UBUNTU-CVE-2022-24823

See a problem?

Source

https://ubuntu.com/security/notices/UBUNTU-CVE-2022-24823

Import Source

https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2022/UBUNTU-CVE-2022-24823.json

JSON Data

https://api.osv.dev/v1/vulns/UBUNTU-CVE-2022-24823

Related

CVE-2022-24823

Published

2022-05-06T12:15:00Z

Modified

2022-05-06T12:15:00Z

Severity

5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

[none]

Details

Netty is an open-source, asynchronous event-driven network application framework. The package io.netty:netty-codec-http prior to version 4.1.77.Final contains an insufficient fix for CVE-2021-21290. When Netty's multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled. This only impacts applications running on Java version 6 and lower. Additionally, this vulnerability impacts code running on Unix-like systems, and very old versions of Mac OSX and Windows as they all share the system temporary directory between all users. Version 4.1.77.Final contains a patch for this vulnerability. As a workaround, specify one's own java.io.tmpdir when starting the JVM or use DefaultHttpDataFactory.setBaseDir(...) to set the directory to something that is only readable by the current user.

References

Affected packages

Ubuntu:Pro:14.04:LTS / netty

Package

Name: netty

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1:3.*

1:3.2.6.Final-2

1:3.2.6.Final-2+deb8u2build0.14.04.1~esm1

Ecosystem specific

{
    "ubuntu_priority": "low"
}

Ubuntu:Pro:16.04:LTS / netty

Package

Name: netty

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1:3.*

1:3.2.6.Final-2

1:4.*

1:4.0.32-1

1:4.0.33-1

1:4.0.34-1

1:4.0.34-1ubuntu0.1~esm1

Ecosystem specific

{
    "ubuntu_priority": "low"
}

Ubuntu:Pro:18.04:LTS / netty

Package

Name: netty

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1:4.*

1:4.1.7-4

1:4.1.7-4ubuntu0.1~esm1

1:4.1.7-4ubuntu0.1

1:4.1.7-4ubuntu0.1+esm1

1:4.1.7-4ubuntu0.1+esm2

Ecosystem specific

{
    "ubuntu_priority": "low"
}

Ubuntu:20.04:LTS / netty

Package

Name: netty

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1:4.*

1:4.1.33-1

1:4.1.33-2

1:4.1.33-3

1:4.1.45-1

Ecosystem specific

{
    "ubuntu_priority": "low"
}

Ubuntu:22.04:LTS / netty

Package

Name: netty

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1:4.*

1:4.1.48-4

1:4.1.48-4+deb11u1build0.22.04.1

Ecosystem specific

{
    "ubuntu_priority": "low"
}

Ubuntu:24.04:LTS / netty

Package

Name: netty

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1:4.*

1:4.1.48-7

1:4.1.48-8

1:4.1.48-9

Ecosystem specific

{
    "ubuntu_priority": "low"
}