fields the form can have, an attacher can send a chunked post consisting of many small fields that will be accumulated in thebodyListHttpData
list. The decoder cumulates bytes in theundecodedChunk
buffer until it can decode a field, this field can cumulate data without limits. This vulnerability is fixed in 4.1.108.Final.Publish Date: 2024-03-25
URL: CVE-2024-29025
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.0%
CVSS 3 Score Details (5.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2024-29025
Release Date: 2024-03-25
Fix Resolution (io.netty:netty-codec-http): 4.1.108.Final
Direct dependency fix Resolution (org.seleniumhq.selenium:selenium-java): 4.14.0
⛑️ Automatic Remediation will be attempted for this issue.
⛑️Automatic Remediation will be attempted for this issue.
The text was updated successfully, but these errors were encountered: