GHSA-q4h9-7rxj-7gx2

Suggest an improvement
Source
https://github.com/advisories/GHSA-q4h9-7rxj-7gx2
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/12/GHSA-q4h9-7rxj-7gx2/GHSA-q4h9-7rxj-7gx2.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-q4h9-7rxj-7gx2
Published
2024-12-02T20:03:03Z
Modified
2024-12-02T20:23:15.467729Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
  • 6.8 (Medium) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVSS Calculator
Summary
Netty vulnerability included in redis lettuce
Details

Summary

Note: i'm reporting this in this way purely because it's private and i don't want to broadcast vulnerabilities.

An unsafe reading of environment file could potentially cause a denial of service in Netty. When loaded on an Windows application, Netty attempts to load a file that does not exist. If an attacker creates such a large file, the Netty application crashes. This vulnerability is fixed in 4.1.115.

Details

https://github.com/redis/lettuce/blob/main/pom.xml#L67C9-L67C53 The netty version pinned here is currently

<netty.version>4.1.113.Final</netty.version>

This version is vulnerable according to Snyk and is affecting one of our products: image

Here is a link to the CVE

PoC

Complete instructions, including specific configuration details, to reproduce the vulnerability. Not applicable

Impact

What kind of vulnerability is it? Who is impacted? Denial of Service, affecting Windows users.

Database specific
{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-400"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-12-02T20:03:03Z"
}
References

Affected packages

Maven / io.lettuce:lettuce-core

Package

Name
io.lettuce:lettuce-core
View open source insights on deps.dev
Purl
pkg:maven/io.lettuce/lettuce-core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.5.1.RELEASE

Affected versions

5.*

5.0.0.M2
5.0.0.RC1
5.0.0.RC2
5.0.0.RELEASE
5.0.1.RELEASE
5.0.2.RELEASE
5.0.3.RELEASE
5.0.4.RELEASE
5.0.5.RELEASE
5.1.0.M1
5.1.0.RC1
5.1.0.RELEASE
5.1.1.RELEASE
5.1.2.RELEASE
5.1.3.RELEASE
5.1.4.RELEASE
5.1.5.RELEASE
5.1.6.RELEASE
5.1.7.RELEASE
5.1.8.RELEASE
5.2.0.RELEASE
5.2.1.RELEASE
5.2.2.RELEASE
5.3.0.RELEASE
5.3.1.RELEASE
5.3.2.RELEASE
5.3.3.RELEASE
5.3.4.RELEASE
5.3.5.RELEASE
5.3.6.RELEASE
5.3.7.RELEASE

6.*

6.0.0.M1
6.0.0.RC1
6.0.0.RC2
6.0.0.RELEASE
6.0.1.RELEASE
6.0.2.RELEASE
6.0.3.RELEASE
6.0.4.RELEASE
6.0.5.RELEASE
6.0.6.RELEASE
6.0.7.RELEASE
6.0.8.RELEASE
6.0.9.RELEASE
6.1.0.M1
6.1.0.RC1
6.1.0.RELEASE
6.1.1.RELEASE
6.1.2.RELEASE
6.1.3.RELEASE
6.1.4.RELEASE
6.1.5.RELEASE
6.1.6.RELEASE
6.1.7.RELEASE
6.1.8.RELEASE
6.1.9.RELEASE
6.1.10.RELEASE
6.2.0.RELEASE
6.2.1.RELEASE
6.2.2.RELEASE
6.2.3.RELEASE
6.2.4.RELEASE
6.2.5.RELEASE
6.2.6.RELEASE
6.2.7.RELEASE
6.3.0.RELEASE
6.3.1.RELEASE
6.3.2.RELEASE
6.4.0.M1
6.4.0.RELEASE
6.4.1.RELEASE
6.5.0.RC1
6.5.0.RC2
6.5.0.RELEASE