Yet Another Java Service Wrapper / Patches / #31 Netty 4.1.104 Final

#31 Netty 4.1.104 Final - vulnerability

Milestone: Any

Status: closed-fixed

Owner: rzo

Labels: None

Priority: 5

Updated: 2024-11-15

Created: 2024-06-25

Creator: Ravi Raj

Private: No

Issue Detected: CVE-2024-29025
Blackduck scan: BDSA-2024-0720

The HttpPostRequestDecoder can be tricked to accumulate data. While the decoder can store items on the disk if configured so, there are no limits to the number of fields the form can have, an attacher can send a chunked post consisting of many small fields that will be accumulated in the bodyListHttpData list. The decoder cumulates bytes in the undecodedChunk buffer until it can decode a field, this field can cumulate data without limits.

Discussion

rzo - 2024-07-02

status: open --> open-accepted
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

rzo - 2024-11-15

status: open-accepted --> closed-fixed
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

rzo - 2024-11-15

13.13

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Netty 4.1.104 Final - vulnerability

Install java, groovy and native applications as services or daemons

Group

Searches

Help

#31 Netty 4.1.104 Final - vulnerability

Discussion