grpc-netty-1.70.0.jar: 2 vulnerabilities (highest severity is: 7.5) #3527
Labels
Mend: dependency security vulnerability
Security vulnerability detected by Mend
Comments
mend-bolt-for-github
bot
added
the
Mend: dependency security vulnerability
mend-bolt-for-github
bot
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Path to dependency file: /laokou-sample/laokou-sample-seata/laokou-sample-seata-server/pom.xml
Path to vulnerable library: /laokou-common/laokou-common-log/pom.xml,/laokou-service/laokou-auth/laokou-auth-start/pom.xml,/laokou-service/laokou-generator/laokou-generator-infrastructure/pom.xml,/laokou-sample/laokou-sample-websocket/pom.xml,/laokou-common/laokou-common-lock/pom.xml,/laokou-cloud/laokou-gateway/pom.xml,/laokou-cloud/laokou-snail-job/pom.xml,/laokou-cola/laokou-cola-app/pom.xml,/laokou-common/laokou-common-rate-limiter/pom.xml,/laokou-service/laokou-iot/laokou-iot-app/pom.xml,/laokou-common/laokou-common-redis/pom.xml,/laokou-common/laokou-common-domain/pom.xml,/laokou-service/laokou-admin/laokou-admin-app/pom.xml,/laokou-common/laokou-common-netty/pom.xml,/laokou-sample/laokou-sample-tcp/pom.xml,/laokou-service/laokou-auth/laokou-auth-adapter/pom.xml,/laokou-service/laokou-iot/laokou-iot-infrastructure/pom.xml,/laokou-service/laokou-generator/laokou-generator-adapter/pom.xml,/laokou-service/laokou-iot/laokou-iot-adapter/pom.xml,/laokou-service/laokou-admin/laokou-admin-adapter/pom.xml,/laokou-common/laokou-common-idempotent/pom.xml,/laokou-common/laokou-common-sentinel/pom.xml,/laokou-common/laokou-common-rocketmq/pom.xml,/laokou-common/laokou-common-data-cache/pom.xml,/laokou-common/laokou-common-mqtt/pom.xml,/laokou-service/laokou-admin/laokou-admin-infrastructure/pom.xml,/laokou-common/laokou-common-security/pom.xml,/laokou-service/laokou-iot/laokou-iot-start/pom.xml,/laokou-cola/laokou-cola-adapter/pom.xml,/laokou-service/laokou-generator/laokou-generator-app/pom.xml,/laokou-common/laokou-common-snail-job/pom.xml,/laokou-cloud/laokou-monitor/pom.xml,/laokou-service/laokou-admin/laokou-admin-start/pom.xml,/laokou-cola/laokou-cola-infrastructure/pom.xml,/laokou-service/laokou-auth/laokou-auth-infrastructure/pom.xml,/laokou-cola/laokou-cola-start/pom.xml,/laokou-service/laokou-generator/laokou-generator-start/pom.xml,/laokou-common/laokou-common-openfeign/pom.xml,/laokou-service/laokou-auth/laokou-auth-app/pom.xml
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Library - netty-handler-4.1.117.Final.jar
Library home page: https://netty.io/
Path to dependency file: /laokou-common/laokou-common-data-cache/pom.xml
Path to vulnerable library: /laokou-common/laokou-common-data-cache/pom.xml,/laokou-common/laokou-common-openfeign/pom.xml,/laokou-cloud/laokou-monitor/pom.xml,/laokou-cola/laokou-cola-infrastructure/pom.xml,/laokou-service/laokou-admin/laokou-admin-app/pom.xml,/laokou-common/laokou-common-domain/pom.xml,/laokou-service/laokou-admin/laokou-admin-adapter/pom.xml,/laokou-common/laokou-common-idempotent/pom.xml,/laokou-service/laokou-generator/laokou-generator-start/pom.xml,/laokou-service/laokou-iot/laokou-iot-adapter/pom.xml,/laokou-common/laokou-common-security/pom.xml,/laokou-service/laokou-generator/laokou-generator-adapter/pom.xml,/laokou-common/laokou-common-sentinel/pom.xml,/laokou-common/laokou-common-mqtt/pom.xml,/laokou-common/laokou-common-rocketmq/pom.xml,/laokou-common/laokou-common-rate-limiter/pom.xml,/laokou-sample/laokou-sample-websocket/pom.xml,/laokou-sample/laokou-sample-tcp/pom.xml,/laokou-service/laokou-admin/laokou-admin-infrastructure/pom.xml,/laokou-common/laokou-common-redis/pom.xml,/laokou-common/laokou-common-netty/pom.xml,/laokou-service/laokou-generator/laokou-generator-app/pom.xml,/laokou-service/laokou-iot/laokou-iot-infrastructure/pom.xml,/laokou-cola/laokou-cola-app/pom.xml,/laokou-service/laokou-admin/laokou-admin-start/pom.xml,/laokou-common/laokou-common-snail-job/pom.xml,/laokou-service/laokou-iot/laokou-iot-start/pom.xml,/laokou-common/laokou-common-lock/pom.xml,/laokou-service/laokou-auth/laokou-auth-adapter/pom.xml,/laokou-service/laokou-auth/laokou-auth-infrastructure/pom.xml,/laokou-service/laokou-auth/laokou-auth-app/pom.xml,/laokou-cola/laokou-cola-start/pom.xml,/laokou-service/laokou-auth/laokou-auth-start/pom.xml,/laokou-cloud/laokou-gateway/pom.xml,/laokou-cola/laokou-cola-adapter/pom.xml,/laokou-service/laokou-generator/laokou-generator-infrastructure/pom.xml,/laokou-common/laokou-common-log/pom.xml,/laokou-cloud/laokou-snail-job/pom.xml,/laokou-service/laokou-iot/laokou-iot-app/pom.xml
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
Netty, an asynchronous, event-driven network application framework, has a vulnerability starting in version 4.1.91.Final and prior to version 4.1.118.Final. When a special crafted packet is received via SslHandler it doesn't correctly handle validation of such a packet in all cases which can lead to a native crash. Version 4.1.118.Final contains a patch. As workaround its possible to either disable the usage of the native SSLEngine or change the code manually.
