GHSA-4g8c-wm8x-jfhw
Suggest an improvement- Source
- https://github.com/advisories/GHSA-4g8c-wm8x-jfhw
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/02/GHSA-4g8c-wm8x-jfhw/GHSA-4g8c-wm8x-jfhw.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-4g8c-wm8x-jfhw
- Aliases
- Related
- Published
- 2025-02-10T17:38:10Z
- Modified
- 2025-02-21T21:12:53.657548Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- SslHandler doesn't correctly validate packets which can lead to native crash when using native SSLEngine
- Details
-
Impact
When a special crafted packet is received via SslHandler it doesn't correctly handle validation of such a packet in all cases which can lead to a native crash.
Workarounds
As workaround its possible to either disable the usage of the native SSLEngine or changing the code from:
SslContext context = ...; SslHandler handler = context.newHandler(....);to:
SslContext context = ...; SSLEngine engine = context.newEngine(....); SslHandler handler = new SslHandler(engine, ....); - Database specific
{ "nvd_published_at": "2025-02-10T22:15:38Z", "cwe_ids": [ "CWE-20" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2025-02-10T17:38:10Z" }- References
Affected packages
Maven / io.netty:netty-handler
Package
- Name
- io.netty:netty-handler
- View open source insights on deps.dev
- Purl
- pkg:maven/io.netty/netty-handler
Affected versions
4.*
4.1.91.Final
4.1.92.Final
4.1.93.Final
4.1.94.Final
4.1.95.Final
4.1.96.Final
4.1.97.Final
4.1.98.Final
4.1.99.Final
4.1.100.Final
4.1.101.Final
4.1.102.Final
4.1.103.Final
4.1.104.Final
4.1.105.Final
4.1.106.Final
4.1.107.Final
4.1.108.Final
4.1.109.Final
4.1.110.Final
4.1.111.Final
4.1.112.Final
4.1.113.Final
4.1.114.Final
4.1.115.Final
4.1.116.Final
4.1.117.Final