Publish Date: 2025-02-10
URL: CVE-2025-24970
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-4g8c-wm8x-jfhw
Release Date: 2025-02-10
Fix Resolution: io.netty:netty-handler:4.1.118.Final
Step up your Open Source Security Game with Mend here
Vulnerable Library - netty-common-4.1.117.Final.jar
Library home page: https://netty.io/
Path to dependency file: /laokou-common/laokou-common-log/pom.xml
Path to vulnerable library: /laokou-common/laokou-common-log/pom.xml,/laokou-service/laokou-auth/laokou-auth-start/pom.xml,/laokou-service/laokou-generator/laokou-generator-infrastructure/pom.xml,/laokou-sample/laokou-sample-websocket/pom.xml,/laokou-common/laokou-common-lock/pom.xml,/laokou-cloud/laokou-gateway/pom.xml,/laokou-cloud/laokou-snail-job/pom.xml,/laokou-cola/laokou-cola-app/pom.xml,/laokou-common/laokou-common-rate-limiter/pom.xml,/laokou-service/laokou-iot/laokou-iot-app/pom.xml,/laokou-common/laokou-common-redis/pom.xml,/laokou-common/laokou-common-domain/pom.xml,/laokou-service/laokou-admin/laokou-admin-app/pom.xml,/laokou-common/laokou-common-netty/pom.xml,/laokou-sample/laokou-sample-tcp/pom.xml,/laokou-service/laokou-auth/laokou-auth-adapter/pom.xml,/laokou-service/laokou-iot/laokou-iot-infrastructure/pom.xml,/laokou-service/laokou-generator/laokou-generator-adapter/pom.xml,/laokou-service/laokou-iot/laokou-iot-adapter/pom.xml,/laokou-service/laokou-admin/laokou-admin-adapter/pom.xml,/laokou-common/laokou-common-idempotent/pom.xml,/laokou-common/laokou-common-sentinel/pom.xml,/laokou-common/laokou-common-rocketmq/pom.xml,/laokou-common/laokou-common-data-cache/pom.xml,/laokou-common/laokou-common-mqtt/pom.xml,/laokou-service/laokou-admin/laokou-admin-infrastructure/pom.xml,/laokou-common/laokou-common-security/pom.xml,/laokou-service/laokou-iot/laokou-iot-start/pom.xml,/laokou-cola/laokou-cola-adapter/pom.xml,/laokou-service/laokou-generator/laokou-generator-app/pom.xml,/laokou-common/laokou-common-snail-job/pom.xml,/laokou-cloud/laokou-monitor/pom.xml,/laokou-service/laokou-admin/laokou-admin-start/pom.xml,/laokou-cola/laokou-cola-infrastructure/pom.xml,/laokou-service/laokou-auth/laokou-auth-infrastructure/pom.xml,/laokou-cola/laokou-cola-start/pom.xml,/laokou-service/laokou-generator/laokou-generator-start/pom.xml,/laokou-common/laokou-common-openfeign/pom.xml,/laokou-service/laokou-auth/laokou-auth-app/pom.xml
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
Netty, an asynchronous, event-driven network application framework, has a vulnerability in versions up to and including 4.1.118.Final. An unsafe reading of environment file could potentially cause a denial of service in Netty. When loaded on an Windows application, Netty attempts to load a file that does not exist. If an attacker creates such a large file, the Netty application crash. A similar issue was previously reported as CVE-2024-47535. This issue was fixed, but the fix was incomplete in that null-bytes were not counted against the input limit. Commit d1fbda62d3a47835d3fb35db8bd42ecc205a5386 contains an updated fix.
Publish Date: 2025-02-10
URL: CVE-2025-25193
CVSS 3 Score Details (5.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-389x-839f-4rhx
Release Date: 2025-02-10
Fix Resolution: io.netty:netty-common:4.1.118.Final
Step up your Open Source Security Game with Mend here
The text was updated successfully, but these errors were encountered: