{ "matches": [ { "vulnerability": { "id": "GHSA-36p3-wjmg-h94x", "dataSource": "https://github.com/advisories/GHSA-36p3-wjmg-h94x", "namespace": "github:language:java", "severity": "Critical", "urls": [ "https://github.com/advisories/GHSA-36p3-wjmg-h94x" ], "description": "Remote Code Execution in Spring Framework", "cvss": [], "fix": { "versions": [ "2.5.12" ], "state": "fixed" }, "advisories": [] }, "relatedVulnerabilities": [ { "id": "CVE-2022-22965", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-22965", "namespace": "nvd:cpe", "severity": "Critical", "urls": [ "https://tanzu.vmware.com/security/cve-2022-22965", "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-java-spring-rce-Zx9GUc67", "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0005", "http://packetstormsecurity.com/files/166713/Spring4Shell-Code-Execution.html", "https://cert-portal.siemens.com/productcert/pdf/ssa-254054.pdf", "https://www.oracle.com/security-alerts/cpuapr2022.html", "http://packetstormsecurity.com/files/167011/Spring4Shell-Spring-Framework-Class-Property-Remote-Code-Execution.html", "https://www.oracle.com/security-alerts/cpujul2022.html" ], "description": "A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. 
However, the nature of the vulnerability is more general, and there may be other ways to exploit it.", "cvss": [ { "version": "2.0", "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "metrics": { "baseScore": 7.5, "exploitabilityScore": 10, "impactScore": 6.4 }, "vendorMetadata": {} }, { "version": "3.1", "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "metrics": { "baseScore": 9.8, "exploitabilityScore": 3.9, "impactScore": 5.9 }, "vendorMetadata": {} } ] } ], "matchDetails": [ { "type": "exact-direct-match", "matcher": "java-matcher", "searchedBy": { "language": "java", "namespace": "github:language:java" }, "found": { "versionConstraint": "<2.5.12 (unknown)" } } ], "artifact": { "name": "spring-boot-starter-web", "version": "", "type": "java-archive", "locations": [ { "path": "pom.xml" } ], "language": "java", "licenses": [], "cpes": [ "cpe:2.3:a:spring-boot-starter-web:spring-boot-starter-web:*:*:*:*:*:*:*:*", "cpe:2.3:a:spring-boot-starter-web:spring_boot_starter_web:*:*:*:*:*:*:*:*", "cpe:2.3:a:spring_boot_starter_web:spring-boot-starter-web:*:*:*:*:*:*:*:*", "cpe:2.3:a:spring_boot_starter_web:spring_boot_starter_web:*:*:*:*:*:*:*:*", "cpe:2.3:a:spring-boot-starter:spring-boot-starter-web:*:*:*:*:*:*:*:*", "cpe:2.3:a:spring-boot-starter:spring_boot_starter_web:*:*:*:*:*:*:*:*", "cpe:2.3:a:spring_boot_starter:spring-boot-starter-web:*:*:*:*:*:*:*:*", "cpe:2.3:a:spring_boot_starter:spring_boot_starter_web:*:*:*:*:*:*:*:*", "cpe:2.3:a:springframework:spring-boot-starter-web:*:*:*:*:*:*:*:*", "cpe:2.3:a:springframework:spring_boot_starter_web:*:*:*:*:*:*:*:*", "cpe:2.3:a:spring-boot:spring-boot-starter-web:*:*:*:*:*:*:*:*", "cpe:2.3:a:spring-boot:spring_boot_starter_web:*:*:*:*:*:*:*:*", "cpe:2.3:a:spring_boot:spring-boot-starter-web:*:*:*:*:*:*:*:*", "cpe:2.3:a:spring_boot:spring_boot_starter_web:*:*:*:*:*:*:*:*", "cpe:2.3:a:spring:spring-boot-starter-web:*:*:*:*:*:*:*:*", "cpe:2.3:a:spring:spring_boot_starter_web:*:*:*:*:*:*:*:*", 
"cpe:2.3:a:boot:spring-boot-starter-web:*:*:*:*:*:*:*:*", "cpe:2.3:a:boot:spring_boot_starter_web:*:*:*:*:*:*:*:*", "cpe:2.3:a:spring-boot-starter-web:boot:*:*:*:*:*:*:*:*", "cpe:2.3:a:spring_boot_starter_web:boot:*:*:*:*:*:*:*:*", "cpe:2.3:a:spring-boot-starter:boot:*:*:*:*:*:*:*:*", "cpe:2.3:a:spring_boot_starter:boot:*:*:*:*:*:*:*:*", "cpe:2.3:a:springframework:boot:*:*:*:*:*:*:*:*", "cpe:2.3:a:spring-boot:boot:*:*:*:*:*:*:*:*", "cpe:2.3:a:spring_boot:boot:*:*:*:*:*:*:*:*", "cpe:2.3:a:spring:boot:*:*:*:*:*:*:*:*", "cpe:2.3:a:boot:boot:*:*:*:*:*:*:*:*" ], "purl": "pkg:maven/org.springframework.boot/spring-boot-starter-web", "upstreams": [], "metadataType": "JavaMetadata", "metadata": { "virtualPath": "", "pomArtifactID": "", "pomGroupID": "org.springframework.boot", "manifestName": "", "archiveDigests": null } } }, { "vulnerability": { "id": "GHSA-3f7h-mf4q-vrm4", "dataSource": "https://github.com/advisories/GHSA-3f7h-mf4q-vrm4", "namespace": "github:language:java", "severity": "Low", "urls": [ "https://github.com/advisories/GHSA-3f7h-mf4q-vrm4" ], "description": "Denial of Service due to parser crash", "cvss": [], "fix": { "versions": [ "6.4.0" ], "state": "fixed" }, "advisories": [] }, "relatedVulnerabilities": [ { "id": "CVE-2022-40152", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-40152", "namespace": "nvd:cpe", "severity": "High", "urls": [ "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47434", "https://github.com/x-stream/xstream/issues/304" ], "description": "Those using Xstream to seralize XML data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. 
This effect may support a denial of service attack.", "cvss": [ { "version": "3.1", "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": { "baseScore": 7.5, "exploitabilityScore": 3.9, "impactScore": 3.6 }, "vendorMetadata": {} } ] } ], "matchDetails": [ { "type": "exact-direct-match", "matcher": "java-matcher", "searchedBy": { "language": "java", "namespace": "github:language:java" }, "found": { "versionConstraint": ">=6.0.0,<6.4.0 (unknown)" } } ], "artifact": { "name": "woodstox-core", "version": "6.3.1", "type": "java-archive", "locations": [ { "path": "target/appconfigdemo-0.0.1-SNAPSHOT.jar" } ], "language": "java", "licenses": [], "cpes": [ "cpe:2.3:a:woodstox-core:woodstox-core:6.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:woodstox-core:woodstox_core:6.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:woodstox_core:woodstox-core:6.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:woodstox_core:woodstox_core:6.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:fasterxml:woodstox-core:6.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:fasterxml:woodstox_core:6.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:woodstox-core:woodstox:6.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:woodstox:woodstox-core:6.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:woodstox:woodstox_core:6.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:woodstox_core:woodstox:6.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:fasterxml:woodstox:6.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:woodstox:woodstox:6.3.1:*:*:*:*:*:*:*" ], "purl": "pkg:maven/com.fasterxml.woodstox/woodstox-core@6.3.1", "upstreams": [], "metadataType": "JavaMetadata", "metadata": { "virtualPath": "target/appconfigdemo-0.0.1-SNAPSHOT.jar:BOOT-INF/lib/woodstox-core-6.3.1.jar", "pomArtifactID": "woodstox-core", "pomGroupID": "com.fasterxml.woodstox", "manifestName": "", "archiveDigests": [ { "algorithm": "sha1", "value": "bf29b07ca4dd81ef3c0bc18c8bd5617510a81c5d" } ] } } }, { "vulnerability": { "id": "GHSA-4rv7-wj6m-6c6r", "dataSource": "https://github.com/advisories/GHSA-4rv7-wj6m-6c6r", "namespace": "github:language:java", "severity": "Low", "urls": [ 
"https://github.com/advisories/GHSA-4rv7-wj6m-6c6r" ], "description": "Denial of Service due to parser crash", "cvss": [], "fix": { "versions": [ "6.4.0" ], "state": "fixed" }, "advisories": [] }, "relatedVulnerabilities": [ { "id": "CVE-2022-40156", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-40156", "namespace": "nvd:cpe", "severity": "High", "urls": [ "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50841", "https://github.com/x-stream/xstream/issues/304" ], "description": "Those using Xstream to seralize XML data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of service attack.", "cvss": [ { "version": "3.1", "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": { "baseScore": 7.5, "exploitabilityScore": 3.9, "impactScore": 3.6 }, "vendorMetadata": {} } ] } ], "matchDetails": [ { "type": "exact-direct-match", "matcher": "java-matcher", "searchedBy": { "language": "java", "namespace": "github:language:java" }, "found": { "versionConstraint": ">=6.0.0,<6.4.0 (unknown)" } } ], "artifact": { "name": "woodstox-core", "version": "6.3.1", "type": "java-archive", "locations": [ { "path": "target/appconfigdemo-0.0.1-SNAPSHOT.jar" } ], "language": "java", "licenses": [], "cpes": [ "cpe:2.3:a:woodstox-core:woodstox-core:6.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:woodstox-core:woodstox_core:6.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:woodstox_core:woodstox-core:6.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:woodstox_core:woodstox_core:6.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:fasterxml:woodstox-core:6.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:fasterxml:woodstox_core:6.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:woodstox-core:woodstox:6.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:woodstox:woodstox-core:6.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:woodstox:woodstox_core:6.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:woodstox_core:woodstox:6.3.1:*:*:*:*:*:*:*", 
"cpe:2.3:a:fasterxml:woodstox:6.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:woodstox:woodstox:6.3.1:*:*:*:*:*:*:*" ], "purl": "pkg:maven/com.fasterxml.woodstox/woodstox-core@6.3.1", "upstreams": [], "metadataType": "JavaMetadata", "metadata": { "virtualPath": "target/appconfigdemo-0.0.1-SNAPSHOT.jar:BOOT-INF/lib/woodstox-core-6.3.1.jar", "pomArtifactID": "woodstox-core", "pomGroupID": "com.fasterxml.woodstox", "manifestName": "", "archiveDigests": [ { "algorithm": "sha1", "value": "bf29b07ca4dd81ef3c0bc18c8bd5617510a81c5d" } ] } } }, { "vulnerability": { "id": "GHSA-5hc5-c3m9-8vcj", "dataSource": "https://github.com/advisories/GHSA-5hc5-c3m9-8vcj", "namespace": "github:language:java", "severity": "Low", "urls": [ "https://github.com/advisories/GHSA-5hc5-c3m9-8vcj" ], "description": "Denial of Service via stack overflow", "cvss": [], "fix": { "versions": [ "6.4.0" ], "state": "fixed" }, "advisories": [] }, "relatedVulnerabilities": [ { "id": "CVE-2022-40155", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-40155", "namespace": "nvd:cpe", "severity": "High", "urls": [ "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50428", "https://github.com/x-stream/xstream/issues/304" ], "description": "Those using Xstream to serialise XML data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow. 
This effect may support a denial of service attack.", "cvss": [ { "version": "3.1", "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": { "baseScore": 7.5, "exploitabilityScore": 3.9, "impactScore": 3.6 }, "vendorMetadata": {} } ] } ], "matchDetails": [ { "type": "exact-direct-match", "matcher": "java-matcher", "searchedBy": { "language": "java", "namespace": "github:language:java" }, "found": { "versionConstraint": ">=6.0.0,<6.4.0 (unknown)" } } ], "artifact": { "name": "woodstox-core", "version": "6.3.1", "type": "java-archive", "locations": [ { "path": "target/appconfigdemo-0.0.1-SNAPSHOT.jar" } ], "language": "java", "licenses": [], "cpes": [ "cpe:2.3:a:woodstox-core:woodstox-core:6.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:woodstox-core:woodstox_core:6.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:woodstox_core:woodstox-core:6.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:woodstox_core:woodstox_core:6.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:fasterxml:woodstox-core:6.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:fasterxml:woodstox_core:6.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:woodstox-core:woodstox:6.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:woodstox:woodstox-core:6.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:woodstox:woodstox_core:6.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:woodstox_core:woodstox:6.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:fasterxml:woodstox:6.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:woodstox:woodstox:6.3.1:*:*:*:*:*:*:*" ], "purl": "pkg:maven/com.fasterxml.woodstox/woodstox-core@6.3.1", "upstreams": [], "metadataType": "JavaMetadata", "metadata": { "virtualPath": "target/appconfigdemo-0.0.1-SNAPSHOT.jar:BOOT-INF/lib/woodstox-core-6.3.1.jar", "pomArtifactID": "woodstox-core", "pomGroupID": "com.fasterxml.woodstox", "manifestName": "", "archiveDigests": [ { "algorithm": "sha1", "value": "bf29b07ca4dd81ef3c0bc18c8bd5617510a81c5d" } ] } } }, { "vulnerability": { "id": "GHSA-9fwf-46g9-45rx", "dataSource": "https://github.com/advisories/GHSA-9fwf-46g9-45rx", "namespace": "github:language:java", "severity": "Low", "urls": [ 
"https://github.com/advisories/GHSA-9fwf-46g9-45rx" ], "description": "Denial of Service via stack overflow", "cvss": [], "fix": { "versions": [ "6.4.0" ], "state": "fixed" }, "advisories": [] }, "relatedVulnerabilities": [ { "id": "CVE-2022-40154", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-40154", "namespace": "nvd:cpe", "severity": "High", "urls": [ "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50393", "https://github.com/x-stream/xstream/issues/304" ], "description": "Those using Xstream to serialise XML data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow. This effect may support a denial of service attack.", "cvss": [ { "version": "3.1", "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": { "baseScore": 7.5, "exploitabilityScore": 3.9, "impactScore": 3.6 }, "vendorMetadata": {} } ] } ], "matchDetails": [ { "type": "exact-direct-match", "matcher": "java-matcher", "searchedBy": { "language": "java", "namespace": "github:language:java" }, "found": { "versionConstraint": ">=6.0.0,<6.4.0 (unknown)" } } ], "artifact": { "name": "woodstox-core", "version": "6.3.1", "type": "java-archive", "locations": [ { "path": "target/appconfigdemo-0.0.1-SNAPSHOT.jar" } ], "language": "java", "licenses": [], "cpes": [ "cpe:2.3:a:woodstox-core:woodstox-core:6.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:woodstox-core:woodstox_core:6.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:woodstox_core:woodstox-core:6.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:woodstox_core:woodstox_core:6.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:fasterxml:woodstox-core:6.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:fasterxml:woodstox_core:6.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:woodstox-core:woodstox:6.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:woodstox:woodstox-core:6.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:woodstox:woodstox_core:6.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:woodstox_core:woodstox:6.3.1:*:*:*:*:*:*:*", 
"cpe:2.3:a:fasterxml:woodstox:6.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:woodstox:woodstox:6.3.1:*:*:*:*:*:*:*" ], "purl": "pkg:maven/com.fasterxml.woodstox/woodstox-core@6.3.1", "upstreams": [], "metadataType": "JavaMetadata", "metadata": { "virtualPath": "target/appconfigdemo-0.0.1-SNAPSHOT.jar:BOOT-INF/lib/woodstox-core-6.3.1.jar", "pomArtifactID": "woodstox-core", "pomGroupID": "com.fasterxml.woodstox", "manifestName": "", "archiveDigests": [ { "algorithm": "sha1", "value": "bf29b07ca4dd81ef3c0bc18c8bd5617510a81c5d" } ] } } }, { "vulnerability": { "id": "GHSA-fv22-xp26-mm9w", "dataSource": "https://github.com/advisories/GHSA-fv22-xp26-mm9w", "namespace": "github:language:java", "severity": "High", "urls": [ "https://github.com/advisories/GHSA-fv22-xp26-mm9w" ], "description": "Denial of Service due to parser crash", "cvss": [], "fix": { "versions": [ "6.4.0" ], "state": "fixed" }, "advisories": [] }, "relatedVulnerabilities": [ { "id": "CVE-2022-40153", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-40153", "namespace": "nvd:cpe", "severity": "High", "urls": [ "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=49858", "https://github.com/x-stream/xstream/issues/304" ], "description": "Those using Xstream to seralize XML data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. 
This effect may support a denial of service attack.", "cvss": [ { "version": "3.1", "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": { "baseScore": 7.5, "exploitabilityScore": 3.9, "impactScore": 3.6 }, "vendorMetadata": {} } ] } ], "matchDetails": [ { "type": "exact-direct-match", "matcher": "java-matcher", "searchedBy": { "language": "java", "namespace": "github:language:java" }, "found": { "versionConstraint": ">=6.0.0,<6.4.0 (unknown)" } } ], "artifact": { "name": "woodstox-core", "version": "6.3.1", "type": "java-archive", "locations": [ { "path": "target/appconfigdemo-0.0.1-SNAPSHOT.jar" } ], "language": "java", "licenses": [], "cpes": [ "cpe:2.3:a:woodstox-core:woodstox-core:6.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:woodstox-core:woodstox_core:6.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:woodstox_core:woodstox-core:6.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:woodstox_core:woodstox_core:6.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:fasterxml:woodstox-core:6.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:fasterxml:woodstox_core:6.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:woodstox-core:woodstox:6.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:woodstox:woodstox-core:6.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:woodstox:woodstox_core:6.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:woodstox_core:woodstox:6.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:fasterxml:woodstox:6.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:woodstox:woodstox:6.3.1:*:*:*:*:*:*:*" ], "purl": "pkg:maven/com.fasterxml.woodstox/woodstox-core@6.3.1", "upstreams": [], "metadataType": "JavaMetadata", "metadata": { "virtualPath": "target/appconfigdemo-0.0.1-SNAPSHOT.jar:BOOT-INF/lib/woodstox-core-6.3.1.jar", "pomArtifactID": "woodstox-core", "pomGroupID": "com.fasterxml.woodstox", "manifestName": "", "archiveDigests": [ { "algorithm": "sha1", "value": "bf29b07ca4dd81ef3c0bc18c8bd5617510a81c5d" } ] } } } ], "ignoredMatches": [ { "vulnerability": { "id": "CVE-2014-3488", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2014-3488", "namespace": "nvd:cpe", "severity": "Medium", "urls": [ 
"http://netty.io/news/2014/06/11/3-9-2-Final.html", "https://github.com/netty/netty/commit/2fa9400a59d0563a66908aba55c41e7285a04994", "https://github.com/netty/netty/issues/2562", "http://secunia.com/advisories/59196", "https://lists.debian.org/debian-lts-announce/2020/02/msg00018.html" ], "description": "The SslHandler in Netty before 3.9.2 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted SSLv2Hello message.", "cvss": [ { "version": "2.0", "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "metrics": { "baseScore": 5, "exploitabilityScore": 10, "impactScore": 2.9 }, "vendorMetadata": {} } ], "fix": { "versions": [], "state": "unknown" }, "advisories": [] }, "relatedVulnerabilities": [], "matchDetails": [ { "type": "cpe-match", "matcher": "java-matcher", "searchedBy": { "namespace": "nvd:cpe", "cpes": [ "cpe:2.3:a:netty:netty:1.0.24:*:*:*:*:*:*:*" ] }, "found": { "versionConstraint": "= 3.6.1 || = 3.6.2 || = 3.6.3 || = 3.6.4 || = 3.6.5 || = 3.6.6 || = 3.6.7 || = 3.6.8 || = 3.7.0 || = 3.8.1 || = 3.8.0 || <= 3.9.1.1 || = 3.9.0 || = 3.6.0 || = 3.9.1 (unknown)", "cpes": [ "cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:*" ] } } ], "artifact": { "name": "reactor-netty-core", "version": "1.0.24", "type": "java-archive", "locations": [ { "path": "target/appconfigdemo-0.0.1-SNAPSHOT.jar" } ], "language": "java", "licenses": [], "cpes": [ "cpe:2.3:a:reactor-netty-core:reactor-netty-core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor-netty-core:reactor_netty_core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor_netty_core:reactor-netty-core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor_netty_core:reactor_netty_core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:projectreactor:reactor-netty-core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:projectreactor:reactor_netty_core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor-netty:reactor-netty-core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor-netty:reactor_netty_core:1.0.24:*:*:*:*:*:*:*", 
"cpe:2.3:a:reactor_netty:reactor-netty-core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor_netty:reactor_netty_core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor:reactor-netty-core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor:reactor_netty_core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:netty:reactor-netty-core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:netty:reactor_netty_core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor-netty-core:netty:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor_netty_core:netty:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:projectreactor:netty:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor-netty:netty:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor_netty:netty:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor:netty:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:netty:netty:1.0.24:*:*:*:*:*:*:*" ], "purl": "pkg:maven/io.projectreactor.netty.reactor-netty-core/reactor-netty-core@1.0.24", "upstreams": [], "metadataType": "JavaMetadata", "metadata": { "virtualPath": "target/appconfigdemo-0.0.1-SNAPSHOT.jar:BOOT-INF/lib/reactor-netty-core-1.0.24.jar", "pomArtifactID": "", "pomGroupID": "", "manifestName": "", "archiveDigests": [ { "algorithm": "sha1", "value": "feaecb39237170aafb23935e9b383e8dda281379" } ] } }, "appliedIgnoreRules": [ { "vulnerability": "CVE-2014-3488" } ] }, { "vulnerability": { "id": "CVE-2014-3488", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2014-3488", "namespace": "nvd:cpe", "severity": "Medium", "urls": [ "http://netty.io/news/2014/06/11/3-9-2-Final.html", "https://github.com/netty/netty/commit/2fa9400a59d0563a66908aba55c41e7285a04994", "https://github.com/netty/netty/issues/2562", "http://secunia.com/advisories/59196", "https://lists.debian.org/debian-lts-announce/2020/02/msg00018.html" ], "description": "The SslHandler in Netty before 3.9.2 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted SSLv2Hello message.", "cvss": [ { "version": "2.0", "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "metrics": { "baseScore": 5, "exploitabilityScore": 10, 
"impactScore": 2.9 }, "vendorMetadata": {} } ], "fix": { "versions": [], "state": "unknown" }, "advisories": [] }, "relatedVulnerabilities": [], "matchDetails": [ { "type": "cpe-match", "matcher": "java-matcher", "searchedBy": { "namespace": "nvd:cpe", "cpes": [ "cpe:2.3:a:netty:netty:1.0.24:*:*:*:*:*:*:*" ] }, "found": { "versionConstraint": "= 3.6.1 || = 3.6.2 || = 3.6.3 || = 3.6.4 || = 3.6.5 || = 3.6.6 || = 3.6.7 || = 3.6.8 || = 3.7.0 || = 3.8.1 || = 3.8.0 || <= 3.9.1.1 || = 3.9.0 || = 3.6.0 || = 3.9.1 (unknown)", "cpes": [ "cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:*" ] } } ], "artifact": { "name": "reactor-netty-http", "version": "1.0.24", "type": "java-archive", "locations": [ { "path": "target/appconfigdemo-0.0.1-SNAPSHOT.jar" } ], "language": "java", "licenses": [], "cpes": [ "cpe:2.3:a:reactor-netty-http:reactor-netty-http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor-netty-http:reactor_netty_http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor_netty_http:reactor-netty-http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor_netty_http:reactor_netty_http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:projectreactor:reactor-netty-http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:projectreactor:reactor_netty_http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor-netty:reactor-netty-http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor-netty:reactor_netty_http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor_netty:reactor-netty-http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor_netty:reactor_netty_http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor:reactor-netty-http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor:reactor_netty_http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:netty:reactor-netty-http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:netty:reactor_netty_http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor-netty-http:netty:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor_netty_http:netty:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:projectreactor:netty:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor-netty:netty:1.0.24:*:*:*:*:*:*:*", 
"cpe:2.3:a:reactor_netty:netty:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor:netty:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:netty:netty:1.0.24:*:*:*:*:*:*:*" ], "purl": "pkg:maven/io.projectreactor.netty.reactor-netty-http/reactor-netty-http@1.0.24", "upstreams": [], "metadataType": "JavaMetadata", "metadata": { "virtualPath": "target/appconfigdemo-0.0.1-SNAPSHOT.jar:BOOT-INF/lib/reactor-netty-http-1.0.24.jar", "pomArtifactID": "", "pomGroupID": "", "manifestName": "", "archiveDigests": [ { "algorithm": "sha1", "value": "2fac480a17f752335318f103ab91427bdfb7716a" } ] } }, "appliedIgnoreRules": [ { "vulnerability": "CVE-2014-3488" } ] }, { "vulnerability": { "id": "CVE-2015-2156", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2015-2156", "namespace": "nvd:cpe", "severity": "High", "urls": [ "https://www.playframework.com/security/vulnerability/CVE-2015-2156-HttpOnlyBypass", "https://github.com/netty/netty/pull/3754", "https://bugzilla.redhat.com/show_bug.cgi?id=1222923", "http://www.securityfocus.com/bid/74704", "http://www.openwall.com/lists/oss-security/2015/05/17/1", "http://netty.io/news/2015/05/08/3-9-8-Final-and-3.html", "http://lists.fedoraproject.org/pipermail/package-announce/2015-May/159166.html", "http://lists.fedoraproject.org/pipermail/package-announce/2015-June/159379.html", "https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8@%3Ccommits.pulsar.apache.org%3E", "https://lists.apache.org/thread.html/a19bb1003b0d6cd22475ba83c019b4fc7facfef2a9e13f71132529d3@%3Ccommits.cassandra.apache.org%3E", "https://lists.apache.org/thread.html/dc1275aef115bda172851a231c76c0932d973f9ffd8bc375c4aba769@%3Ccommits.cassandra.apache.org%3E", "https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe@%3Ccommits.druid.apache.org%3E" ], "description": "Netty before 3.9.8.Final, 3.10.x before 3.10.3.Final, 4.0.x before 4.0.28.Final, and 4.1.x before 4.1.0.Beta5 and Play Framework 2.x before 2.3.9 might allow 
remote attackers to bypass the httpOnly flag on cookies and obtain sensitive information by leveraging improper validation of cookie name and value characters.", "cvss": [ { "version": "2.0", "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "metrics": { "baseScore": 4.3, "exploitabilityScore": 8.6, "impactScore": 2.9 }, "vendorMetadata": {} }, { "version": "3.0", "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "metrics": { "baseScore": 7.5, "exploitabilityScore": 3.9, "impactScore": 3.6 }, "vendorMetadata": {} } ], "fix": { "versions": [], "state": "unknown" }, "advisories": [] }, "relatedVulnerabilities": [], "matchDetails": [ { "type": "cpe-match", "matcher": "java-matcher", "searchedBy": { "namespace": "nvd:cpe", "cpes": [ "cpe:2.3:a:netty:netty:1.0.24:*:*:*:*:*:*:*" ] }, "found": { "versionConstraint": "= 4.0.16 || = 4.0.17 || = 4.0.18 || = 4.0.19 || = 4.0.20 || = 4.0.21 || = 4.0.22 || = 4.0.23 || = 4.0.24 || = 4.0.3 || = 4.0.4 || = 4.0.11 || = 4.0.1 || = 4.0.2 || = 4.0.9 || = 4.0.10 || = 4.0.25 || = 4.0.26 || = 4.0.27 || <= 3.9.7 || = 3.10.0 || = 4.0.5 || = 4.0.6 || = 3.10.1 || = 3.10.2 || = 4.0.7 || = 4.0.8 || = 4.0.12 || = 4.1.0 || = 4.1.0 || = 4.0.0 || = 4.0.13 || = 4.0.14 || = 4.1.0 || = 4.1.0 || = 4.0.15 (unknown)", "cpes": [ "cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:*" ] } } ], "artifact": { "name": "reactor-netty-core", "version": "1.0.24", "type": "java-archive", "locations": [ { "path": "target/appconfigdemo-0.0.1-SNAPSHOT.jar" } ], "language": "java", "licenses": [], "cpes": [ "cpe:2.3:a:reactor-netty-core:reactor-netty-core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor-netty-core:reactor_netty_core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor_netty_core:reactor-netty-core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor_netty_core:reactor_netty_core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:projectreactor:reactor-netty-core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:projectreactor:reactor_netty_core:1.0.24:*:*:*:*:*:*:*", 
"cpe:2.3:a:reactor-netty:reactor-netty-core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor-netty:reactor_netty_core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor_netty:reactor-netty-core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor_netty:reactor_netty_core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor:reactor-netty-core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor:reactor_netty_core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:netty:reactor-netty-core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:netty:reactor_netty_core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor-netty-core:netty:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor_netty_core:netty:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:projectreactor:netty:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor-netty:netty:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor_netty:netty:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor:netty:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:netty:netty:1.0.24:*:*:*:*:*:*:*" ], "purl": "pkg:maven/io.projectreactor.netty.reactor-netty-core/reactor-netty-core@1.0.24", "upstreams": [], "metadataType": "JavaMetadata", "metadata": { "virtualPath": "target/appconfigdemo-0.0.1-SNAPSHOT.jar:BOOT-INF/lib/reactor-netty-core-1.0.24.jar", "pomArtifactID": "", "pomGroupID": "", "manifestName": "", "archiveDigests": [ { "algorithm": "sha1", "value": "feaecb39237170aafb23935e9b383e8dda281379" } ] } }, "appliedIgnoreRules": [ { "vulnerability": "CVE-2015-2156" } ] }, { "vulnerability": { "id": "CVE-2015-2156", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2015-2156", "namespace": "nvd:cpe", "severity": "High", "urls": [ "https://www.playframework.com/security/vulnerability/CVE-2015-2156-HttpOnlyBypass", "https://github.com/netty/netty/pull/3754", "https://bugzilla.redhat.com/show_bug.cgi?id=1222923", "http://www.securityfocus.com/bid/74704", "http://www.openwall.com/lists/oss-security/2015/05/17/1", "http://netty.io/news/2015/05/08/3-9-8-Final-and-3.html", "http://lists.fedoraproject.org/pipermail/package-announce/2015-May/159166.html", 
"http://lists.fedoraproject.org/pipermail/package-announce/2015-June/159379.html", "https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8@%3Ccommits.pulsar.apache.org%3E", "https://lists.apache.org/thread.html/a19bb1003b0d6cd22475ba83c019b4fc7facfef2a9e13f71132529d3@%3Ccommits.cassandra.apache.org%3E", "https://lists.apache.org/thread.html/dc1275aef115bda172851a231c76c0932d973f9ffd8bc375c4aba769@%3Ccommits.cassandra.apache.org%3E", "https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe@%3Ccommits.druid.apache.org%3E" ], "description": "Netty before 3.9.8.Final, 3.10.x before 3.10.3.Final, 4.0.x before 4.0.28.Final, and 4.1.x before 4.1.0.Beta5 and Play Framework 2.x before 2.3.9 might allow remote attackers to bypass the httpOnly flag on cookies and obtain sensitive information by leveraging improper validation of cookie name and value characters.", "cvss": [ { "version": "2.0", "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "metrics": { "baseScore": 4.3, "exploitabilityScore": 8.6, "impactScore": 2.9 }, "vendorMetadata": {} }, { "version": "3.0", "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "metrics": { "baseScore": 7.5, "exploitabilityScore": 3.9, "impactScore": 3.6 }, "vendorMetadata": {} } ], "fix": { "versions": [], "state": "unknown" }, "advisories": [] }, "relatedVulnerabilities": [], "matchDetails": [ { "type": "cpe-match", "matcher": "java-matcher", "searchedBy": { "namespace": "nvd:cpe", "cpes": [ "cpe:2.3:a:netty:netty:1.0.24:*:*:*:*:*:*:*" ] }, "found": { "versionConstraint": "= 4.0.16 || = 4.0.17 || = 4.0.18 || = 4.0.19 || = 4.0.20 || = 4.0.21 || = 4.0.22 || = 4.0.23 || = 4.0.24 || = 4.0.3 || = 4.0.4 || = 4.0.11 || = 4.0.1 || = 4.0.2 || = 4.0.9 || = 4.0.10 || = 4.0.25 || = 4.0.26 || = 4.0.27 || <= 3.9.7 || = 3.10.0 || = 4.0.5 || = 4.0.6 || = 3.10.1 || = 3.10.2 || = 4.0.7 || = 4.0.8 || = 4.0.12 || = 4.1.0 || = 4.1.0 || = 4.0.0 || = 4.0.13 || = 4.0.14 || = 4.1.0 || = 
4.1.0 || = 4.0.15 (unknown)", "cpes": [ "cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:*" ] } } ], "artifact": { "name": "reactor-netty-http", "version": "1.0.24", "type": "java-archive", "locations": [ { "path": "target/appconfigdemo-0.0.1-SNAPSHOT.jar" } ], "language": "java", "licenses": [], "cpes": [ "cpe:2.3:a:reactor-netty-http:reactor-netty-http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor-netty-http:reactor_netty_http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor_netty_http:reactor-netty-http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor_netty_http:reactor_netty_http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:projectreactor:reactor-netty-http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:projectreactor:reactor_netty_http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor-netty:reactor-netty-http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor-netty:reactor_netty_http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor_netty:reactor-netty-http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor_netty:reactor_netty_http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor:reactor-netty-http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor:reactor_netty_http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:netty:reactor-netty-http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:netty:reactor_netty_http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor-netty-http:netty:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor_netty_http:netty:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:projectreactor:netty:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor-netty:netty:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor_netty:netty:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor:netty:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:netty:netty:1.0.24:*:*:*:*:*:*:*" ], "purl": "pkg:maven/io.projectreactor.netty.reactor-netty-http/reactor-netty-http@1.0.24", "upstreams": [], "metadataType": "JavaMetadata", "metadata": { "virtualPath": "target/appconfigdemo-0.0.1-SNAPSHOT.jar:BOOT-INF/lib/reactor-netty-http-1.0.24.jar", "pomArtifactID": "", "pomGroupID": "", "manifestName": "", "archiveDigests": [ { "algorithm": "sha1", "value": 
"2fac480a17f752335318f103ab91427bdfb7716a" } ] } }, "appliedIgnoreRules": [ { "vulnerability": "CVE-2015-2156" } ] }, { "vulnerability": { "id": "CVE-2016-1000027", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2016-1000027", "namespace": "nvd:cpe", "severity": "Critical", "urls": [ "https://security-tracker.debian.org/tracker/CVE-2016-1000027", "https://raw.githubusercontent.com/distributedweaknessfiling/cvelist/master/2016/1000xxx/CVE-2016-1000027.json", "https://www.tenable.com/security/research/tra-2016-20", "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-1000027", "https://github.com/spring-projects/spring-framework/issues/24434#issuecomment-582313417", "https://github.com/spring-projects/spring-framework/issues/24434#issuecomment-579669626", "https://spring.io/blog/2022/05/11/spring-framework-5-3-20-and-5-2-22-available-now", "https://github.com/spring-projects/spring-framework/issues/24434#issuecomment-744519525" ], "description": "Pivotal Spring Framework through 5.3.16 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or not occur, and authentication may be required. NOTE: the vendor's position is that untrusted data is not an intended use case. 
The product's behavior will not be changed because some users rely on deserialization of trusted data.", "cvss": [ { "version": "2.0", "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "metrics": { "baseScore": 7.5, "exploitabilityScore": 10, "impactScore": 6.4 }, "vendorMetadata": {} }, { "version": "3.1", "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "metrics": { "baseScore": 9.8, "exploitabilityScore": 3.9, "impactScore": 5.9 }, "vendorMetadata": {} } ], "fix": { "versions": [], "state": "unknown" }, "advisories": [] }, "relatedVulnerabilities": [], "matchDetails": [ { "type": "cpe-match", "matcher": "java-matcher", "searchedBy": { "namespace": "nvd:cpe", "cpes": [ "cpe:2.3:a:vmware:spring_framework:5.3.23:*:*:*:*:*:*:*" ] }, "found": { "versionConstraint": "< 6.0.0 (unknown)", "cpes": [ "cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*" ] } } ], "artifact": { "name": "spring-core", "version": "5.3.23", "type": "java-archive", "locations": [ { "path": "target/appconfigdemo-0.0.1-SNAPSHOT.jar" } ], "language": "java", "licenses": [], "cpes": [ "cpe:2.3:a:springsource-spring-framework:springsource_spring_framework:5.3.23:*:*:*:*:*:*:*", "cpe:2.3:a:springsource_spring_framework:springsource_spring_framework:5.3.23:*:*:*:*:*:*:*", "cpe:2.3:a:springsource-spring:springsource_spring_framework:5.3.23:*:*:*:*:*:*:*", "cpe:2.3:a:springsource_spring:springsource_spring_framework:5.3.23:*:*:*:*:*:*:*", "cpe:2.3:a:pivotal_software:springsource_spring_framework:5.3.23:*:*:*:*:*:*:*", "cpe:2.3:a:spring-framework:springsource_spring_framework:5.3.23:*:*:*:*:*:*:*", "cpe:2.3:a:spring_framework:springsource_spring_framework:5.3.23:*:*:*:*:*:*:*", "cpe:2.3:a:springsource-spring-framework:spring_framework:5.3.23:*:*:*:*:*:*:*", "cpe:2.3:a:springsource_spring_framework:spring_framework:5.3.23:*:*:*:*:*:*:*", "cpe:2.3:a:springsource:springsource_spring_framework:5.3.23:*:*:*:*:*:*:*", "cpe:2.3:a:spring-core:springsource_spring_framework:5.3.23:*:*:*:*:*:*:*", 
"cpe:2.3:a:spring_core:springsource_spring_framework:5.3.23:*:*:*:*:*:*:*", "cpe:2.3:a:springsource-spring-framework:spring-core:5.3.23:*:*:*:*:*:*:*", "cpe:2.3:a:springsource-spring-framework:spring_core:5.3.23:*:*:*:*:*:*:*", "cpe:2.3:a:springsource_spring_framework:spring-core:5.3.23:*:*:*:*:*:*:*", "cpe:2.3:a:springsource_spring_framework:spring_core:5.3.23:*:*:*:*:*:*:*", "cpe:2.3:a:spring:springsource_spring_framework:5.3.23:*:*:*:*:*:*:*", "cpe:2.3:a:springsource-spring:spring_framework:5.3.23:*:*:*:*:*:*:*", "cpe:2.3:a:springsource_spring:spring_framework:5.3.23:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:springsource_spring_framework:5.3.23:*:*:*:*:*:*:*", "cpe:2.3:a:pivotal_software:spring_framework:5.3.23:*:*:*:*:*:*:*", "cpe:2.3:a:spring-framework:spring_framework:5.3.23:*:*:*:*:*:*:*", "cpe:2.3:a:spring_framework:spring_framework:5.3.23:*:*:*:*:*:*:*", "cpe:2.3:a:springsource-spring:spring-core:5.3.23:*:*:*:*:*:*:*", "cpe:2.3:a:springsource-spring:spring_core:5.3.23:*:*:*:*:*:*:*", "cpe:2.3:a:springsource_spring:spring-core:5.3.23:*:*:*:*:*:*:*", "cpe:2.3:a:springsource_spring:spring_core:5.3.23:*:*:*:*:*:*:*", "cpe:2.3:a:springsource:spring_framework:5.3.23:*:*:*:*:*:*:*", "cpe:2.3:a:pivotal_software:spring-core:5.3.23:*:*:*:*:*:*:*", "cpe:2.3:a:pivotal_software:spring_core:5.3.23:*:*:*:*:*:*:*", "cpe:2.3:a:spring-core:spring_framework:5.3.23:*:*:*:*:*:*:*", "cpe:2.3:a:spring-framework:spring-core:5.3.23:*:*:*:*:*:*:*", "cpe:2.3:a:spring-framework:spring_core:5.3.23:*:*:*:*:*:*:*", "cpe:2.3:a:spring_core:spring_framework:5.3.23:*:*:*:*:*:*:*", "cpe:2.3:a:spring_framework:spring-core:5.3.23:*:*:*:*:*:*:*", "cpe:2.3:a:spring_framework:spring_core:5.3.23:*:*:*:*:*:*:*", "cpe:2.3:a:springsource:spring-core:5.3.23:*:*:*:*:*:*:*", "cpe:2.3:a:springsource:spring_core:5.3.23:*:*:*:*:*:*:*", "cpe:2.3:a:spring-core:spring-core:5.3.23:*:*:*:*:*:*:*", "cpe:2.3:a:spring-core:spring_core:5.3.23:*:*:*:*:*:*:*", "cpe:2.3:a:spring:spring_framework:5.3.23:*:*:*:*:*:*:*", 
"cpe:2.3:a:spring_core:spring-core:5.3.23:*:*:*:*:*:*:*", "cpe:2.3:a:spring_core:spring_core:5.3.23:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:spring_framework:5.3.23:*:*:*:*:*:*:*", "cpe:2.3:a:spring:spring-core:5.3.23:*:*:*:*:*:*:*", "cpe:2.3:a:spring:spring_core:5.3.23:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:spring-core:5.3.23:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:spring_core:5.3.23:*:*:*:*:*:*:*" ], "purl": "pkg:maven/spring-core/spring-core@5.3.23", "upstreams": [], "metadataType": "JavaMetadata", "metadata": { "virtualPath": "target/appconfigdemo-0.0.1-SNAPSHOT.jar:BOOT-INF/lib/spring-core-5.3.23.jar", "pomArtifactID": "", "pomGroupID": "", "manifestName": "", "archiveDigests": [ { "algorithm": "sha1", "value": "91407dc1106ea423c44150f3da1a0b4f8e25e5ca" } ] } }, "appliedIgnoreRules": [ { "vulnerability": "CVE-2016-1000027" } ] }, { "vulnerability": { "id": "CVE-2019-16869", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2019-16869", "namespace": "nvd:cpe", "severity": "High", "urls": [ "https://github.com/netty/netty/issues/9571", "https://github.com/netty/netty/compare/netty-4.1.41.Final...netty-4.1.42.Final", "https://lists.apache.org/thread.html/9128111213b7b734ffc85db08d8f789b00a85a7f241b708e55debbd0@%3Cissues.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/6e1e34c0d5635a987d595df9e532edac212307243bb1b49eead6d55b@%3Cissues.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/e39931d7cdd17241e69a0a09a89d99d7435bcc59afee8a9628d67769@%3Cdev.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/2494a2ac7f66af6e4646a4937b17972a4ec7cd3c7333c66ffd6c639d@%3Cdev.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/76540c8b0ed761bfa6c81fa28c13057f13a5448aed079d656f6a3c79@%3Cissues.zookeeper.apache.org%3E", "https://lists.debian.org/debian-lts-announce/2019/09/msg00035.html", "https://lists.apache.org/thread.html/d3eb0dbea75ef5c400bd49dfa1901ad50be606cca3cb29e0d01b6a54@%3Cissues.zookeeper.apache.org%3E", 
"https://lists.apache.org/thread.html/3e6d7aae1cca10257e3caf2d69b22f74c875f12a1314155af422569d@%3Cdev.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/37ed432b8eb35d8bd757f53783ec3e334bd51f514534432bea7f1c3d@%3Cissues.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/bdf7a5e597346a75d2d884ca48c767525e35137ad59d8f10b8fc943c@%3Cdev.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/cf5aa087632ead838f8ac3a42e9837684e7afe6e0fcb7704e0c73bc0@%3Ccommits.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/380f6d2730603a2cd6b0a8bea9bcb21a86c199147e77e448c5f7390b@%3Ccommits.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/cbf6e6a04cb37e9320ad20e437df63beeab1755fc0761918ed5c5a6e@%3Ccommits.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/2e1cf538b502713c2c42ffa46d81f4688edb5676eb55bd9fc4b4fed7@%3Cissues.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/a0f77c73af32cbe4ff0968bfcbbe80ae6361f3dccdd46f3177547266@%3Cissues.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/b2cd51795f938632c6f60a4c59d9e587fbacd7f7d0e0a3684850a30f@%3Cissues.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E", "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E", "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E", "https://lists.apache.org/thread.html/e192fe8797c192679759ffa6b15e4d0806546945a41d8ebfbc6ee3ac@%3Ccommits.tinkerpop.apache.org%3E", "https://lists.apache.org/thread.html/d14f721e0099b914daebe29bca199fde85d8354253be9d6d3d46507a@%3Ccommits.cassandra.apache.org%3E", "https://lists.apache.org/thread.html/f6c5ebfb018787c764f000362d59e4b231c0a36b6253aa866de8c64e@%3Ccommits.cassandra.apache.org%3E", "https://access.redhat.com/errata/RHSA-2019:3892", 
"https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe@%3Ccommits.druid.apache.org%3E", "https://access.redhat.com/errata/RHSA-2019:3901", "https://lists.apache.org/thread.html/d7d530599dc7813056c712213e367b68cdf56fb5c9b73f864870bc4c@%3Cdev.olingo.apache.org%3E", "https://lists.apache.org/thread.html/6063699b87b501ecca8dd3b0e82251bfc85f29363a9b46ac5ace80cf@%3Cdev.olingo.apache.org%3E", "https://lists.apache.org/thread.html/19fed892608db1efe5a5ce14372137669ff639df0205323959af7de3@%3Cdev.olingo.apache.org%3E", "https://lists.apache.org/thread.html/af6e9c2d716868606523857a4cd7a5ee506e6d1710f5fb0d567ec030@%3Cdev.olingo.apache.org%3E", "https://lists.apache.org/thread.html/b264fa5801e87698e9f43f2b5585fbc5ebdc26c6f4aad861b258fb69@%3Cdev.olingo.apache.org%3E", "https://lists.apache.org/thread.html/b3dda6399a0ea2b647624b899fd330fca81834e41b13e3e11e1002d8@%3Cdev.olingo.apache.org%3E", "https://lists.apache.org/thread.html/ee6faea9e542c0b90afd70297a9daa203e20d41aa2ac7fca6703662f@%3Cissues.spark.apache.org%3E", "https://lists.apache.org/thread.html/860acce024d79837e963a51a42bab2cef8e8d017aad2b455ecd1dcf0@%3Cissues.spark.apache.org%3E", "https://lists.apache.org/thread.html/0acadfb96176768caac79b404110df62d14d30aa9d53b6dbdb1407ac@%3Cissues.spark.apache.org%3E", "https://lists.apache.org/thread.html/b3ddeebbfaf8a288d7de8ab2611cf2609ab76b9809f0633248546b7c@%3Cissues.spark.apache.org%3E", "https://lists.apache.org/thread.html/51923a9ba513b2e816e02a9d1fd8aa6f12e3e4e99bbd9dc884bccbbe@%3Cissues.spark.apache.org%3E", "https://lists.apache.org/thread.html/799eb85d67cbddc1851a3e63a07b55e95b2f44f1685225d38570ce89@%3Cissues.spark.apache.org%3E", "https://lists.apache.org/thread.html/64b10f49c68333aaecf00348c5670fe182e49fd60d45c4a3ab241f8b@%3Cissues.spark.apache.org%3E", "https://lists.apache.org/thread.html/681493a2f9b63f5b468f741d88d1aa51b2cfcf7a1c5b74ea8c4343fb@%3Cissues.spark.apache.org%3E", 
"https://lists.apache.org/thread.html/35961d1ae00849974353a932b4fef12ebce074541552eceefa04f1fd@%3Cdev.olingo.apache.org%3E", "https://www.debian.org/security/2020/dsa-4597", "https://seclists.org/bugtraq/2020/Jan/6", "https://access.redhat.com/errata/RHSA-2020:0164", "https://access.redhat.com/errata/RHSA-2020:0159", "https://access.redhat.com/errata/RHSA-2020:0160", "https://access.redhat.com/errata/RHSA-2020:0161", "https://lists.apache.org/thread.html/re45ee9256d3233c31d78e59ee59c7dc841c7fbd83d0769285b41e948@%3Ccommits.druid.apache.org%3E", "https://access.redhat.com/errata/RHSA-2020:0445", "https://lists.apache.org/thread.html/r959474dcf7f88565ed89f6252ca5a274419006cb71348f14764b183d@%3Ccommits.cassandra.apache.org%3E", "https://lists.apache.org/thread.html/rc7eb5634b71d284483e58665b22bf274a69bd184d9bd7ede52015d91@%3Ccommon-issues.hadoop.apache.org%3E", "https://lists.apache.org/thread.html/r90030b0117490caed526e57271bf4d7f9b012091ac5083c895d16543@%3Ccommon-issues.hadoop.apache.org%3E", "https://lists.apache.org/thread.html/re0b78a3d0a4ba2cf9f4e14e1d05040bde9051d5c78071177186336c9@%3Ccommon-issues.hadoop.apache.org%3E", "https://lists.debian.org/debian-lts-announce/2020/02/msg00018.html", "https://lists.apache.org/thread.html/re78eaef7d01ad65c370df30e45c686fffff00b37f7bfd78b26a08762@%3Ccommon-issues.hadoop.apache.org%3E", "https://lists.apache.org/thread.html/r0c3d49bfdbc62fd3915676433cc5899c5506d06da1c552ef1b7923a5@%3Ccommon-issues.hadoop.apache.org%3E", "https://lists.apache.org/thread.html/rf2bf8e2eb0a03227f5bc100b544113f8cafea01e887bb068e8d1fa41@%3Ccommon-issues.hadoop.apache.org%3E", "https://lists.apache.org/thread.html/rb3361f6c6a5f834ad3db5e998c352760d393c0891b8d3bea90baa836@%3Ccommon-issues.hadoop.apache.org%3E", "https://lists.apache.org/thread.html/r86befa74c5cd1482c711134104aec339bf7ae879f2c4437d7ec477d4@%3Ccommon-commits.hadoop.apache.org%3E", 
"https://lists.apache.org/thread.html/rdd5d243a5f8ed8b83c0104e321aa420e5e98792a95749e3c9a54c0b9@%3Ccommon-commits.hadoop.apache.org%3E", "https://lists.apache.org/thread.html/rcb2c59428f34d4757702f9ae739a8795bda7bea97b857e708a9c62c6@%3Ccommon-commits.hadoop.apache.org%3E", "https://lists.apache.org/thread.html/r8402d67fdfe9cf169f859d52a7670b28a08eff31e54b522cc1432532@%3Ccommon-issues.hadoop.apache.org%3E", "https://lists.apache.org/thread.html/r4d3f1d3e333d9c2b2f6e6ae8ed8750d4de03410ac294bcd12c7eefa3@%3Ccommits.cassandra.apache.org%3E", "https://lists.debian.org/debian-lts-announce/2020/09/msg00004.html", "https://lists.apache.org/thread.html/rf5b2dfb7401666a19915f8eaef3ba9f5c3386e2066fcd2ae66e16a2f@%3Cdev.flink.apache.org%3E", "https://lists.apache.org/thread.html/raaac04b7567c554786132144bea3dcb72568edd410c1e6f0101742e7@%3Cissues.flink.apache.org%3E", "https://usn.ubuntu.com/4532-1/", "https://lists.apache.org/thread.html/r0aa8b28e76ec01c697b15e161e6797e88fc8d406ed762e253401106e@%3Ccommits.camel.apache.org%3E", "https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26@%3Ccommits.pulsar.apache.org%3E", "https://lists.apache.org/thread.html/r831e0548fad736a98140d0b3b7dc575af0c50faea0b266434ba813cc@%3Cdev.rocketmq.apache.org%3E", "https://lists.apache.org/thread.html/rb25b42f666d2cac5e6e6b3f771faf60d1f1aa58073dcdd8db14edf8a@%3Cdev.rocketmq.apache.org%3E", "https://lists.apache.org/thread.html/rcddf723a4b4117f8ed6042e9ac25e8c5110a617bab77694b61b14833@%3Cdev.rocketmq.apache.org%3E", "https://lists.apache.org/thread.html/r7790b9d99696d9eddce8a8c96f13bb68460984294ea6fea3800143e4@%3Ccommits.pulsar.apache.org%3E", "https://lists.apache.org/thread.html/rdb69125652311d0c41f6066ff44072a3642cf33a4b5e3c4f9c1ec9c2@%3Ccommits.pulsar.apache.org%3E", "https://lists.apache.org/thread.html/r832724df393a7ef25ca4c7c2eb83ad2d6c21c74569acda5233f9f1ec@%3Ccommits.pulsar.apache.org%3E", 
"https://lists.apache.org/thread.html/rc8d554aad889d12b140d9fd7d2d6fc2e8716e9792f6f4e4b2cdc2d05@%3Ccommits.cassandra.apache.org%3E", "https://lists.apache.org/thread.html/r131e572d003914843552fa45c4398b9903fb74144986e8b107c0a3a7@%3Ccommits.cassandra.apache.org%3E", "https://lists.apache.org/thread.html/r73c400ab66d79821dec9e3472f0e2c048d528672bdb0f8bf44d7cb1f@%3Ccommits.cassandra.apache.org%3E", "https://lists.apache.org/thread.html/r3225f7dfe6b8a37e800ecb8e31abd7ac6c4312dbd3223dd8139c37bb@%3Ccommits.cassandra.apache.org%3E" ], "description": "Netty before 4.1.42.Final mishandles whitespace before the colon in HTTP headers (such as a \"Transfer-Encoding : chunked\" line), which leads to HTTP request smuggling.", "cvss": [ { "version": "2.0", "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "metrics": { "baseScore": 5, "exploitabilityScore": 10, "impactScore": 2.9 }, "vendorMetadata": {} }, { "version": "3.1", "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "metrics": { "baseScore": 7.5, "exploitabilityScore": 3.9, "impactScore": 3.6 }, "vendorMetadata": {} } ], "fix": { "versions": [], "state": "unknown" }, "advisories": [] }, "relatedVulnerabilities": [], "matchDetails": [ { "type": "cpe-match", "matcher": "java-matcher", "searchedBy": { "namespace": "nvd:cpe", "cpes": [ "cpe:2.3:a:netty:netty:1.0.24:*:*:*:*:*:*:*" ] }, "found": { "versionConstraint": "< 4.1.42 (unknown)", "cpes": [ "cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:*" ] } } ], "artifact": { "name": "reactor-netty-core", "version": "1.0.24", "type": "java-archive", "locations": [ { "path": "target/appconfigdemo-0.0.1-SNAPSHOT.jar" } ], "language": "java", "licenses": [], "cpes": [ "cpe:2.3:a:reactor-netty-core:reactor-netty-core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor-netty-core:reactor_netty_core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor_netty_core:reactor-netty-core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor_netty_core:reactor_netty_core:1.0.24:*:*:*:*:*:*:*", 
"cpe:2.3:a:projectreactor:reactor-netty-core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:projectreactor:reactor_netty_core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor-netty:reactor-netty-core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor-netty:reactor_netty_core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor_netty:reactor-netty-core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor_netty:reactor_netty_core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor:reactor-netty-core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor:reactor_netty_core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:netty:reactor-netty-core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:netty:reactor_netty_core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor-netty-core:netty:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor_netty_core:netty:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:projectreactor:netty:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor-netty:netty:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor_netty:netty:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor:netty:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:netty:netty:1.0.24:*:*:*:*:*:*:*" ], "purl": "pkg:maven/io.projectreactor.netty.reactor-netty-core/reactor-netty-core@1.0.24", "upstreams": [], "metadataType": "JavaMetadata", "metadata": { "virtualPath": "target/appconfigdemo-0.0.1-SNAPSHOT.jar:BOOT-INF/lib/reactor-netty-core-1.0.24.jar", "pomArtifactID": "", "pomGroupID": "", "manifestName": "", "archiveDigests": [ { "algorithm": "sha1", "value": "feaecb39237170aafb23935e9b383e8dda281379" } ] } }, "appliedIgnoreRules": [ { "vulnerability": "CVE-2019-16869" } ] }, { "vulnerability": { "id": "CVE-2019-16869", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2019-16869", "namespace": "nvd:cpe", "severity": "High", "urls": [ "https://github.com/netty/netty/issues/9571", "https://github.com/netty/netty/compare/netty-4.1.41.Final...netty-4.1.42.Final", "https://lists.apache.org/thread.html/9128111213b7b734ffc85db08d8f789b00a85a7f241b708e55debbd0@%3Cissues.zookeeper.apache.org%3E", 
"https://lists.apache.org/thread.html/6e1e34c0d5635a987d595df9e532edac212307243bb1b49eead6d55b@%3Cissues.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/e39931d7cdd17241e69a0a09a89d99d7435bcc59afee8a9628d67769@%3Cdev.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/2494a2ac7f66af6e4646a4937b17972a4ec7cd3c7333c66ffd6c639d@%3Cdev.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/76540c8b0ed761bfa6c81fa28c13057f13a5448aed079d656f6a3c79@%3Cissues.zookeeper.apache.org%3E", "https://lists.debian.org/debian-lts-announce/2019/09/msg00035.html", "https://lists.apache.org/thread.html/d3eb0dbea75ef5c400bd49dfa1901ad50be606cca3cb29e0d01b6a54@%3Cissues.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/3e6d7aae1cca10257e3caf2d69b22f74c875f12a1314155af422569d@%3Cdev.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/37ed432b8eb35d8bd757f53783ec3e334bd51f514534432bea7f1c3d@%3Cissues.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/bdf7a5e597346a75d2d884ca48c767525e35137ad59d8f10b8fc943c@%3Cdev.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/cf5aa087632ead838f8ac3a42e9837684e7afe6e0fcb7704e0c73bc0@%3Ccommits.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/380f6d2730603a2cd6b0a8bea9bcb21a86c199147e77e448c5f7390b@%3Ccommits.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/cbf6e6a04cb37e9320ad20e437df63beeab1755fc0761918ed5c5a6e@%3Ccommits.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/2e1cf538b502713c2c42ffa46d81f4688edb5676eb55bd9fc4b4fed7@%3Cissues.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/a0f77c73af32cbe4ff0968bfcbbe80ae6361f3dccdd46f3177547266@%3Cissues.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/b2cd51795f938632c6f60a4c59d9e587fbacd7f7d0e0a3684850a30f@%3Cissues.zookeeper.apache.org%3E", 
"https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E", "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E", "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E", "https://lists.apache.org/thread.html/e192fe8797c192679759ffa6b15e4d0806546945a41d8ebfbc6ee3ac@%3Ccommits.tinkerpop.apache.org%3E", "https://lists.apache.org/thread.html/d14f721e0099b914daebe29bca199fde85d8354253be9d6d3d46507a@%3Ccommits.cassandra.apache.org%3E", "https://lists.apache.org/thread.html/f6c5ebfb018787c764f000362d59e4b231c0a36b6253aa866de8c64e@%3Ccommits.cassandra.apache.org%3E", "https://access.redhat.com/errata/RHSA-2019:3892", "https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe@%3Ccommits.druid.apache.org%3E", "https://access.redhat.com/errata/RHSA-2019:3901", "https://lists.apache.org/thread.html/d7d530599dc7813056c712213e367b68cdf56fb5c9b73f864870bc4c@%3Cdev.olingo.apache.org%3E", "https://lists.apache.org/thread.html/6063699b87b501ecca8dd3b0e82251bfc85f29363a9b46ac5ace80cf@%3Cdev.olingo.apache.org%3E", "https://lists.apache.org/thread.html/19fed892608db1efe5a5ce14372137669ff639df0205323959af7de3@%3Cdev.olingo.apache.org%3E", "https://lists.apache.org/thread.html/af6e9c2d716868606523857a4cd7a5ee506e6d1710f5fb0d567ec030@%3Cdev.olingo.apache.org%3E", "https://lists.apache.org/thread.html/b264fa5801e87698e9f43f2b5585fbc5ebdc26c6f4aad861b258fb69@%3Cdev.olingo.apache.org%3E", "https://lists.apache.org/thread.html/b3dda6399a0ea2b647624b899fd330fca81834e41b13e3e11e1002d8@%3Cdev.olingo.apache.org%3E", "https://lists.apache.org/thread.html/ee6faea9e542c0b90afd70297a9daa203e20d41aa2ac7fca6703662f@%3Cissues.spark.apache.org%3E", 
"https://lists.apache.org/thread.html/860acce024d79837e963a51a42bab2cef8e8d017aad2b455ecd1dcf0@%3Cissues.spark.apache.org%3E", "https://lists.apache.org/thread.html/0acadfb96176768caac79b404110df62d14d30aa9d53b6dbdb1407ac@%3Cissues.spark.apache.org%3E", "https://lists.apache.org/thread.html/b3ddeebbfaf8a288d7de8ab2611cf2609ab76b9809f0633248546b7c@%3Cissues.spark.apache.org%3E", "https://lists.apache.org/thread.html/51923a9ba513b2e816e02a9d1fd8aa6f12e3e4e99bbd9dc884bccbbe@%3Cissues.spark.apache.org%3E", "https://lists.apache.org/thread.html/799eb85d67cbddc1851a3e63a07b55e95b2f44f1685225d38570ce89@%3Cissues.spark.apache.org%3E", "https://lists.apache.org/thread.html/64b10f49c68333aaecf00348c5670fe182e49fd60d45c4a3ab241f8b@%3Cissues.spark.apache.org%3E", "https://lists.apache.org/thread.html/681493a2f9b63f5b468f741d88d1aa51b2cfcf7a1c5b74ea8c4343fb@%3Cissues.spark.apache.org%3E", "https://lists.apache.org/thread.html/35961d1ae00849974353a932b4fef12ebce074541552eceefa04f1fd@%3Cdev.olingo.apache.org%3E", "https://www.debian.org/security/2020/dsa-4597", "https://seclists.org/bugtraq/2020/Jan/6", "https://access.redhat.com/errata/RHSA-2020:0164", "https://access.redhat.com/errata/RHSA-2020:0159", "https://access.redhat.com/errata/RHSA-2020:0160", "https://access.redhat.com/errata/RHSA-2020:0161", "https://lists.apache.org/thread.html/re45ee9256d3233c31d78e59ee59c7dc841c7fbd83d0769285b41e948@%3Ccommits.druid.apache.org%3E", "https://access.redhat.com/errata/RHSA-2020:0445", "https://lists.apache.org/thread.html/r959474dcf7f88565ed89f6252ca5a274419006cb71348f14764b183d@%3Ccommits.cassandra.apache.org%3E", "https://lists.apache.org/thread.html/rc7eb5634b71d284483e58665b22bf274a69bd184d9bd7ede52015d91@%3Ccommon-issues.hadoop.apache.org%3E", "https://lists.apache.org/thread.html/r90030b0117490caed526e57271bf4d7f9b012091ac5083c895d16543@%3Ccommon-issues.hadoop.apache.org%3E", 
"https://lists.apache.org/thread.html/re0b78a3d0a4ba2cf9f4e14e1d05040bde9051d5c78071177186336c9@%3Ccommon-issues.hadoop.apache.org%3E", "https://lists.debian.org/debian-lts-announce/2020/02/msg00018.html", "https://lists.apache.org/thread.html/re78eaef7d01ad65c370df30e45c686fffff00b37f7bfd78b26a08762@%3Ccommon-issues.hadoop.apache.org%3E", "https://lists.apache.org/thread.html/r0c3d49bfdbc62fd3915676433cc5899c5506d06da1c552ef1b7923a5@%3Ccommon-issues.hadoop.apache.org%3E", "https://lists.apache.org/thread.html/rf2bf8e2eb0a03227f5bc100b544113f8cafea01e887bb068e8d1fa41@%3Ccommon-issues.hadoop.apache.org%3E", "https://lists.apache.org/thread.html/rb3361f6c6a5f834ad3db5e998c352760d393c0891b8d3bea90baa836@%3Ccommon-issues.hadoop.apache.org%3E", "https://lists.apache.org/thread.html/r86befa74c5cd1482c711134104aec339bf7ae879f2c4437d7ec477d4@%3Ccommon-commits.hadoop.apache.org%3E", "https://lists.apache.org/thread.html/rdd5d243a5f8ed8b83c0104e321aa420e5e98792a95749e3c9a54c0b9@%3Ccommon-commits.hadoop.apache.org%3E", "https://lists.apache.org/thread.html/rcb2c59428f34d4757702f9ae739a8795bda7bea97b857e708a9c62c6@%3Ccommon-commits.hadoop.apache.org%3E", "https://lists.apache.org/thread.html/r8402d67fdfe9cf169f859d52a7670b28a08eff31e54b522cc1432532@%3Ccommon-issues.hadoop.apache.org%3E", "https://lists.apache.org/thread.html/r4d3f1d3e333d9c2b2f6e6ae8ed8750d4de03410ac294bcd12c7eefa3@%3Ccommits.cassandra.apache.org%3E", "https://lists.debian.org/debian-lts-announce/2020/09/msg00004.html", "https://lists.apache.org/thread.html/rf5b2dfb7401666a19915f8eaef3ba9f5c3386e2066fcd2ae66e16a2f@%3Cdev.flink.apache.org%3E", "https://lists.apache.org/thread.html/raaac04b7567c554786132144bea3dcb72568edd410c1e6f0101742e7@%3Cissues.flink.apache.org%3E", "https://usn.ubuntu.com/4532-1/", "https://lists.apache.org/thread.html/r0aa8b28e76ec01c697b15e161e6797e88fc8d406ed762e253401106e@%3Ccommits.camel.apache.org%3E", 
"https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26@%3Ccommits.pulsar.apache.org%3E", "https://lists.apache.org/thread.html/r831e0548fad736a98140d0b3b7dc575af0c50faea0b266434ba813cc@%3Cdev.rocketmq.apache.org%3E", "https://lists.apache.org/thread.html/rb25b42f666d2cac5e6e6b3f771faf60d1f1aa58073dcdd8db14edf8a@%3Cdev.rocketmq.apache.org%3E", "https://lists.apache.org/thread.html/rcddf723a4b4117f8ed6042e9ac25e8c5110a617bab77694b61b14833@%3Cdev.rocketmq.apache.org%3E", "https://lists.apache.org/thread.html/r7790b9d99696d9eddce8a8c96f13bb68460984294ea6fea3800143e4@%3Ccommits.pulsar.apache.org%3E", "https://lists.apache.org/thread.html/rdb69125652311d0c41f6066ff44072a3642cf33a4b5e3c4f9c1ec9c2@%3Ccommits.pulsar.apache.org%3E", "https://lists.apache.org/thread.html/r832724df393a7ef25ca4c7c2eb83ad2d6c21c74569acda5233f9f1ec@%3Ccommits.pulsar.apache.org%3E", "https://lists.apache.org/thread.html/rc8d554aad889d12b140d9fd7d2d6fc2e8716e9792f6f4e4b2cdc2d05@%3Ccommits.cassandra.apache.org%3E", "https://lists.apache.org/thread.html/r131e572d003914843552fa45c4398b9903fb74144986e8b107c0a3a7@%3Ccommits.cassandra.apache.org%3E", "https://lists.apache.org/thread.html/r73c400ab66d79821dec9e3472f0e2c048d528672bdb0f8bf44d7cb1f@%3Ccommits.cassandra.apache.org%3E", "https://lists.apache.org/thread.html/r3225f7dfe6b8a37e800ecb8e31abd7ac6c4312dbd3223dd8139c37bb@%3Ccommits.cassandra.apache.org%3E" ], "description": "Netty before 4.1.42.Final mishandles whitespace before the colon in HTTP headers (such as a \"Transfer-Encoding : chunked\" line), which leads to HTTP request smuggling.", "cvss": [ { "version": "2.0", "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "metrics": { "baseScore": 5, "exploitabilityScore": 10, "impactScore": 2.9 }, "vendorMetadata": {} }, { "version": "3.1", "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "metrics": { "baseScore": 7.5, "exploitabilityScore": 3.9, "impactScore": 3.6 }, "vendorMetadata": {} } ], "fix": { 
"versions": [], "state": "unknown" }, "advisories": [] }, "relatedVulnerabilities": [], "matchDetails": [ { "type": "cpe-match", "matcher": "java-matcher", "searchedBy": { "namespace": "nvd:cpe", "cpes": [ "cpe:2.3:a:netty:netty:1.0.24:*:*:*:*:*:*:*" ] }, "found": { "versionConstraint": "< 4.1.42 (unknown)", "cpes": [ "cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:*" ] } } ], "artifact": { "name": "reactor-netty-http", "version": "1.0.24", "type": "java-archive", "locations": [ { "path": "target/appconfigdemo-0.0.1-SNAPSHOT.jar" } ], "language": "java", "licenses": [], "cpes": [ "cpe:2.3:a:reactor-netty-http:reactor-netty-http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor-netty-http:reactor_netty_http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor_netty_http:reactor-netty-http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor_netty_http:reactor_netty_http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:projectreactor:reactor-netty-http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:projectreactor:reactor_netty_http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor-netty:reactor-netty-http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor-netty:reactor_netty_http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor_netty:reactor-netty-http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor_netty:reactor_netty_http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor:reactor-netty-http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor:reactor_netty_http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:netty:reactor-netty-http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:netty:reactor_netty_http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor-netty-http:netty:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor_netty_http:netty:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:projectreactor:netty:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor-netty:netty:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor_netty:netty:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor:netty:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:netty:netty:1.0.24:*:*:*:*:*:*:*" ], "purl": "pkg:maven/io.projectreactor.netty.reactor-netty-http/reactor-netty-http@1.0.24", "upstreams": [], 
"metadataType": "JavaMetadata", "metadata": { "virtualPath": "target/appconfigdemo-0.0.1-SNAPSHOT.jar:BOOT-INF/lib/reactor-netty-http-1.0.24.jar", "pomArtifactID": "", "pomGroupID": "", "manifestName": "", "archiveDigests": [ { "algorithm": "sha1", "value": "2fac480a17f752335318f103ab91427bdfb7716a" } ] } }, "appliedIgnoreRules": [ { "vulnerability": "CVE-2019-16869" } ] }, { "vulnerability": { "id": "CVE-2019-20444", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2019-20444", "namespace": "nvd:cpe", "severity": "Critical", "urls": [ "https://github.com/netty/netty/compare/netty-4.1.43.Final...netty-4.1.44.Final", "https://github.com/netty/netty/issues/9866", "https://lists.apache.org/thread.html/r70b1ff22ee80e8101805b9a473116dd33265709007d2deb6f8c80bf2@%3Ccommits.druid.apache.org%3E", "https://lists.apache.org/thread.html/re45ee9256d3233c31d78e59ee59c7dc841c7fbd83d0769285b41e948@%3Ccommits.druid.apache.org%3E", "https://lists.apache.org/thread.html/rff210a24f3a924829790e69eaefa84820902b7b31f17c3bf2def9114@%3Ccommits.druid.apache.org%3E", "https://lists.apache.org/thread.html/r96e08f929234e8ba1ef4a93a0fd2870f535a1f9ab628fabc46115986@%3Cdev.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/ra9fbfe7d4830ae675bf34c7c0f8c22fc8a4099f65706c1bc4f54c593@%3Cissues.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/r804895eedd72c9ec67898286eb185e04df852b0dd5fe53cf5b6138f9@%3Cissues.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/rce71d33747010d32d31d90f5d737dae26291d96552f513a266c92fbb@%3Cnotifications.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/ra2ace4bcb5cf487f72cbcbfa0f8cc08e755ec2b93d7e69f276148b08@%3Cissues.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/rfb55f245b08d8a6ec0fb4dc159022227cd22de34c4419c2fbb18802b@%3Cnotifications.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/r36fcf538b28f2029e8b4f6b9a772f3b107913a78f09b095c5b153a62@%3Cissues.zookeeper.apache.org%3E", 
"https://lists.apache.org/thread.html/r310d2ce22304d5298ff87f10134f918c87919b452734f9841d95682d@%3Ccommits.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/r91e0fa345c86c128b75a4a791b4b503b53173ff4c13049ac7129d319@%3Cnotifications.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/r640eb9b3213058a963e18291f903fc1584e577f60035f941e32f760a@%3Cissues.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/r9b20cdac704cf9a583400350e2d5b576fa8417c18ddb961201676c60@%3Ccommits.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/r489886fe72a98768eed665474cba13bad8d6fe0654f24987706636c5@%3Cdev.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/r059b042bca47be53ff8a51fd04d95eb01bb683f1afa209db136e8cb7@%3Cdev.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/r34912a9b1a5c269a77b8be94ef6fb6d1e9b3c69129719dc00f01cf0b@%3Cdev.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/r0f5e72d5f69b4720dfe64fcbc2da9afae949ed1e9cbffa84bb7d92d7@%3Cnotifications.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/r6945f3c346b7af89bbd3526a7c9b705b1e3569070ebcd0964bcedd7d@%3Cissues.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/r1fcccf8bdb3531c28bc9aa605a6a1bea7e68cef6fc12e01faafb2fb5@%3Cissues.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/rb84c57670ec48ef23f4d07973b7fa69f629b8e7fcfb48874362feb6f@%3Ccommits.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/r819aaeb9944bdcfca438dcc51f05650dc728daf64dfd7d774fc2499b@%3Ccommits.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/r4c675b2d0cc2a5e506b11ee10d60a378859ee340aca052e4c7ef4749@%3Cnotifications.zookeeper.apache.org%3E", "https://access.redhat.com/errata/RHSA-2020:0497", "https://lists.apache.org/thread.html/r959474dcf7f88565ed89f6252ca5a274419006cb71348f14764b183d@%3Ccommits.cassandra.apache.org%3E", 
"https://lists.apache.org/thread.html/rc7eb5634b71d284483e58665b22bf274a69bd184d9bd7ede52015d91@%3Ccommon-issues.hadoop.apache.org%3E", "https://lists.apache.org/thread.html/r90030b0117490caed526e57271bf4d7f9b012091ac5083c895d16543@%3Ccommon-issues.hadoop.apache.org%3E", "https://lists.apache.org/thread.html/re0b78a3d0a4ba2cf9f4e14e1d05040bde9051d5c78071177186336c9@%3Ccommon-issues.hadoop.apache.org%3E", "https://lists.debian.org/debian-lts-announce/2020/02/msg00018.html", "https://lists.debian.org/debian-lts-announce/2020/02/msg00017.html", "https://lists.apache.org/thread.html/re78eaef7d01ad65c370df30e45c686fffff00b37f7bfd78b26a08762@%3Ccommon-issues.hadoop.apache.org%3E", "https://lists.apache.org/thread.html/r0c3d49bfdbc62fd3915676433cc5899c5506d06da1c552ef1b7923a5@%3Ccommon-issues.hadoop.apache.org%3E", "https://access.redhat.com/errata/RHSA-2020:0601", "https://access.redhat.com/errata/RHSA-2020:0606", "https://access.redhat.com/errata/RHSA-2020:0605", "https://access.redhat.com/errata/RHSA-2020:0567", "https://lists.apache.org/thread.html/rf2bf8e2eb0a03227f5bc100b544113f8cafea01e887bb068e8d1fa41@%3Ccommon-issues.hadoop.apache.org%3E", "https://lists.apache.org/thread.html/rb3361f6c6a5f834ad3db5e998c352760d393c0891b8d3bea90baa836@%3Ccommon-issues.hadoop.apache.org%3E", "https://lists.apache.org/thread.html/r86befa74c5cd1482c711134104aec339bf7ae879f2c4437d7ec477d4@%3Ccommon-commits.hadoop.apache.org%3E", "https://lists.apache.org/thread.html/rdd5d243a5f8ed8b83c0104e321aa420e5e98792a95749e3c9a54c0b9@%3Ccommon-commits.hadoop.apache.org%3E", "https://lists.apache.org/thread.html/rcb2c59428f34d4757702f9ae739a8795bda7bea97b857e708a9c62c6@%3Ccommon-commits.hadoop.apache.org%3E", "https://lists.apache.org/thread.html/r8402d67fdfe9cf169f859d52a7670b28a08eff31e54b522cc1432532@%3Ccommon-issues.hadoop.apache.org%3E", "https://access.redhat.com/errata/RHSA-2020:0811", "https://access.redhat.com/errata/RHSA-2020:0804", "https://access.redhat.com/errata/RHSA-2020:0805", 
"https://access.redhat.com/errata/RHSA-2020:0806", "https://lists.apache.org/thread.html/r205937c85817a911b0c72655c2377e7a2c9322d6ef6ce1b118d34d8d@%3Cdev.geode.apache.org%3E", "https://lists.apache.org/thread.html/ra1a71b576a45426af5ee65255be9596ff3181a342f4ba73b800db78f@%3Cdev.geode.apache.org%3E", "https://lists.apache.org/thread.html/r4d3f1d3e333d9c2b2f6e6ae8ed8750d4de03410ac294bcd12c7eefa3@%3Ccommits.cassandra.apache.org%3E", "https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E", "https://lists.debian.org/debian-lts-announce/2020/09/msg00003.html", "https://lists.debian.org/debian-lts-announce/2020/09/msg00004.html", "https://lists.apache.org/thread.html/rf5b2dfb7401666a19915f8eaef3ba9f5c3386e2066fcd2ae66e16a2f@%3Cdev.flink.apache.org%3E", "https://lists.apache.org/thread.html/raaac04b7567c554786132144bea3dcb72568edd410c1e6f0101742e7@%3Cissues.flink.apache.org%3E", "https://usn.ubuntu.com/4532-1/", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TS6VX7OMXPDJIU5LRGUAHRK6MENAVJ46/", "https://lists.apache.org/thread.html/r0aa8b28e76ec01c697b15e161e6797e88fc8d406ed762e253401106e@%3Ccommits.camel.apache.org%3E", "https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26@%3Ccommits.pulsar.apache.org%3E", "https://lists.apache.org/thread.html/r7790b9d99696d9eddce8a8c96f13bb68460984294ea6fea3800143e4@%3Ccommits.pulsar.apache.org%3E", "https://lists.apache.org/thread.html/rdb69125652311d0c41f6066ff44072a3642cf33a4b5e3c4f9c1ec9c2@%3Ccommits.pulsar.apache.org%3E", "https://lists.apache.org/thread.html/r832724df393a7ef25ca4c7c2eb83ad2d6c21c74569acda5233f9f1ec@%3Ccommits.pulsar.apache.org%3E", "https://www.debian.org/security/2021/dsa-4885", "https://lists.apache.org/thread.html/rd8f72411fb75b98d366400ae789966373b5c3eb3f511e717caf3e49e@%3Cissues.flink.apache.org%3E", 
"https://lists.apache.org/thread.html/r2f2989b7815d809ff3fda8ce330f553e5f133505afd04ffbc135f35f@%3Cissues.spark.apache.org%3E" ], "description": "HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax, or might be interpreted as an \"invalid fold.\"", "cvss": [ { "version": "2.0", "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "metrics": { "baseScore": 6.4, "exploitabilityScore": 10, "impactScore": 4.9 }, "vendorMetadata": {} }, { "version": "3.1", "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "metrics": { "baseScore": 9.1, "exploitabilityScore": 3.9, "impactScore": 5.2 }, "vendorMetadata": {} } ], "fix": { "versions": [], "state": "unknown" }, "advisories": [] }, "relatedVulnerabilities": [], "matchDetails": [ { "type": "cpe-match", "matcher": "java-matcher", "searchedBy": { "namespace": "nvd:cpe", "cpes": [ "cpe:2.3:a:netty:netty:1.0.24:*:*:*:*:*:*:*" ] }, "found": { "versionConstraint": "< 4.1.44 (unknown)", "cpes": [ "cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:*" ] } } ], "artifact": { "name": "reactor-netty-core", "version": "1.0.24", "type": "java-archive", "locations": [ { "path": "target/appconfigdemo-0.0.1-SNAPSHOT.jar" } ], "language": "java", "licenses": [], "cpes": [ "cpe:2.3:a:reactor-netty-core:reactor-netty-core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor-netty-core:reactor_netty_core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor_netty_core:reactor-netty-core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor_netty_core:reactor_netty_core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:projectreactor:reactor-netty-core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:projectreactor:reactor_netty_core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor-netty:reactor-netty-core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor-netty:reactor_netty_core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor_netty:reactor-netty-core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor_netty:reactor_netty_core:1.0.24:*:*:*:*:*:*:*", 
"cpe:2.3:a:reactor:reactor-netty-core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor:reactor_netty_core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:netty:reactor-netty-core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:netty:reactor_netty_core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor-netty-core:netty:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor_netty_core:netty:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:projectreactor:netty:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor-netty:netty:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor_netty:netty:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor:netty:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:netty:netty:1.0.24:*:*:*:*:*:*:*" ], "purl": "pkg:maven/io.projectreactor.netty.reactor-netty-core/reactor-netty-core@1.0.24", "upstreams": [], "metadataType": "JavaMetadata", "metadata": { "virtualPath": "target/appconfigdemo-0.0.1-SNAPSHOT.jar:BOOT-INF/lib/reactor-netty-core-1.0.24.jar", "pomArtifactID": "", "pomGroupID": "", "manifestName": "", "archiveDigests": [ { "algorithm": "sha1", "value": "feaecb39237170aafb23935e9b383e8dda281379" } ] } }, "appliedIgnoreRules": [ { "vulnerability": "CVE-2019-20444" } ] }, { "vulnerability": { "id": "CVE-2019-20444", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2019-20444", "namespace": "nvd:cpe", "severity": "Critical", "urls": [ "https://github.com/netty/netty/compare/netty-4.1.43.Final...netty-4.1.44.Final", "https://github.com/netty/netty/issues/9866", "https://lists.apache.org/thread.html/r70b1ff22ee80e8101805b9a473116dd33265709007d2deb6f8c80bf2@%3Ccommits.druid.apache.org%3E", "https://lists.apache.org/thread.html/re45ee9256d3233c31d78e59ee59c7dc841c7fbd83d0769285b41e948@%3Ccommits.druid.apache.org%3E", "https://lists.apache.org/thread.html/rff210a24f3a924829790e69eaefa84820902b7b31f17c3bf2def9114@%3Ccommits.druid.apache.org%3E", "https://lists.apache.org/thread.html/r96e08f929234e8ba1ef4a93a0fd2870f535a1f9ab628fabc46115986@%3Cdev.zookeeper.apache.org%3E", 
"https://lists.apache.org/thread.html/ra9fbfe7d4830ae675bf34c7c0f8c22fc8a4099f65706c1bc4f54c593@%3Cissues.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/r804895eedd72c9ec67898286eb185e04df852b0dd5fe53cf5b6138f9@%3Cissues.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/rce71d33747010d32d31d90f5d737dae26291d96552f513a266c92fbb@%3Cnotifications.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/ra2ace4bcb5cf487f72cbcbfa0f8cc08e755ec2b93d7e69f276148b08@%3Cissues.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/rfb55f245b08d8a6ec0fb4dc159022227cd22de34c4419c2fbb18802b@%3Cnotifications.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/r36fcf538b28f2029e8b4f6b9a772f3b107913a78f09b095c5b153a62@%3Cissues.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/r310d2ce22304d5298ff87f10134f918c87919b452734f9841d95682d@%3Ccommits.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/r91e0fa345c86c128b75a4a791b4b503b53173ff4c13049ac7129d319@%3Cnotifications.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/r640eb9b3213058a963e18291f903fc1584e577f60035f941e32f760a@%3Cissues.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/r9b20cdac704cf9a583400350e2d5b576fa8417c18ddb961201676c60@%3Ccommits.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/r489886fe72a98768eed665474cba13bad8d6fe0654f24987706636c5@%3Cdev.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/r059b042bca47be53ff8a51fd04d95eb01bb683f1afa209db136e8cb7@%3Cdev.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/r34912a9b1a5c269a77b8be94ef6fb6d1e9b3c69129719dc00f01cf0b@%3Cdev.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/r0f5e72d5f69b4720dfe64fcbc2da9afae949ed1e9cbffa84bb7d92d7@%3Cnotifications.zookeeper.apache.org%3E", 
"https://lists.apache.org/thread.html/r6945f3c346b7af89bbd3526a7c9b705b1e3569070ebcd0964bcedd7d@%3Cissues.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/r1fcccf8bdb3531c28bc9aa605a6a1bea7e68cef6fc12e01faafb2fb5@%3Cissues.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/rb84c57670ec48ef23f4d07973b7fa69f629b8e7fcfb48874362feb6f@%3Ccommits.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/r819aaeb9944bdcfca438dcc51f05650dc728daf64dfd7d774fc2499b@%3Ccommits.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/r4c675b2d0cc2a5e506b11ee10d60a378859ee340aca052e4c7ef4749@%3Cnotifications.zookeeper.apache.org%3E", "https://access.redhat.com/errata/RHSA-2020:0497", "https://lists.apache.org/thread.html/r959474dcf7f88565ed89f6252ca5a274419006cb71348f14764b183d@%3Ccommits.cassandra.apache.org%3E", "https://lists.apache.org/thread.html/rc7eb5634b71d284483e58665b22bf274a69bd184d9bd7ede52015d91@%3Ccommon-issues.hadoop.apache.org%3E", "https://lists.apache.org/thread.html/r90030b0117490caed526e57271bf4d7f9b012091ac5083c895d16543@%3Ccommon-issues.hadoop.apache.org%3E", "https://lists.apache.org/thread.html/re0b78a3d0a4ba2cf9f4e14e1d05040bde9051d5c78071177186336c9@%3Ccommon-issues.hadoop.apache.org%3E", "https://lists.debian.org/debian-lts-announce/2020/02/msg00018.html", "https://lists.debian.org/debian-lts-announce/2020/02/msg00017.html", "https://lists.apache.org/thread.html/re78eaef7d01ad65c370df30e45c686fffff00b37f7bfd78b26a08762@%3Ccommon-issues.hadoop.apache.org%3E", "https://lists.apache.org/thread.html/r0c3d49bfdbc62fd3915676433cc5899c5506d06da1c552ef1b7923a5@%3Ccommon-issues.hadoop.apache.org%3E", "https://access.redhat.com/errata/RHSA-2020:0601", "https://access.redhat.com/errata/RHSA-2020:0606", "https://access.redhat.com/errata/RHSA-2020:0605", "https://access.redhat.com/errata/RHSA-2020:0567", 
"https://lists.apache.org/thread.html/rf2bf8e2eb0a03227f5bc100b544113f8cafea01e887bb068e8d1fa41@%3Ccommon-issues.hadoop.apache.org%3E", "https://lists.apache.org/thread.html/rb3361f6c6a5f834ad3db5e998c352760d393c0891b8d3bea90baa836@%3Ccommon-issues.hadoop.apache.org%3E", "https://lists.apache.org/thread.html/r86befa74c5cd1482c711134104aec339bf7ae879f2c4437d7ec477d4@%3Ccommon-commits.hadoop.apache.org%3E", "https://lists.apache.org/thread.html/rdd5d243a5f8ed8b83c0104e321aa420e5e98792a95749e3c9a54c0b9@%3Ccommon-commits.hadoop.apache.org%3E", "https://lists.apache.org/thread.html/rcb2c59428f34d4757702f9ae739a8795bda7bea97b857e708a9c62c6@%3Ccommon-commits.hadoop.apache.org%3E", "https://lists.apache.org/thread.html/r8402d67fdfe9cf169f859d52a7670b28a08eff31e54b522cc1432532@%3Ccommon-issues.hadoop.apache.org%3E", "https://access.redhat.com/errata/RHSA-2020:0811", "https://access.redhat.com/errata/RHSA-2020:0804", "https://access.redhat.com/errata/RHSA-2020:0805", "https://access.redhat.com/errata/RHSA-2020:0806", "https://lists.apache.org/thread.html/r205937c85817a911b0c72655c2377e7a2c9322d6ef6ce1b118d34d8d@%3Cdev.geode.apache.org%3E", "https://lists.apache.org/thread.html/ra1a71b576a45426af5ee65255be9596ff3181a342f4ba73b800db78f@%3Cdev.geode.apache.org%3E", "https://lists.apache.org/thread.html/r4d3f1d3e333d9c2b2f6e6ae8ed8750d4de03410ac294bcd12c7eefa3@%3Ccommits.cassandra.apache.org%3E", "https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E", "https://lists.debian.org/debian-lts-announce/2020/09/msg00003.html", "https://lists.debian.org/debian-lts-announce/2020/09/msg00004.html", "https://lists.apache.org/thread.html/rf5b2dfb7401666a19915f8eaef3ba9f5c3386e2066fcd2ae66e16a2f@%3Cdev.flink.apache.org%3E", "https://lists.apache.org/thread.html/raaac04b7567c554786132144bea3dcb72568edd410c1e6f0101742e7@%3Cissues.flink.apache.org%3E", "https://usn.ubuntu.com/4532-1/", 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TS6VX7OMXPDJIU5LRGUAHRK6MENAVJ46/", "https://lists.apache.org/thread.html/r0aa8b28e76ec01c697b15e161e6797e88fc8d406ed762e253401106e@%3Ccommits.camel.apache.org%3E", "https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26@%3Ccommits.pulsar.apache.org%3E", "https://lists.apache.org/thread.html/r7790b9d99696d9eddce8a8c96f13bb68460984294ea6fea3800143e4@%3Ccommits.pulsar.apache.org%3E", "https://lists.apache.org/thread.html/rdb69125652311d0c41f6066ff44072a3642cf33a4b5e3c4f9c1ec9c2@%3Ccommits.pulsar.apache.org%3E", "https://lists.apache.org/thread.html/r832724df393a7ef25ca4c7c2eb83ad2d6c21c74569acda5233f9f1ec@%3Ccommits.pulsar.apache.org%3E", "https://www.debian.org/security/2021/dsa-4885", "https://lists.apache.org/thread.html/rd8f72411fb75b98d366400ae789966373b5c3eb3f511e717caf3e49e@%3Cissues.flink.apache.org%3E", "https://lists.apache.org/thread.html/r2f2989b7815d809ff3fda8ce330f553e5f133505afd04ffbc135f35f@%3Cissues.spark.apache.org%3E" ], "description": "HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax, or might be interpreted as an \"invalid fold.\"", "cvss": [ { "version": "2.0", "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "metrics": { "baseScore": 6.4, "exploitabilityScore": 10, "impactScore": 4.9 }, "vendorMetadata": {} }, { "version": "3.1", "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "metrics": { "baseScore": 9.1, "exploitabilityScore": 3.9, "impactScore": 5.2 }, "vendorMetadata": {} } ], "fix": { "versions": [], "state": "unknown" }, "advisories": [] }, "relatedVulnerabilities": [], "matchDetails": [ { "type": "cpe-match", "matcher": "java-matcher", "searchedBy": { "namespace": "nvd:cpe", "cpes": [ "cpe:2.3:a:netty:netty:1.0.24:*:*:*:*:*:*:*" ] }, "found": { "versionConstraint": "< 4.1.44 (unknown)", 
"cpes": [ "cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:*" ] } } ], "artifact": { "name": "reactor-netty-http", "version": "1.0.24", "type": "java-archive", "locations": [ { "path": "target/appconfigdemo-0.0.1-SNAPSHOT.jar" } ], "language": "java", "licenses": [], "cpes": [ "cpe:2.3:a:reactor-netty-http:reactor-netty-http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor-netty-http:reactor_netty_http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor_netty_http:reactor-netty-http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor_netty_http:reactor_netty_http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:projectreactor:reactor-netty-http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:projectreactor:reactor_netty_http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor-netty:reactor-netty-http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor-netty:reactor_netty_http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor_netty:reactor-netty-http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor_netty:reactor_netty_http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor:reactor-netty-http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor:reactor_netty_http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:netty:reactor-netty-http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:netty:reactor_netty_http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor-netty-http:netty:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor_netty_http:netty:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:projectreactor:netty:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor-netty:netty:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor_netty:netty:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor:netty:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:netty:netty:1.0.24:*:*:*:*:*:*:*" ], "purl": "pkg:maven/io.projectreactor.netty.reactor-netty-http/reactor-netty-http@1.0.24", "upstreams": [], "metadataType": "JavaMetadata", "metadata": { "virtualPath": "target/appconfigdemo-0.0.1-SNAPSHOT.jar:BOOT-INF/lib/reactor-netty-http-1.0.24.jar", "pomArtifactID": "", "pomGroupID": "", "manifestName": "", "archiveDigests": [ { "algorithm": "sha1", "value": "2fac480a17f752335318f103ab91427bdfb7716a" } ] } }, 
"appliedIgnoreRules": [ { "vulnerability": "CVE-2019-20444" } ] }, { "vulnerability": { "id": "CVE-2019-20445", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2019-20445", "namespace": "nvd:cpe", "severity": "Critical", "urls": [ "https://github.com/netty/netty/compare/netty-4.1.43.Final...netty-4.1.44.Final", "https://github.com/netty/netty/issues/9861", "https://lists.apache.org/thread.html/r70b1ff22ee80e8101805b9a473116dd33265709007d2deb6f8c80bf2@%3Ccommits.druid.apache.org%3E", "https://lists.apache.org/thread.html/re45ee9256d3233c31d78e59ee59c7dc841c7fbd83d0769285b41e948@%3Ccommits.druid.apache.org%3E", "https://lists.apache.org/thread.html/rff210a24f3a924829790e69eaefa84820902b7b31f17c3bf2def9114@%3Ccommits.druid.apache.org%3E", "https://lists.apache.org/thread.html/r96e08f929234e8ba1ef4a93a0fd2870f535a1f9ab628fabc46115986@%3Cdev.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/ra9fbfe7d4830ae675bf34c7c0f8c22fc8a4099f65706c1bc4f54c593@%3Cissues.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/r81700644754e66ffea465c869cb477de25f8041e21598e8818fc2c45@%3Cdev.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/r804895eedd72c9ec67898286eb185e04df852b0dd5fe53cf5b6138f9@%3Cissues.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/rce71d33747010d32d31d90f5d737dae26291d96552f513a266c92fbb@%3Cnotifications.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/ra2ace4bcb5cf487f72cbcbfa0f8cc08e755ec2b93d7e69f276148b08@%3Cissues.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/rfb55f245b08d8a6ec0fb4dc159022227cd22de34c4419c2fbb18802b@%3Cnotifications.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/r36fcf538b28f2029e8b4f6b9a772f3b107913a78f09b095c5b153a62@%3Cissues.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/r310d2ce22304d5298ff87f10134f918c87919b452734f9841d95682d@%3Ccommits.zookeeper.apache.org%3E", 
"https://lists.apache.org/thread.html/r640eb9b3213058a963e18291f903fc1584e577f60035f941e32f760a@%3Cissues.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/r9b20cdac704cf9a583400350e2d5b576fa8417c18ddb961201676c60@%3Ccommits.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/rb84c57670ec48ef23f4d07973b7fa69f629b8e7fcfb48874362feb6f@%3Ccommits.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/r6945f3c346b7af89bbd3526a7c9b705b1e3569070ebcd0964bcedd7d@%3Cissues.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/r1fcccf8bdb3531c28bc9aa605a6a1bea7e68cef6fc12e01faafb2fb5@%3Cissues.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/r819aaeb9944bdcfca438dcc51f05650dc728daf64dfd7d774fc2499b@%3Ccommits.zookeeper.apache.org%3E", "https://access.redhat.com/errata/RHSA-2020:0497", "https://lists.apache.org/thread.html/r959474dcf7f88565ed89f6252ca5a274419006cb71348f14764b183d@%3Ccommits.cassandra.apache.org%3E", "https://lists.debian.org/debian-lts-announce/2020/02/msg00017.html", "https://lists.debian.org/debian-lts-announce/2020/02/msg00018.html", "https://access.redhat.com/errata/RHSA-2020:0601", "https://access.redhat.com/errata/RHSA-2020:0606", "https://access.redhat.com/errata/RHSA-2020:0605", "https://access.redhat.com/errata/RHSA-2020:0567", "https://lists.apache.org/thread.html/rb5c065e7bd701b0744f9f28ad769943f91745102716c1eb516325f11@%3Cissues.spark.apache.org%3E", "https://lists.apache.org/thread.html/r46f93de62b1e199f3f9babb18128681677c53493546f532ed88c359d@%3Creviews.spark.apache.org%3E", "https://access.redhat.com/errata/RHSA-2020:0811", "https://access.redhat.com/errata/RHSA-2020:0804", "https://access.redhat.com/errata/RHSA-2020:0805", "https://access.redhat.com/errata/RHSA-2020:0806", "https://lists.apache.org/thread.html/r205937c85817a911b0c72655c2377e7a2c9322d6ef6ce1b118d34d8d@%3Cdev.geode.apache.org%3E", 
"https://lists.apache.org/thread.html/ra1a71b576a45426af5ee65255be9596ff3181a342f4ba73b800db78f@%3Cdev.geode.apache.org%3E", "https://lists.apache.org/thread.html/r4ff40646e9ccce13560458419accdfc227b8b6ca4ead3a8a91decc74@%3Cissues.flume.apache.org%3E", "https://lists.apache.org/thread.html/r030beff88aeb6d7a2d6cd21342bd18686153ce6e26a4171d0e035663@%3Cissues.flume.apache.org%3E", "https://lists.apache.org/thread.html/rbdb59c683d666130906a9c05a1d2b034c4cc08cda7ed41322bd54fe2@%3Cissues.flume.apache.org%3E", "https://lists.apache.org/thread.html/r4d3f1d3e333d9c2b2f6e6ae8ed8750d4de03410ac294bcd12c7eefa3@%3Ccommits.cassandra.apache.org%3E", "https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E", "https://lists.debian.org/debian-lts-announce/2020/09/msg00003.html", "https://lists.debian.org/debian-lts-announce/2020/09/msg00004.html", "https://lists.apache.org/thread.html/rf5b2dfb7401666a19915f8eaef3ba9f5c3386e2066fcd2ae66e16a2f@%3Cdev.flink.apache.org%3E", "https://lists.apache.org/thread.html/raaac04b7567c554786132144bea3dcb72568edd410c1e6f0101742e7@%3Cissues.flink.apache.org%3E", "https://usn.ubuntu.com/4532-1/", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TS6VX7OMXPDJIU5LRGUAHRK6MENAVJ46/", "https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26@%3Ccommits.pulsar.apache.org%3E", "https://lists.apache.org/thread.html/r7790b9d99696d9eddce8a8c96f13bb68460984294ea6fea3800143e4@%3Ccommits.pulsar.apache.org%3E", "https://lists.apache.org/thread.html/rdb69125652311d0c41f6066ff44072a3642cf33a4b5e3c4f9c1ec9c2@%3Ccommits.pulsar.apache.org%3E", "https://lists.apache.org/thread.html/r832724df393a7ef25ca4c7c2eb83ad2d6c21c74569acda5233f9f1ec@%3Ccommits.pulsar.apache.org%3E", "https://www.debian.org/security/2021/dsa-4885", 
"https://lists.apache.org/thread.html/rd8f72411fb75b98d366400ae789966373b5c3eb3f511e717caf3e49e@%3Cissues.flink.apache.org%3E", "https://lists.apache.org/thread.html/r2f2989b7815d809ff3fda8ce330f553e5f133505afd04ffbc135f35f@%3Cissues.spark.apache.org%3E" ], "description": "HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding header.", "cvss": [ { "version": "2.0", "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "metrics": { "baseScore": 6.4, "exploitabilityScore": 10, "impactScore": 4.9 }, "vendorMetadata": {} }, { "version": "3.1", "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "metrics": { "baseScore": 9.1, "exploitabilityScore": 3.9, "impactScore": 5.2 }, "vendorMetadata": {} } ], "fix": { "versions": [], "state": "unknown" }, "advisories": [] }, "relatedVulnerabilities": [], "matchDetails": [ { "type": "cpe-match", "matcher": "java-matcher", "searchedBy": { "namespace": "nvd:cpe", "cpes": [ "cpe:2.3:a:netty:netty:1.0.24:*:*:*:*:*:*:*" ] }, "found": { "versionConstraint": "< 4.1.44 (unknown)", "cpes": [ "cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:*" ] } } ], "artifact": { "name": "reactor-netty-core", "version": "1.0.24", "type": "java-archive", "locations": [ { "path": "target/appconfigdemo-0.0.1-SNAPSHOT.jar" } ], "language": "java", "licenses": [], "cpes": [ "cpe:2.3:a:reactor-netty-core:reactor-netty-core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor-netty-core:reactor_netty_core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor_netty_core:reactor-netty-core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor_netty_core:reactor_netty_core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:projectreactor:reactor-netty-core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:projectreactor:reactor_netty_core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor-netty:reactor-netty-core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor-netty:reactor_netty_core:1.0.24:*:*:*:*:*:*:*", 
"cpe:2.3:a:reactor_netty:reactor-netty-core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor_netty:reactor_netty_core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor:reactor-netty-core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor:reactor_netty_core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:netty:reactor-netty-core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:netty:reactor_netty_core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor-netty-core:netty:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor_netty_core:netty:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:projectreactor:netty:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor-netty:netty:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor_netty:netty:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor:netty:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:netty:netty:1.0.24:*:*:*:*:*:*:*" ], "purl": "pkg:maven/io.projectreactor.netty.reactor-netty-core/reactor-netty-core@1.0.24", "upstreams": [], "metadataType": "JavaMetadata", "metadata": { "virtualPath": "target/appconfigdemo-0.0.1-SNAPSHOT.jar:BOOT-INF/lib/reactor-netty-core-1.0.24.jar", "pomArtifactID": "", "pomGroupID": "", "manifestName": "", "archiveDigests": [ { "algorithm": "sha1", "value": "feaecb39237170aafb23935e9b383e8dda281379" } ] } }, "appliedIgnoreRules": [ { "vulnerability": "CVE-2019-20445" } ] }, { "vulnerability": { "id": "CVE-2019-20445", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2019-20445", "namespace": "nvd:cpe", "severity": "Critical", "urls": [ "https://github.com/netty/netty/compare/netty-4.1.43.Final...netty-4.1.44.Final", "https://github.com/netty/netty/issues/9861", "https://lists.apache.org/thread.html/r70b1ff22ee80e8101805b9a473116dd33265709007d2deb6f8c80bf2@%3Ccommits.druid.apache.org%3E", "https://lists.apache.org/thread.html/re45ee9256d3233c31d78e59ee59c7dc841c7fbd83d0769285b41e948@%3Ccommits.druid.apache.org%3E", "https://lists.apache.org/thread.html/rff210a24f3a924829790e69eaefa84820902b7b31f17c3bf2def9114@%3Ccommits.druid.apache.org%3E", 
"https://lists.apache.org/thread.html/r96e08f929234e8ba1ef4a93a0fd2870f535a1f9ab628fabc46115986@%3Cdev.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/ra9fbfe7d4830ae675bf34c7c0f8c22fc8a4099f65706c1bc4f54c593@%3Cissues.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/r81700644754e66ffea465c869cb477de25f8041e21598e8818fc2c45@%3Cdev.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/r804895eedd72c9ec67898286eb185e04df852b0dd5fe53cf5b6138f9@%3Cissues.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/rce71d33747010d32d31d90f5d737dae26291d96552f513a266c92fbb@%3Cnotifications.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/ra2ace4bcb5cf487f72cbcbfa0f8cc08e755ec2b93d7e69f276148b08@%3Cissues.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/rfb55f245b08d8a6ec0fb4dc159022227cd22de34c4419c2fbb18802b@%3Cnotifications.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/r36fcf538b28f2029e8b4f6b9a772f3b107913a78f09b095c5b153a62@%3Cissues.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/r310d2ce22304d5298ff87f10134f918c87919b452734f9841d95682d@%3Ccommits.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/r640eb9b3213058a963e18291f903fc1584e577f60035f941e32f760a@%3Cissues.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/r9b20cdac704cf9a583400350e2d5b576fa8417c18ddb961201676c60@%3Ccommits.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/rb84c57670ec48ef23f4d07973b7fa69f629b8e7fcfb48874362feb6f@%3Ccommits.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/r6945f3c346b7af89bbd3526a7c9b705b1e3569070ebcd0964bcedd7d@%3Cissues.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/r1fcccf8bdb3531c28bc9aa605a6a1bea7e68cef6fc12e01faafb2fb5@%3Cissues.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/r819aaeb9944bdcfca438dcc51f05650dc728daf64dfd7d774fc2499b@%3Ccommits.zookeeper.apache.org%3E", 
"https://access.redhat.com/errata/RHSA-2020:0497", "https://lists.apache.org/thread.html/r959474dcf7f88565ed89f6252ca5a274419006cb71348f14764b183d@%3Ccommits.cassandra.apache.org%3E", "https://lists.debian.org/debian-lts-announce/2020/02/msg00017.html", "https://lists.debian.org/debian-lts-announce/2020/02/msg00018.html", "https://access.redhat.com/errata/RHSA-2020:0601", "https://access.redhat.com/errata/RHSA-2020:0606", "https://access.redhat.com/errata/RHSA-2020:0605", "https://access.redhat.com/errata/RHSA-2020:0567", "https://lists.apache.org/thread.html/rb5c065e7bd701b0744f9f28ad769943f91745102716c1eb516325f11@%3Cissues.spark.apache.org%3E", "https://lists.apache.org/thread.html/r46f93de62b1e199f3f9babb18128681677c53493546f532ed88c359d@%3Creviews.spark.apache.org%3E", "https://access.redhat.com/errata/RHSA-2020:0811", "https://access.redhat.com/errata/RHSA-2020:0804", "https://access.redhat.com/errata/RHSA-2020:0805", "https://access.redhat.com/errata/RHSA-2020:0806", "https://lists.apache.org/thread.html/r205937c85817a911b0c72655c2377e7a2c9322d6ef6ce1b118d34d8d@%3Cdev.geode.apache.org%3E", "https://lists.apache.org/thread.html/ra1a71b576a45426af5ee65255be9596ff3181a342f4ba73b800db78f@%3Cdev.geode.apache.org%3E", "https://lists.apache.org/thread.html/r4ff40646e9ccce13560458419accdfc227b8b6ca4ead3a8a91decc74@%3Cissues.flume.apache.org%3E", "https://lists.apache.org/thread.html/r030beff88aeb6d7a2d6cd21342bd18686153ce6e26a4171d0e035663@%3Cissues.flume.apache.org%3E", "https://lists.apache.org/thread.html/rbdb59c683d666130906a9c05a1d2b034c4cc08cda7ed41322bd54fe2@%3Cissues.flume.apache.org%3E", "https://lists.apache.org/thread.html/r4d3f1d3e333d9c2b2f6e6ae8ed8750d4de03410ac294bcd12c7eefa3@%3Ccommits.cassandra.apache.org%3E", "https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E", "https://lists.debian.org/debian-lts-announce/2020/09/msg00003.html", 
"https://lists.debian.org/debian-lts-announce/2020/09/msg00004.html", "https://lists.apache.org/thread.html/rf5b2dfb7401666a19915f8eaef3ba9f5c3386e2066fcd2ae66e16a2f@%3Cdev.flink.apache.org%3E", "https://lists.apache.org/thread.html/raaac04b7567c554786132144bea3dcb72568edd410c1e6f0101742e7@%3Cissues.flink.apache.org%3E", "https://usn.ubuntu.com/4532-1/", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TS6VX7OMXPDJIU5LRGUAHRK6MENAVJ46/", "https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26@%3Ccommits.pulsar.apache.org%3E", "https://lists.apache.org/thread.html/r7790b9d99696d9eddce8a8c96f13bb68460984294ea6fea3800143e4@%3Ccommits.pulsar.apache.org%3E", "https://lists.apache.org/thread.html/rdb69125652311d0c41f6066ff44072a3642cf33a4b5e3c4f9c1ec9c2@%3Ccommits.pulsar.apache.org%3E", "https://lists.apache.org/thread.html/r832724df393a7ef25ca4c7c2eb83ad2d6c21c74569acda5233f9f1ec@%3Ccommits.pulsar.apache.org%3E", "https://www.debian.org/security/2021/dsa-4885", "https://lists.apache.org/thread.html/rd8f72411fb75b98d366400ae789966373b5c3eb3f511e717caf3e49e@%3Cissues.flink.apache.org%3E", "https://lists.apache.org/thread.html/r2f2989b7815d809ff3fda8ce330f553e5f133505afd04ffbc135f35f@%3Cissues.spark.apache.org%3E" ], "description": "HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding header.", "cvss": [ { "version": "2.0", "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "metrics": { "baseScore": 6.4, "exploitabilityScore": 10, "impactScore": 4.9 }, "vendorMetadata": {} }, { "version": "3.1", "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "metrics": { "baseScore": 9.1, "exploitabilityScore": 3.9, "impactScore": 5.2 }, "vendorMetadata": {} } ], "fix": { "versions": [], "state": "unknown" }, "advisories": [] }, "relatedVulnerabilities": [], "matchDetails": [ { "type": "cpe-match", 
"matcher": "java-matcher", "searchedBy": { "namespace": "nvd:cpe", "cpes": [ "cpe:2.3:a:netty:netty:1.0.24:*:*:*:*:*:*:*" ] }, "found": { "versionConstraint": "< 4.1.44 (unknown)", "cpes": [ "cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:*" ] } } ], "artifact": { "name": "reactor-netty-http", "version": "1.0.24", "type": "java-archive", "locations": [ { "path": "target/appconfigdemo-0.0.1-SNAPSHOT.jar" } ], "language": "java", "licenses": [], "cpes": [ "cpe:2.3:a:reactor-netty-http:reactor-netty-http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor-netty-http:reactor_netty_http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor_netty_http:reactor-netty-http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor_netty_http:reactor_netty_http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:projectreactor:reactor-netty-http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:projectreactor:reactor_netty_http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor-netty:reactor-netty-http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor-netty:reactor_netty_http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor_netty:reactor-netty-http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor_netty:reactor_netty_http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor:reactor-netty-http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor:reactor_netty_http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:netty:reactor-netty-http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:netty:reactor_netty_http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor-netty-http:netty:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor_netty_http:netty:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:projectreactor:netty:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor-netty:netty:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor_netty:netty:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor:netty:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:netty:netty:1.0.24:*:*:*:*:*:*:*" ], "purl": "pkg:maven/io.projectreactor.netty.reactor-netty-http/reactor-netty-http@1.0.24", "upstreams": [], "metadataType": "JavaMetadata", "metadata": { "virtualPath": 
"target/appconfigdemo-0.0.1-SNAPSHOT.jar:BOOT-INF/lib/reactor-netty-http-1.0.24.jar", "pomArtifactID": "", "pomGroupID": "", "manifestName": "", "archiveDigests": [ { "algorithm": "sha1", "value": "2fac480a17f752335318f103ab91427bdfb7716a" } ] } }, "appliedIgnoreRules": [ { "vulnerability": "CVE-2019-20445" } ] }, { "vulnerability": { "id": "CVE-2021-21290", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-21290", "namespace": "nvd:cpe", "severity": "Medium", "urls": [ "https://github.com/netty/netty/security/advisories/GHSA-5mcr-gq6c-3hq2", "https://github.com/netty/netty/commit/c735357bf29d07856ad171c6611a2e1a0e0000ec", "https://lists.debian.org/debian-lts-announce/2021/02/msg00016.html", "https://lists.apache.org/thread.html/rc488f80094872ad925f0c73d283d4c00d32def81977438e27a3dc2bb@%3Cjira.kafka.apache.org%3E", "https://lists.apache.org/thread.html/r2748097ea4b774292539cf3de6e3b267fc7a88d6c8ec40f4e2e87bd4@%3Cdev.kafka.apache.org%3E", "https://lists.apache.org/thread.html/r10308b625e49d4e9491d7e079606ca0df2f0a4d828f1ad1da64ba47b@%3Cjira.kafka.apache.org%3E", "https://lists.apache.org/thread.html/ra503756ced78fdc2136bd33e87cb7553028645b261b1f5c6186a121e@%3Cjira.kafka.apache.org%3E", "https://lists.apache.org/thread.html/r2fda4dab73097051977f2ab818f75e04fbcb15bb1003c8530eac1059@%3Cjira.kafka.apache.org%3E", "https://lists.apache.org/thread.html/r0857b613604c696bf9743f0af047360baaded48b1c75cf6945a083c5@%3Cjira.kafka.apache.org%3E", "https://lists.apache.org/thread.html/r71dbb66747ff537640bb91eb0b2b24edef21ac07728097016f58b01f@%3Ccommits.kafka.apache.org%3E", "https://lists.apache.org/thread.html/rdba4f78ac55f803893a1a2265181595e79e3aa027e2e651dfba98c18@%3Cjira.kafka.apache.org%3E", "https://lists.apache.org/thread.html/ra0fc2b4553dd7aaf75febb61052b7f1243ac3a180a71c01f29093013@%3Cjira.kafka.apache.org%3E", "https://lists.apache.org/thread.html/r326ec431f06eab7cb7113a7a338e59731b8d556d05258457f12bac1b@%3Cdev.kafka.apache.org%3E", 
"https://lists.apache.org/thread.html/r5e4a540089760c8ecc2c411309d74264f1dad634ad93ad583ca16214@%3Ccommits.kafka.apache.org%3E", "https://lists.apache.org/thread.html/r0053443ce19ff125981559f8c51cf66e3ab4350f47812b8cf0733a05@%3Cdev.kafka.apache.org%3E", "https://lists.apache.org/thread.html/r743149dcc8db1de473e6bff0b3ddf10140a7357bc2add75f7d1fbb12@%3Cdev.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/r5bf303d7c04da78f276765da08559fdc62420f1df539b277ca31f63b@%3Cissues.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/r4efed2c501681cb2e8d629da16e48d9eac429624fd4c9a8c6b8e7020@%3Cdev.tinkerpop.apache.org%3E", "https://lists.apache.org/thread.html/r02e467123d45006a1dda20a38349e9c74c3a4b53e2e07be0939ecb3f@%3Cdev.ranger.apache.org%3E", "https://lists.apache.org/thread.html/r7bb3cdc192e9a6f863d3ea05422f09fa1ae2b88d4663e63696ee7ef5@%3Cdev.ranger.apache.org%3E", "https://lists.apache.org/thread.html/rcd163e421273e8dca1c71ea298dce3dd11b41d51c3a812e0394e6a5d@%3Ccommits.pulsar.apache.org%3E", "https://lists.apache.org/thread.html/r9924ef9357537722b28d04c98a189750b80694a19754e5057c34ca48@%3Ccommits.pulsar.apache.org%3E", "https://lists.apache.org/thread.html/rb51d6202ff1a773f96eaa694b7da4ad3f44922c40b3d4e1a19c2f325@%3Ccommits.pulsar.apache.org%3E", "https://lists.apache.org/thread.html/r790c2926efcd062067eb18fde2486527596d7275381cfaff2f7b3890@%3Cissues.bookkeeper.apache.org%3E", "https://lists.apache.org/thread.html/r5e66e286afb5506cdfe9bbf68a323e8d09614f6d1ddc806ed0224700@%3Cjira.kafka.apache.org%3E", "https://lists.apache.org/thread.html/rc0087125cb15b4b78e44000f841cd37fefedfda942fd7ddf3ad1b528@%3Cissues.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/rb592033a2462548d061a83ac9449c5ff66098751748fcd1e2d008233@%3Cissues.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/r59bac5c09f7a4179b9e2460e8f41c278aaf3b9a21cc23678eb893e41@%3Cjira.kafka.apache.org%3E", 
"https://lists.apache.org/thread.html/r1908a34b9cc7120e5c19968a116ddbcffea5e9deb76c2be4fa461904@%3Cdev.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/rb06c1e766aa45ee422e8261a8249b561784186483e8f742ea627bda4@%3Cdev.kafka.apache.org%3E", "https://lists.apache.org/thread.html/r2936730ef0a06e724b96539bc7eacfcd3628987c16b1b99c790e7b87@%3Cissues.zookeeper.apache.org%3E", "https://www.debian.org/security/2021/dsa-4885", "https://www.oracle.com/security-alerts/cpuApr2021.html", "https://lists.apache.org/thread.html/r5c701840aa2845191721e39821445e1e8c59711e71942b7796a6ec29@%3Cusers.activemq.apache.org%3E", "https://www.oracle.com//security-alerts/cpujul2021.html", "https://www.oracle.com/security-alerts/cpuoct2021.html", "https://lists.apache.org/thread.html/r584cf871f188c406d8bd447ff4e2fd9817fca862436c064d0951a071@%3Ccommits.pulsar.apache.org%3E", "https://security.netapp.com/advisory/ntap-20220210-0011/", "https://www.oracle.com/security-alerts/cpuapr2022.html" ], "description": "Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty before version 4.1.59.Final there is a vulnerability on Unix-like systems involving an insecure temp file. When netty's multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled. On unix-like systems, the temporary directory is shared between all user. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure. Of note, this does not impact modern MacOS Operating Systems. The method \"File.createTempFile\" on unix-like systems creates a random file, but, by default will create this file with the permissions \"-rw-r--r--\". Thus, if sensitive information is written to this file, other local users can read this information. 
This is the case in netty's \"AbstractDiskHttpData\" is vulnerable. This has been fixed in version 4.1.59.Final. As a workaround, one may specify your own \"java.io.tmpdir\" when you start the JVM or use \"DefaultHttpDataFactory.setBaseDir(...)\" to set the directory to something that is only readable by the current user.", "cvss": [ { "version": "2.0", "vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N", "metrics": { "baseScore": 1.9, "exploitabilityScore": 3.4, "impactScore": 2.9 }, "vendorMetadata": {} }, { "version": "3.1", "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "metrics": { "baseScore": 5.5, "exploitabilityScore": 1.8, "impactScore": 3.6 }, "vendorMetadata": {} } ], "fix": { "versions": [], "state": "unknown" }, "advisories": [] }, "relatedVulnerabilities": [], "matchDetails": [ { "type": "cpe-match", "matcher": "java-matcher", "searchedBy": { "namespace": "nvd:cpe", "cpes": [ "cpe:2.3:a:netty:netty:1.0.24:*:*:*:*:*:*:*" ] }, "found": { "versionConstraint": "< 4.1.59 (unknown)", "cpes": [ "cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:*" ] } } ], "artifact": { "name": "reactor-netty-core", "version": "1.0.24", "type": "java-archive", "locations": [ { "path": "target/appconfigdemo-0.0.1-SNAPSHOT.jar" } ], "language": "java", "licenses": [], "cpes": [ "cpe:2.3:a:reactor-netty-core:reactor-netty-core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor-netty-core:reactor_netty_core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor_netty_core:reactor-netty-core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor_netty_core:reactor_netty_core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:projectreactor:reactor-netty-core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:projectreactor:reactor_netty_core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor-netty:reactor-netty-core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor-netty:reactor_netty_core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor_netty:reactor-netty-core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor_netty:reactor_netty_core:1.0.24:*:*:*:*:*:*:*", 
"cpe:2.3:a:reactor:reactor-netty-core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor:reactor_netty_core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:netty:reactor-netty-core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:netty:reactor_netty_core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor-netty-core:netty:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor_netty_core:netty:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:projectreactor:netty:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor-netty:netty:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor_netty:netty:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor:netty:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:netty:netty:1.0.24:*:*:*:*:*:*:*" ], "purl": "pkg:maven/io.projectreactor.netty.reactor-netty-core/reactor-netty-core@1.0.24", "upstreams": [], "metadataType": "JavaMetadata", "metadata": { "virtualPath": "target/appconfigdemo-0.0.1-SNAPSHOT.jar:BOOT-INF/lib/reactor-netty-core-1.0.24.jar", "pomArtifactID": "", "pomGroupID": "", "manifestName": "", "archiveDigests": [ { "algorithm": "sha1", "value": "feaecb39237170aafb23935e9b383e8dda281379" } ] } }, "appliedIgnoreRules": [ { "vulnerability": "CVE-2021-21290" } ] }, { "vulnerability": { "id": "CVE-2021-21290", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-21290", "namespace": "nvd:cpe", "severity": "Medium", "urls": [ "https://github.com/netty/netty/security/advisories/GHSA-5mcr-gq6c-3hq2", "https://github.com/netty/netty/commit/c735357bf29d07856ad171c6611a2e1a0e0000ec", "https://lists.debian.org/debian-lts-announce/2021/02/msg00016.html", "https://lists.apache.org/thread.html/rc488f80094872ad925f0c73d283d4c00d32def81977438e27a3dc2bb@%3Cjira.kafka.apache.org%3E", "https://lists.apache.org/thread.html/r2748097ea4b774292539cf3de6e3b267fc7a88d6c8ec40f4e2e87bd4@%3Cdev.kafka.apache.org%3E", "https://lists.apache.org/thread.html/r10308b625e49d4e9491d7e079606ca0df2f0a4d828f1ad1da64ba47b@%3Cjira.kafka.apache.org%3E", "https://lists.apache.org/thread.html/ra503756ced78fdc2136bd33e87cb7553028645b261b1f5c6186a121e@%3Cjira.kafka.apache.org%3E", 
"https://lists.apache.org/thread.html/r2fda4dab73097051977f2ab818f75e04fbcb15bb1003c8530eac1059@%3Cjira.kafka.apache.org%3E", "https://lists.apache.org/thread.html/r0857b613604c696bf9743f0af047360baaded48b1c75cf6945a083c5@%3Cjira.kafka.apache.org%3E", "https://lists.apache.org/thread.html/r71dbb66747ff537640bb91eb0b2b24edef21ac07728097016f58b01f@%3Ccommits.kafka.apache.org%3E", "https://lists.apache.org/thread.html/rdba4f78ac55f803893a1a2265181595e79e3aa027e2e651dfba98c18@%3Cjira.kafka.apache.org%3E", "https://lists.apache.org/thread.html/ra0fc2b4553dd7aaf75febb61052b7f1243ac3a180a71c01f29093013@%3Cjira.kafka.apache.org%3E", "https://lists.apache.org/thread.html/r326ec431f06eab7cb7113a7a338e59731b8d556d05258457f12bac1b@%3Cdev.kafka.apache.org%3E", "https://lists.apache.org/thread.html/r5e4a540089760c8ecc2c411309d74264f1dad634ad93ad583ca16214@%3Ccommits.kafka.apache.org%3E", "https://lists.apache.org/thread.html/r0053443ce19ff125981559f8c51cf66e3ab4350f47812b8cf0733a05@%3Cdev.kafka.apache.org%3E", "https://lists.apache.org/thread.html/r743149dcc8db1de473e6bff0b3ddf10140a7357bc2add75f7d1fbb12@%3Cdev.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/r5bf303d7c04da78f276765da08559fdc62420f1df539b277ca31f63b@%3Cissues.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/r4efed2c501681cb2e8d629da16e48d9eac429624fd4c9a8c6b8e7020@%3Cdev.tinkerpop.apache.org%3E", "https://lists.apache.org/thread.html/r02e467123d45006a1dda20a38349e9c74c3a4b53e2e07be0939ecb3f@%3Cdev.ranger.apache.org%3E", "https://lists.apache.org/thread.html/r7bb3cdc192e9a6f863d3ea05422f09fa1ae2b88d4663e63696ee7ef5@%3Cdev.ranger.apache.org%3E", "https://lists.apache.org/thread.html/rcd163e421273e8dca1c71ea298dce3dd11b41d51c3a812e0394e6a5d@%3Ccommits.pulsar.apache.org%3E", "https://lists.apache.org/thread.html/r9924ef9357537722b28d04c98a189750b80694a19754e5057c34ca48@%3Ccommits.pulsar.apache.org%3E", 
"https://lists.apache.org/thread.html/rb51d6202ff1a773f96eaa694b7da4ad3f44922c40b3d4e1a19c2f325@%3Ccommits.pulsar.apache.org%3E", "https://lists.apache.org/thread.html/r790c2926efcd062067eb18fde2486527596d7275381cfaff2f7b3890@%3Cissues.bookkeeper.apache.org%3E", "https://lists.apache.org/thread.html/r5e66e286afb5506cdfe9bbf68a323e8d09614f6d1ddc806ed0224700@%3Cjira.kafka.apache.org%3E", "https://lists.apache.org/thread.html/rc0087125cb15b4b78e44000f841cd37fefedfda942fd7ddf3ad1b528@%3Cissues.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/rb592033a2462548d061a83ac9449c5ff66098751748fcd1e2d008233@%3Cissues.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/r59bac5c09f7a4179b9e2460e8f41c278aaf3b9a21cc23678eb893e41@%3Cjira.kafka.apache.org%3E", "https://lists.apache.org/thread.html/r1908a34b9cc7120e5c19968a116ddbcffea5e9deb76c2be4fa461904@%3Cdev.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/rb06c1e766aa45ee422e8261a8249b561784186483e8f742ea627bda4@%3Cdev.kafka.apache.org%3E", "https://lists.apache.org/thread.html/r2936730ef0a06e724b96539bc7eacfcd3628987c16b1b99c790e7b87@%3Cissues.zookeeper.apache.org%3E", "https://www.debian.org/security/2021/dsa-4885", "https://www.oracle.com/security-alerts/cpuApr2021.html", "https://lists.apache.org/thread.html/r5c701840aa2845191721e39821445e1e8c59711e71942b7796a6ec29@%3Cusers.activemq.apache.org%3E", "https://www.oracle.com//security-alerts/cpujul2021.html", "https://www.oracle.com/security-alerts/cpuoct2021.html", "https://lists.apache.org/thread.html/r584cf871f188c406d8bd447ff4e2fd9817fca862436c064d0951a071@%3Ccommits.pulsar.apache.org%3E", "https://security.netapp.com/advisory/ntap-20220210-0011/", "https://www.oracle.com/security-alerts/cpuapr2022.html" ], "description": "Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. 
In Netty before version 4.1.59.Final there is a vulnerability on Unix-like systems involving an insecure temp file. When netty's multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled. On unix-like systems, the temporary directory is shared between all user. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure. Of note, this does not impact modern MacOS Operating Systems. The method \"File.createTempFile\" on unix-like systems creates a random file, but, by default will create this file with the permissions \"-rw-r--r--\". Thus, if sensitive information is written to this file, other local users can read this information. This is the case in netty's \"AbstractDiskHttpData\" is vulnerable. This has been fixed in version 4.1.59.Final. As a workaround, one may specify your own \"java.io.tmpdir\" when you start the JVM or use \"DefaultHttpDataFactory.setBaseDir(...)\" to set the directory to something that is only readable by the current user.", "cvss": [ { "version": "2.0", "vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N", "metrics": { "baseScore": 1.9, "exploitabilityScore": 3.4, "impactScore": 2.9 }, "vendorMetadata": {} }, { "version": "3.1", "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "metrics": { "baseScore": 5.5, "exploitabilityScore": 1.8, "impactScore": 3.6 }, "vendorMetadata": {} } ], "fix": { "versions": [], "state": "unknown" }, "advisories": [] }, "relatedVulnerabilities": [], "matchDetails": [ { "type": "cpe-match", "matcher": "java-matcher", "searchedBy": { "namespace": "nvd:cpe", "cpes": [ "cpe:2.3:a:netty:netty:1.0.24:*:*:*:*:*:*:*" ] }, "found": { "versionConstraint": "< 4.1.59 (unknown)", "cpes": [ "cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:*" ] } } ], "artifact": { "name": "reactor-netty-http", "version": "1.0.24", "type": "java-archive", "locations": [ { "path": 
"target/appconfigdemo-0.0.1-SNAPSHOT.jar" } ], "language": "java", "licenses": [], "cpes": [ "cpe:2.3:a:reactor-netty-http:reactor-netty-http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor-netty-http:reactor_netty_http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor_netty_http:reactor-netty-http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor_netty_http:reactor_netty_http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:projectreactor:reactor-netty-http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:projectreactor:reactor_netty_http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor-netty:reactor-netty-http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor-netty:reactor_netty_http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor_netty:reactor-netty-http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor_netty:reactor_netty_http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor:reactor-netty-http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor:reactor_netty_http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:netty:reactor-netty-http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:netty:reactor_netty_http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor-netty-http:netty:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor_netty_http:netty:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:projectreactor:netty:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor-netty:netty:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor_netty:netty:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor:netty:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:netty:netty:1.0.24:*:*:*:*:*:*:*" ], "purl": "pkg:maven/io.projectreactor.netty.reactor-netty-http/reactor-netty-http@1.0.24", "upstreams": [], "metadataType": "JavaMetadata", "metadata": { "virtualPath": "target/appconfigdemo-0.0.1-SNAPSHOT.jar:BOOT-INF/lib/reactor-netty-http-1.0.24.jar", "pomArtifactID": "", "pomGroupID": "", "manifestName": "", "archiveDigests": [ { "algorithm": "sha1", "value": "2fac480a17f752335318f103ab91427bdfb7716a" } ] } }, "appliedIgnoreRules": [ { "vulnerability": "CVE-2021-21290" } ] }, { "vulnerability": { "id": "CVE-2021-21295", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-21295", 
"namespace": "nvd:cpe", "severity": "Medium", "urls": [ "https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj", "https://github.com/Netflix/zuul/pull/980", "https://github.com/netty/netty/commit/89c241e3b1795ff257af4ad6eadc616cb2fb3dc4", "https://lists.apache.org/thread.html/r02e467123d45006a1dda20a38349e9c74c3a4b53e2e07be0939ecb3f@%3Cdev.ranger.apache.org%3E", "https://lists.apache.org/thread.html/r7bb3cdc192e9a6f863d3ea05422f09fa1ae2b88d4663e63696ee7ef5@%3Cdev.ranger.apache.org%3E", "https://lists.apache.org/thread.html/r57245853c7245baab09eae08728c52b58fd77666538092389cc3e882@%3Ccommits.servicecomb.apache.org%3E", "https://lists.apache.org/thread.html/rb523bb6c60196c5f58514b86a8585c2069a4852039b45de3818b29d2@%3Ccommits.servicecomb.apache.org%3E", "https://lists.apache.org/thread.html/r490ca5611c150d193b320a2608209180713b7c68e501b67b0cffb925@%3Ccommits.servicecomb.apache.org%3E", "https://lists.apache.org/thread.html/r6d32fc3cd547f7c9a288a57c7f525f5d00a00d5d163613e0d10a23ef@%3Ccommits.servicecomb.apache.org%3E", "https://lists.apache.org/thread.html/rcd163e421273e8dca1c71ea298dce3dd11b41d51c3a812e0394e6a5d@%3Ccommits.pulsar.apache.org%3E", "https://lists.apache.org/thread.html/r9924ef9357537722b28d04c98a189750b80694a19754e5057c34ca48@%3Ccommits.pulsar.apache.org%3E", "https://lists.apache.org/thread.html/rb51d6202ff1a773f96eaa694b7da4ad3f44922c40b3d4e1a19c2f325@%3Ccommits.pulsar.apache.org%3E", "https://lists.apache.org/thread.html/r790c2926efcd062067eb18fde2486527596d7275381cfaff2f7b3890@%3Cissues.bookkeeper.apache.org%3E", "https://lists.apache.org/thread.html/rc0087125cb15b4b78e44000f841cd37fefedfda942fd7ddf3ad1b528@%3Cissues.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/rb592033a2462548d061a83ac9449c5ff66098751748fcd1e2d008233@%3Cissues.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/r59bac5c09f7a4179b9e2460e8f41c278aaf3b9a21cc23678eb893e41@%3Cjira.kafka.apache.org%3E", 
"https://lists.apache.org/thread.html/r1908a34b9cc7120e5c19968a116ddbcffea5e9deb76c2be4fa461904@%3Cdev.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/rb06c1e766aa45ee422e8261a8249b561784186483e8f742ea627bda4@%3Cdev.kafka.apache.org%3E", "https://lists.apache.org/thread.html/r5e66e286afb5506cdfe9bbf68a323e8d09614f6d1ddc806ed0224700@%3Cjira.kafka.apache.org%3E", "https://lists.apache.org/thread.html/r3ff9e735ca33612d900607dc139ebd38a64cadc6bce292e53eb86d7f@%3Cissues.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/r1bca0b81193b74a451fc6d687ab58ef3a1f5ec40f6c61561d8dd9509@%3Cissues.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/r312ce5bd3c6bf08c138349b507b6f1c25fe9cf40b6f2b0014c9d12b1@%3Cnotifications.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/r9051e4f484a970b5566dc1870ecd9c1eb435214e2652cf3ea4d0c0cc@%3Cjira.kafka.apache.org%3E", "https://lists.apache.org/thread.html/rcfc535afd413d9934d6ee509dce234dac41fa3747a7555befb17447e@%3Cissues.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/r3c293431c781696681abbfe1c573c2d9dcdae6fd3ff330ea22f0433f@%3Cjira.kafka.apache.org%3E", "https://lists.apache.org/thread.html/rbadcbcb50195f00bbd196403865ced521ca70787999583c07be38d0e@%3Cnotifications.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/rdb4db3f5a9c478ca52a7b164680b88877a5a9c174e7047676c006b2c@%3Ccommits.servicecomb.apache.org%3E", "https://lists.apache.org/thread.html/r67e6a636cbc1958383a1cd72b7fd0cd7493360b1dd0e6c12f5761798@%3Cnotifications.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/r6a29316d758db628a1df49ca219d64caf493999b52cc77847bfba675@%3Cnotifications.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/r8db1d7b3b9acc9e8d2776395e280eb9615dd7790e1da8c57039963de@%3Cnotifications.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/r5470456cf1409a99893ae9dd57439799f6dc1a60fda90e11570f66fe@%3Cnotifications.zookeeper.apache.org%3E", 
"https://lists.apache.org/thread.html/r837bbcbf12e335e83ab448b1bd2c1ad7e86efdc14034b23811422e6a@%3Ccommits.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/r22adb45fe902aeafcd0a1c4db13984224a667676c323c66db3af38a1@%3Ccommits.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/rbed09768f496244a2e138dbbe6d2847ddf796c9c8ef9e50f2e3e30d9@%3Cnotifications.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/r6a122c25e352eb134d01e7f4fc4d345a491c5ee9453fef6fc754d15b@%3Ccommits.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/r5232e33a1f3b310a3e083423f736f3925ebdb150844d60ac582809f8@%3Cnotifications.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/r70cebada51bc6d49138272437d8a28fe971d0197334ef906b575044c@%3Ccommits.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/re6207ebe2ca4d44f2a6deee695ad6f27fd29d78980f1d46ed1574f91@%3Cissues.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/r2e93ce23e04c3f0a61e987d1111d0695cb668ac4ec4edbf237bd3e80@%3Ccommits.servicecomb.apache.org%3E", "https://lists.apache.org/thread.html/rdc096e13ac4501ea2e2b03a197682a313b85d3d3ec89d5ae5551b384@%3Cissues.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/r5fc5786cdd640b1b0a3c643237ce0011f0a08a296b11c0e2c669022c@%3Cdev.kafka.apache.org%3E", "https://lists.apache.org/thread.html/r96ce18044880c33634c4b3fcecc57b8b90673c9364d63eba00385523@%3Cjira.kafka.apache.org%3E", "https://lists.apache.org/thread.html/rc165e36ca7cb5417aec3f21bbc4ec00fb38ecebdd96a82cfab9bd56f@%3Cjira.kafka.apache.org%3E", "https://lists.apache.org/thread.html/rc73b8dd01b1be276d06bdf07883ecd93fe1a01f139a99ef30ba4308c@%3Ccommits.servicecomb.apache.org%3E", "https://lists.apache.org/thread.html/rd25c88aad0e76240dd09f0eb34bdab924933946429e068a167adcb73@%3Ccommits.servicecomb.apache.org%3E", "https://lists.apache.org/thread.html/r2936730ef0a06e724b96539bc7eacfcd3628987c16b1b99c790e7b87@%3Cissues.zookeeper.apache.org%3E", 
"https://lists.apache.org/thread.html/r27b7e5a588ec826b15f38c40be500c50073400019ce7b8adfd07fece@%3Cissues.hbase.apache.org%3E", "https://lists.apache.org/thread.html/rb95d42ce220ed4a4683aa17833b5006d657bc4254bc5cb03cd5e6bfb@%3Cissues.hbase.apache.org%3E", "https://lists.apache.org/thread.html/r393a339ab0b63ef9e6502253eeab26e7643b3e69738d5948b2b1d064@%3Cissues.hbase.apache.org%3E", "https://lists.apache.org/thread.html/rcf3752209a8b04996373bf57fdc808b3bfaa2be8702698a0323641f8@%3Ccommits.hbase.apache.org%3E", "https://lists.apache.org/thread.html/r040a5e4d9cca2f98354b58a70b27099672276f66995c4e2e39545d0b@%3Cissues.hbase.apache.org%3E", "https://lists.apache.org/thread.html/ra83096bcbfe6e1f4d54449f8a013117a0536404e9d307ab4a0d34f81@%3Cissues.hbase.apache.org%3E", "https://lists.apache.org/thread.html/r86cd38a825ab2344f3e6cad570528852f29a4ffdf56ab67d75c36edf@%3Cissues.hbase.apache.org%3E", "https://lists.apache.org/thread.html/r6aee7e3566cb3e51eeed2fd8786704d91f80a7581e00a787ba9f37f6@%3Cissues.hbase.apache.org%3E", "https://lists.apache.org/thread.html/r22b2f34447d71c9a0ad9079b7860323d5584fb9b40eb42668c21eaf1@%3Cissues.hbase.apache.org%3E", "https://lists.apache.org/thread.html/r905b92099998291956eebf4f1c5d95f5a0cbcece2946cc46d32274fd@%3Cdev.hbase.apache.org%3E", "https://lists.apache.org/thread.html/r15f66ada9a5faf4bac69d9e7c4521cedfefa62df9509881603791969@%3Cjira.kafka.apache.org%3E", "https://lists.apache.org/thread.html/r268850f26639ebe249356ed6d8edb54ee8943be6f200f770784fb190@%3Cissues.hbase.apache.org%3E", "https://www.debian.org/security/2021/dsa-4885", "https://lists.apache.org/thread.html/r5baac01f9e06c40ff7aab209d5751b3b58802c63734e33324b70a06a@%3Cissues.flink.apache.org%3E", "https://lists.apache.org/thread.html/ra64d56a8a331ffd7bdcd24a9aaaeeedeacd5d639f5a683389123f898@%3Cdev.flink.apache.org%3E", "https://lists.apache.org/thread.html/re7c69756a102bebce8b8681882844a53e2f23975a189363e68ad0324@%3Cissues.flink.apache.org%3E", 
"https://lists.apache.org/thread.html/rd8f72411fb75b98d366400ae789966373b5c3eb3f511e717caf3e49e@%3Cissues.flink.apache.org%3E", "https://lists.apache.org/thread.html/rcfc154eb2de23d2dc08a56100341161e1a40a8ea86c693735437e8f2@%3Ccommits.servicecomb.apache.org%3E", "https://lists.apache.org/thread.html/ra96c74c37ed7252f78392e1ad16442bd16ae72a4d6c8db50dd55c88b@%3Ccommits.servicecomb.apache.org%3E", "https://lists.apache.org/thread.html/r855b4b6814ac829ce2d48dd9d8138d07f33387e710de798ee92c011e@%3Cissues.flink.apache.org%3E", "https://security.netapp.com/advisory/ntap-20210604-0003/", "https://lists.apache.org/thread.html/r04a3e0d9f53421fb946c60cc54762b7151dc692eb4e39970a7579052@%3Ccommits.servicecomb.apache.org%3E", "https://lists.apache.org/thread.html/r0b09f3e31e004fe583f677f7afa46bd30110904576c13c5ac818ac2c@%3Cissues.flink.apache.org%3E", "https://lists.apache.org/thread.html/racc191a1f70a4f13155e8002c61bddef2870b26441971c697436ad5d@%3Ccommits.servicecomb.apache.org%3E", "https://lists.apache.org/thread.html/r602e98daacc98934f097f07f2eed6eb07c18bfc1949c8489dc7bfcf5@%3Cissues.flink.apache.org%3E", "https://lists.apache.org/thread.html/rf87b870a22aa5c77c27900967b518a71a7d954c2952860fce3794b60@%3Ccommits.servicecomb.apache.org%3E", "https://lists.apache.org/thread.html/r16c4b55ac82be72f28adad4f8061477e5f978199d5725691dcc82c24@%3Ccommits.servicecomb.apache.org%3E", "https://lists.apache.org/thread.html/rae198f44c3f7ac5264045e6ba976be1703cff38dcf1609916e50210d@%3Ccommits.servicecomb.apache.org%3E", "https://lists.apache.org/thread.html/r3c4596b9b37f5ae91628ccf169d33cd5a0da4b16b6c39d5bad8e03f3@%3Cdev.jackrabbit.apache.org%3E", "https://lists.apache.org/thread.html/reafc834062486adfc7be5bb8f7b7793be0d33f483678a094c3f9d468@%3Ccommits.servicecomb.apache.org%3E", "https://lists.apache.org/thread.html/re4f70b62843e92163fab03b65e2aa8078693293a0c36f1cc260079ed@%3Ccommits.servicecomb.apache.org%3E", 
"https://lists.apache.org/thread.html/r8bcaf7821247b1836b10f6a1a3a3212b06272fd4cde4a859de1b78cf@%3Ccommits.servicecomb.apache.org%3E", "https://lists.apache.org/thread.html/rd4a6b7dec38ea6cd28b6f94bd4b312629a52b80be3786d5fb0e474bc@%3Cissues.kudu.apache.org%3E", "https://lists.apache.org/thread.html/rca0978b634a0c3ebee4126ec29c7f570b165fae3f8f3658754c1cbd3@%3Cissues.kudu.apache.org%3E", "https://lists.apache.org/thread.html/r4ea2f1a9d79d4fc1896e085f31fb60a21b1770d0a26a5250f849372d@%3Cissues.kudu.apache.org%3E", "https://lists.apache.org/thread.html/ra655e5cec74d1ddf62adacb71d398abd96f3ea2c588f6bbf048348eb@%3Cissues.kudu.apache.org%3E", "https://lists.apache.org/thread.html/rf934292a4a1c189827f625d567838d2c1001e4739b158638d844105b@%3Cissues.kudu.apache.org%3E", "https://lists.apache.org/thread.html/r32b0b640ad2be3b858f0af51c68a7d5c5a66a462c8bbb93699825cd3@%3Cissues.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/rddbb4f8d5db23265bb63d14ef4b3723b438abc1589f877db11d35450@%3Cissues.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/rf36f1114e84a3379b20587063686148e2d5a39abc0b8a66ff2a9087a@%3Cissues.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/r67c4f90658fde875521c949448c54c98517beecdc7f618f902c620ec@%3Cissues.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/rfff6ff8ffb31e8a32619c79774def44b6ffbb037c128c5ad3eab7171@%3Cissues.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/r33eb06b05afbc7df28d31055cae0cb3fd36cab808c884bf6d680bea5@%3Cdev.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/r584cf871f188c406d8bd447ff4e2fd9817fca862436c064d0951a071@%3Ccommits.pulsar.apache.org%3E", "https://www.oracle.com/security-alerts/cpuapr2022.html" ], "description": "Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. 
In Netty (io.netty:netty-codec-http2) before version 4.1.60.Final there is a vulnerability that enables request smuggling. If a Content-Length header is present in the original HTTP/2 request, the field is not validated by `Http2MultiplexHandler` as it is propagated up. This is fine as long as the request is not proxied through as HTTP/1.1. If the request comes in as an HTTP/2 stream, gets converted into the HTTP/1.1 domain objects (`HttpRequest`, `HttpContent`, etc.) via `Http2StreamFrameToHttpObjectCodec` and then sent up to the child channel's pipeline and proxied through a remote peer as HTTP/1.1, this may result in request smuggling. In a proxy case, users may assume the content-length is validated somehow, which is not the case. If the request is forwarded to a backend channel that is an HTTP/1.1 connection, the Content-Length now has meaning and needs to be checked. An attacker can smuggle requests inside the body as it gets downgraded from HTTP/2 to HTTP/1.1. For an example attack refer to the linked GitHub Advisory. Users are only affected if all of this is true: `HTTP2MultiplexCodec` or `Http2FrameCodec` is used, `Http2StreamFrameToHttpObjectCodec` is used to convert to HTTP/1.1 objects, and these HTTP/1.1 objects are forwarded to another remote peer. 
This has been patched in 4.1.60.Final As a workaround, the user can do the validation by themselves by implementing a custom `ChannelInboundHandler` that is put in the `ChannelPipeline` behind `Http2StreamFrameToHttpObjectCodec`.", "cvss": [ { "version": "2.0", "vector": "AV:N/AC:H/Au:N/C:N/I:P/A:N", "metrics": { "baseScore": 2.6, "exploitabilityScore": 4.9, "impactScore": 2.9 }, "vendorMetadata": {} }, { "version": "3.1", "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "metrics": { "baseScore": 5.9, "exploitabilityScore": 2.2, "impactScore": 3.6 }, "vendorMetadata": {} } ], "fix": { "versions": [], "state": "unknown" }, "advisories": [] }, "relatedVulnerabilities": [], "matchDetails": [ { "type": "cpe-match", "matcher": "java-matcher", "searchedBy": { "namespace": "nvd:cpe", "cpes": [ "cpe:2.3:a:netty:netty:1.0.24:*:*:*:*:*:*:*" ] }, "found": { "versionConstraint": "< 4.1.60 (unknown)", "cpes": [ "cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:*" ] } } ], "artifact": { "name": "reactor-netty-core", "version": "1.0.24", "type": "java-archive", "locations": [ { "path": "target/appconfigdemo-0.0.1-SNAPSHOT.jar" } ], "language": "java", "licenses": [], "cpes": [ "cpe:2.3:a:reactor-netty-core:reactor-netty-core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor-netty-core:reactor_netty_core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor_netty_core:reactor-netty-core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor_netty_core:reactor_netty_core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:projectreactor:reactor-netty-core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:projectreactor:reactor_netty_core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor-netty:reactor-netty-core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor-netty:reactor_netty_core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor_netty:reactor-netty-core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor_netty:reactor_netty_core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor:reactor-netty-core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor:reactor_netty_core:1.0.24:*:*:*:*:*:*:*", 
"cpe:2.3:a:netty:reactor-netty-core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:netty:reactor_netty_core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor-netty-core:netty:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor_netty_core:netty:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:projectreactor:netty:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor-netty:netty:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor_netty:netty:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor:netty:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:netty:netty:1.0.24:*:*:*:*:*:*:*" ], "purl": "pkg:maven/io.projectreactor.netty.reactor-netty-core/reactor-netty-core@1.0.24", "upstreams": [], "metadataType": "JavaMetadata", "metadata": { "virtualPath": "target/appconfigdemo-0.0.1-SNAPSHOT.jar:BOOT-INF/lib/reactor-netty-core-1.0.24.jar", "pomArtifactID": "", "pomGroupID": "", "manifestName": "", "archiveDigests": [ { "algorithm": "sha1", "value": "feaecb39237170aafb23935e9b383e8dda281379" } ] } }, "appliedIgnoreRules": [ { "vulnerability": "CVE-2021-21295" } ] }, { "vulnerability": { "id": "CVE-2021-21295", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-21295", "namespace": "nvd:cpe", "severity": "Medium", "urls": [ "https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj", "https://github.com/Netflix/zuul/pull/980", "https://github.com/netty/netty/commit/89c241e3b1795ff257af4ad6eadc616cb2fb3dc4", "https://lists.apache.org/thread.html/r02e467123d45006a1dda20a38349e9c74c3a4b53e2e07be0939ecb3f@%3Cdev.ranger.apache.org%3E", "https://lists.apache.org/thread.html/r7bb3cdc192e9a6f863d3ea05422f09fa1ae2b88d4663e63696ee7ef5@%3Cdev.ranger.apache.org%3E", "https://lists.apache.org/thread.html/r57245853c7245baab09eae08728c52b58fd77666538092389cc3e882@%3Ccommits.servicecomb.apache.org%3E", "https://lists.apache.org/thread.html/rb523bb6c60196c5f58514b86a8585c2069a4852039b45de3818b29d2@%3Ccommits.servicecomb.apache.org%3E", 
"https://lists.apache.org/thread.html/r490ca5611c150d193b320a2608209180713b7c68e501b67b0cffb925@%3Ccommits.servicecomb.apache.org%3E", "https://lists.apache.org/thread.html/r6d32fc3cd547f7c9a288a57c7f525f5d00a00d5d163613e0d10a23ef@%3Ccommits.servicecomb.apache.org%3E", "https://lists.apache.org/thread.html/rcd163e421273e8dca1c71ea298dce3dd11b41d51c3a812e0394e6a5d@%3Ccommits.pulsar.apache.org%3E", "https://lists.apache.org/thread.html/r9924ef9357537722b28d04c98a189750b80694a19754e5057c34ca48@%3Ccommits.pulsar.apache.org%3E", "https://lists.apache.org/thread.html/rb51d6202ff1a773f96eaa694b7da4ad3f44922c40b3d4e1a19c2f325@%3Ccommits.pulsar.apache.org%3E", "https://lists.apache.org/thread.html/r790c2926efcd062067eb18fde2486527596d7275381cfaff2f7b3890@%3Cissues.bookkeeper.apache.org%3E", "https://lists.apache.org/thread.html/rc0087125cb15b4b78e44000f841cd37fefedfda942fd7ddf3ad1b528@%3Cissues.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/rb592033a2462548d061a83ac9449c5ff66098751748fcd1e2d008233@%3Cissues.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/r59bac5c09f7a4179b9e2460e8f41c278aaf3b9a21cc23678eb893e41@%3Cjira.kafka.apache.org%3E", "https://lists.apache.org/thread.html/r1908a34b9cc7120e5c19968a116ddbcffea5e9deb76c2be4fa461904@%3Cdev.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/rb06c1e766aa45ee422e8261a8249b561784186483e8f742ea627bda4@%3Cdev.kafka.apache.org%3E", "https://lists.apache.org/thread.html/r5e66e286afb5506cdfe9bbf68a323e8d09614f6d1ddc806ed0224700@%3Cjira.kafka.apache.org%3E", "https://lists.apache.org/thread.html/r3ff9e735ca33612d900607dc139ebd38a64cadc6bce292e53eb86d7f@%3Cissues.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/r1bca0b81193b74a451fc6d687ab58ef3a1f5ec40f6c61561d8dd9509@%3Cissues.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/r312ce5bd3c6bf08c138349b507b6f1c25fe9cf40b6f2b0014c9d12b1@%3Cnotifications.zookeeper.apache.org%3E", 
"https://lists.apache.org/thread.html/r9051e4f484a970b5566dc1870ecd9c1eb435214e2652cf3ea4d0c0cc@%3Cjira.kafka.apache.org%3E", "https://lists.apache.org/thread.html/rcfc535afd413d9934d6ee509dce234dac41fa3747a7555befb17447e@%3Cissues.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/r3c293431c781696681abbfe1c573c2d9dcdae6fd3ff330ea22f0433f@%3Cjira.kafka.apache.org%3E", "https://lists.apache.org/thread.html/rbadcbcb50195f00bbd196403865ced521ca70787999583c07be38d0e@%3Cnotifications.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/rdb4db3f5a9c478ca52a7b164680b88877a5a9c174e7047676c006b2c@%3Ccommits.servicecomb.apache.org%3E", "https://lists.apache.org/thread.html/r67e6a636cbc1958383a1cd72b7fd0cd7493360b1dd0e6c12f5761798@%3Cnotifications.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/r6a29316d758db628a1df49ca219d64caf493999b52cc77847bfba675@%3Cnotifications.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/r8db1d7b3b9acc9e8d2776395e280eb9615dd7790e1da8c57039963de@%3Cnotifications.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/r5470456cf1409a99893ae9dd57439799f6dc1a60fda90e11570f66fe@%3Cnotifications.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/r837bbcbf12e335e83ab448b1bd2c1ad7e86efdc14034b23811422e6a@%3Ccommits.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/r22adb45fe902aeafcd0a1c4db13984224a667676c323c66db3af38a1@%3Ccommits.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/rbed09768f496244a2e138dbbe6d2847ddf796c9c8ef9e50f2e3e30d9@%3Cnotifications.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/r6a122c25e352eb134d01e7f4fc4d345a491c5ee9453fef6fc754d15b@%3Ccommits.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/r5232e33a1f3b310a3e083423f736f3925ebdb150844d60ac582809f8@%3Cnotifications.zookeeper.apache.org%3E", 
"https://lists.apache.org/thread.html/r70cebada51bc6d49138272437d8a28fe971d0197334ef906b575044c@%3Ccommits.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/re6207ebe2ca4d44f2a6deee695ad6f27fd29d78980f1d46ed1574f91@%3Cissues.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/r2e93ce23e04c3f0a61e987d1111d0695cb668ac4ec4edbf237bd3e80@%3Ccommits.servicecomb.apache.org%3E", "https://lists.apache.org/thread.html/rdc096e13ac4501ea2e2b03a197682a313b85d3d3ec89d5ae5551b384@%3Cissues.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/r5fc5786cdd640b1b0a3c643237ce0011f0a08a296b11c0e2c669022c@%3Cdev.kafka.apache.org%3E", "https://lists.apache.org/thread.html/r96ce18044880c33634c4b3fcecc57b8b90673c9364d63eba00385523@%3Cjira.kafka.apache.org%3E", "https://lists.apache.org/thread.html/rc165e36ca7cb5417aec3f21bbc4ec00fb38ecebdd96a82cfab9bd56f@%3Cjira.kafka.apache.org%3E", "https://lists.apache.org/thread.html/rc73b8dd01b1be276d06bdf07883ecd93fe1a01f139a99ef30ba4308c@%3Ccommits.servicecomb.apache.org%3E", "https://lists.apache.org/thread.html/rd25c88aad0e76240dd09f0eb34bdab924933946429e068a167adcb73@%3Ccommits.servicecomb.apache.org%3E", "https://lists.apache.org/thread.html/r2936730ef0a06e724b96539bc7eacfcd3628987c16b1b99c790e7b87@%3Cissues.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/r27b7e5a588ec826b15f38c40be500c50073400019ce7b8adfd07fece@%3Cissues.hbase.apache.org%3E", "https://lists.apache.org/thread.html/rb95d42ce220ed4a4683aa17833b5006d657bc4254bc5cb03cd5e6bfb@%3Cissues.hbase.apache.org%3E", "https://lists.apache.org/thread.html/r393a339ab0b63ef9e6502253eeab26e7643b3e69738d5948b2b1d064@%3Cissues.hbase.apache.org%3E", "https://lists.apache.org/thread.html/rcf3752209a8b04996373bf57fdc808b3bfaa2be8702698a0323641f8@%3Ccommits.hbase.apache.org%3E", "https://lists.apache.org/thread.html/r040a5e4d9cca2f98354b58a70b27099672276f66995c4e2e39545d0b@%3Cissues.hbase.apache.org%3E", 
"https://lists.apache.org/thread.html/ra83096bcbfe6e1f4d54449f8a013117a0536404e9d307ab4a0d34f81@%3Cissues.hbase.apache.org%3E", "https://lists.apache.org/thread.html/r86cd38a825ab2344f3e6cad570528852f29a4ffdf56ab67d75c36edf@%3Cissues.hbase.apache.org%3E", "https://lists.apache.org/thread.html/r6aee7e3566cb3e51eeed2fd8786704d91f80a7581e00a787ba9f37f6@%3Cissues.hbase.apache.org%3E", "https://lists.apache.org/thread.html/r22b2f34447d71c9a0ad9079b7860323d5584fb9b40eb42668c21eaf1@%3Cissues.hbase.apache.org%3E", "https://lists.apache.org/thread.html/r905b92099998291956eebf4f1c5d95f5a0cbcece2946cc46d32274fd@%3Cdev.hbase.apache.org%3E", "https://lists.apache.org/thread.html/r15f66ada9a5faf4bac69d9e7c4521cedfefa62df9509881603791969@%3Cjira.kafka.apache.org%3E", "https://lists.apache.org/thread.html/r268850f26639ebe249356ed6d8edb54ee8943be6f200f770784fb190@%3Cissues.hbase.apache.org%3E", "https://www.debian.org/security/2021/dsa-4885", "https://lists.apache.org/thread.html/r5baac01f9e06c40ff7aab209d5751b3b58802c63734e33324b70a06a@%3Cissues.flink.apache.org%3E", "https://lists.apache.org/thread.html/ra64d56a8a331ffd7bdcd24a9aaaeeedeacd5d639f5a683389123f898@%3Cdev.flink.apache.org%3E", "https://lists.apache.org/thread.html/re7c69756a102bebce8b8681882844a53e2f23975a189363e68ad0324@%3Cissues.flink.apache.org%3E", "https://lists.apache.org/thread.html/rd8f72411fb75b98d366400ae789966373b5c3eb3f511e717caf3e49e@%3Cissues.flink.apache.org%3E", "https://lists.apache.org/thread.html/rcfc154eb2de23d2dc08a56100341161e1a40a8ea86c693735437e8f2@%3Ccommits.servicecomb.apache.org%3E", "https://lists.apache.org/thread.html/ra96c74c37ed7252f78392e1ad16442bd16ae72a4d6c8db50dd55c88b@%3Ccommits.servicecomb.apache.org%3E", "https://lists.apache.org/thread.html/r855b4b6814ac829ce2d48dd9d8138d07f33387e710de798ee92c011e@%3Cissues.flink.apache.org%3E", "https://security.netapp.com/advisory/ntap-20210604-0003/", 
"https://lists.apache.org/thread.html/r04a3e0d9f53421fb946c60cc54762b7151dc692eb4e39970a7579052@%3Ccommits.servicecomb.apache.org%3E", "https://lists.apache.org/thread.html/r0b09f3e31e004fe583f677f7afa46bd30110904576c13c5ac818ac2c@%3Cissues.flink.apache.org%3E", "https://lists.apache.org/thread.html/racc191a1f70a4f13155e8002c61bddef2870b26441971c697436ad5d@%3Ccommits.servicecomb.apache.org%3E", "https://lists.apache.org/thread.html/r602e98daacc98934f097f07f2eed6eb07c18bfc1949c8489dc7bfcf5@%3Cissues.flink.apache.org%3E", "https://lists.apache.org/thread.html/rf87b870a22aa5c77c27900967b518a71a7d954c2952860fce3794b60@%3Ccommits.servicecomb.apache.org%3E", "https://lists.apache.org/thread.html/r16c4b55ac82be72f28adad4f8061477e5f978199d5725691dcc82c24@%3Ccommits.servicecomb.apache.org%3E", "https://lists.apache.org/thread.html/rae198f44c3f7ac5264045e6ba976be1703cff38dcf1609916e50210d@%3Ccommits.servicecomb.apache.org%3E", "https://lists.apache.org/thread.html/r3c4596b9b37f5ae91628ccf169d33cd5a0da4b16b6c39d5bad8e03f3@%3Cdev.jackrabbit.apache.org%3E", "https://lists.apache.org/thread.html/reafc834062486adfc7be5bb8f7b7793be0d33f483678a094c3f9d468@%3Ccommits.servicecomb.apache.org%3E", "https://lists.apache.org/thread.html/re4f70b62843e92163fab03b65e2aa8078693293a0c36f1cc260079ed@%3Ccommits.servicecomb.apache.org%3E", "https://lists.apache.org/thread.html/r8bcaf7821247b1836b10f6a1a3a3212b06272fd4cde4a859de1b78cf@%3Ccommits.servicecomb.apache.org%3E", "https://lists.apache.org/thread.html/rd4a6b7dec38ea6cd28b6f94bd4b312629a52b80be3786d5fb0e474bc@%3Cissues.kudu.apache.org%3E", "https://lists.apache.org/thread.html/rca0978b634a0c3ebee4126ec29c7f570b165fae3f8f3658754c1cbd3@%3Cissues.kudu.apache.org%3E", "https://lists.apache.org/thread.html/r4ea2f1a9d79d4fc1896e085f31fb60a21b1770d0a26a5250f849372d@%3Cissues.kudu.apache.org%3E", "https://lists.apache.org/thread.html/ra655e5cec74d1ddf62adacb71d398abd96f3ea2c588f6bbf048348eb@%3Cissues.kudu.apache.org%3E", 
"https://lists.apache.org/thread.html/rf934292a4a1c189827f625d567838d2c1001e4739b158638d844105b@%3Cissues.kudu.apache.org%3E", "https://lists.apache.org/thread.html/r32b0b640ad2be3b858f0af51c68a7d5c5a66a462c8bbb93699825cd3@%3Cissues.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/rddbb4f8d5db23265bb63d14ef4b3723b438abc1589f877db11d35450@%3Cissues.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/rf36f1114e84a3379b20587063686148e2d5a39abc0b8a66ff2a9087a@%3Cissues.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/r67c4f90658fde875521c949448c54c98517beecdc7f618f902c620ec@%3Cissues.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/rfff6ff8ffb31e8a32619c79774def44b6ffbb037c128c5ad3eab7171@%3Cissues.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/r33eb06b05afbc7df28d31055cae0cb3fd36cab808c884bf6d680bea5@%3Cdev.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/r584cf871f188c406d8bd447ff4e2fd9817fca862436c064d0951a071@%3Ccommits.pulsar.apache.org%3E", "https://www.oracle.com/security-alerts/cpuapr2022.html" ], "description": "Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.60.Final there is a vulnerability that enables request smuggling. If a Content-Length header is present in the original HTTP/2 request, the field is not validated by `Http2MultiplexHandler` as it is propagated up. This is fine as long as the request is not proxied through as HTTP/1.1. If the request comes in as an HTTP/2 stream, gets converted into the HTTP/1.1 domain objects (`HttpRequest`, `HttpContent`, etc.) via `Http2StreamFrameToHttpObjectCodec `and then sent up to the child channel's pipeline and proxied through a remote peer as HTTP/1.1 this may result in request smuggling. 
In a proxy case, users may assume the content-length is validated somehow, which is not the case. If the request is forwarded to a backend channel that is a HTTP/1.1 connection, the Content-Length now has meaning and needs to be checked. An attacker can smuggle requests inside the body as it gets downgraded from HTTP/2 to HTTP/1.1. For an example attack refer to the linked GitHub Advisory. Users are only affected if all of this is true: `HTTP2MultiplexCodec` or `Http2FrameCodec` is used, `Http2StreamFrameToHttpObjectCodec` is used to convert to HTTP/1.1 objects, and these HTTP/1.1 objects are forwarded to another remote peer. This has been patched in 4.1.60.Final As a workaround, the user can do the validation by themselves by implementing a custom `ChannelInboundHandler` that is put in the `ChannelPipeline` behind `Http2StreamFrameToHttpObjectCodec`.", "cvss": [ { "version": "2.0", "vector": "AV:N/AC:H/Au:N/C:N/I:P/A:N", "metrics": { "baseScore": 2.6, "exploitabilityScore": 4.9, "impactScore": 2.9 }, "vendorMetadata": {} }, { "version": "3.1", "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "metrics": { "baseScore": 5.9, "exploitabilityScore": 2.2, "impactScore": 3.6 }, "vendorMetadata": {} } ], "fix": { "versions": [], "state": "unknown" }, "advisories": [] }, "relatedVulnerabilities": [], "matchDetails": [ { "type": "cpe-match", "matcher": "java-matcher", "searchedBy": { "namespace": "nvd:cpe", "cpes": [ "cpe:2.3:a:netty:netty:1.0.24:*:*:*:*:*:*:*" ] }, "found": { "versionConstraint": "< 4.1.60 (unknown)", "cpes": [ "cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:*" ] } } ], "artifact": { "name": "reactor-netty-http", "version": "1.0.24", "type": "java-archive", "locations": [ { "path": "target/appconfigdemo-0.0.1-SNAPSHOT.jar" } ], "language": "java", "licenses": [], "cpes": [ "cpe:2.3:a:reactor-netty-http:reactor-netty-http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor-netty-http:reactor_netty_http:1.0.24:*:*:*:*:*:*:*", 
"cpe:2.3:a:reactor_netty_http:reactor-netty-http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor_netty_http:reactor_netty_http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:projectreactor:reactor-netty-http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:projectreactor:reactor_netty_http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor-netty:reactor-netty-http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor-netty:reactor_netty_http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor_netty:reactor-netty-http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor_netty:reactor_netty_http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor:reactor-netty-http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor:reactor_netty_http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:netty:reactor-netty-http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:netty:reactor_netty_http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor-netty-http:netty:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor_netty_http:netty:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:projectreactor:netty:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor-netty:netty:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor_netty:netty:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor:netty:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:netty:netty:1.0.24:*:*:*:*:*:*:*" ], "purl": "pkg:maven/io.projectreactor.netty.reactor-netty-http/reactor-netty-http@1.0.24", "upstreams": [], "metadataType": "JavaMetadata", "metadata": { "virtualPath": "target/appconfigdemo-0.0.1-SNAPSHOT.jar:BOOT-INF/lib/reactor-netty-http-1.0.24.jar", "pomArtifactID": "", "pomGroupID": "", "manifestName": "", "archiveDigests": [ { "algorithm": "sha1", "value": "2fac480a17f752335318f103ab91427bdfb7716a" } ] } }, "appliedIgnoreRules": [ { "vulnerability": "CVE-2021-21295" } ] }, { "vulnerability": { "id": "CVE-2021-21409", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-21409", "namespace": "nvd:cpe", "severity": "Medium", "urls": [ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21295", "https://github.com/netty/netty/security/advisories/GHSA-f256-j965-7f32", 
"https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj", "https://github.com/netty/netty/commit/b0fa4d5aab4215f3c22ce6123dd8dd5f38dc0432", "https://www.debian.org/security/2021/dsa-4885", "https://lists.apache.org/thread.html/ra66e93703e3f4bd31bdfd0b6fb0c32ae96b528259bb1aa2b6d38e401@%3Cissues.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/r2732aa3884cacfecac4c54cfaa77c279ba815cad44b464a567216f83@%3Cissues.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/r70c3a7bfa904f06a1902f4df20ee26e4f09a46b8fd3eb304dc57a2de@%3Cdev.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/r0ca82fec33334e571fe5b388272260778883e307e15415d7b1443de2@%3Cissues.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/r823d4b27fcba8dad5fe945bdefce3ca5a0031187966eb6ef3cc22ba9@%3Cissues.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/r101f82d8f3b5af0bf79aecbd5b2dd3b404f6bb51d1a54c2c3d29bed9@%3Cnotifications.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/rf521ff2be2e2dd38984174d3451e6ee935c845948845c8fccd86371d@%3Cissues.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/r5cbea8614812289a9b98d0cfc54b47f54cef424ac98d5e315b791795@%3Cnotifications.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/r69efd8ef003f612c43e4154e788ca3b1f837feaacd16d97854402355@%3Ccommits.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/rdd206d9dd7eb894cc089b37fe6edde2932de88d63a6d8368b44f5101@%3Ccommits.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/r4a98827bb4a7edbd69ef862f2351391845697c40711820d10df52ca5@%3Ccommits.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/rac8cf45a1bab9ead5c9a860cbadd6faaeb7792203617b6ec3874736d@%3Cissues.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/re4b0141939370304d676fe23774d0c6fbc584b648919825402d0cb39@%3Cnotifications.zookeeper.apache.org%3E", 
"https://lists.apache.org/thread.html/r4b8be87acf5b9c098a2ee350b5ca5716fe7afeaf0a21a4ee45a90687@%3Cissues.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/rdd5715f3ee5e3216d5e0083a07994f67da6dbb9731ce9e7a6389b18e@%3Ccommits.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/r1b3cb056364794f919aaf26ceaf7423de64e7fdd05a914066e7d5219@%3Cissues.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/rf38e4dcdefc7c59f7ba0799a399d6d6e37b555d406a1dfc2fcbf0b35@%3Ccommits.pulsar.apache.org%3E", "https://lists.apache.org/thread.html/r61564d86a75403b854cdafee67fc69c8b88c5f6802c2c838f4282cc8@%3Ccommits.pulsar.apache.org%3E", "https://lists.apache.org/thread.html/r7879ddcb990c835c6b246654770d836f9d031dee982be836744e50ed@%3Ccommits.pulsar.apache.org%3E", "https://lists.apache.org/thread.html/ra64d56a8a331ffd7bdcd24a9aaaeeedeacd5d639f5a683389123f898@%3Cdev.flink.apache.org%3E", "https://lists.apache.org/thread.html/r5baac01f9e06c40ff7aab209d5751b3b58802c63734e33324b70a06a@%3Cissues.flink.apache.org%3E", "https://lists.apache.org/thread.html/rd8f72411fb75b98d366400ae789966373b5c3eb3f511e717caf3e49e@%3Cissues.flink.apache.org%3E", "https://lists.apache.org/thread.html/re7c69756a102bebce8b8681882844a53e2f23975a189363e68ad0324@%3Cissues.flink.apache.org%3E", "https://lists.apache.org/thread.html/rbde2f13daf4911504f0eaea43eee4f42555241b5f6d9d71564b6c5fa@%3Cjira.kafka.apache.org%3E", "https://lists.apache.org/thread.html/r855b4b6814ac829ce2d48dd9d8138d07f33387e710de798ee92c011e@%3Cissues.flink.apache.org%3E", "https://lists.apache.org/thread.html/rafc77f9f03031297394f3d372ccea751b23576f8a2ae9b6b053894c5@%3Cissues.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/re39391adcb863f0e9f3f15e7986255948f263f02e4700b82453e7102@%3Cissues.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/re9e6ed60941da831675de2f8f733c026757fb4fa28a7b6c9f3dfb575@%3Cdev.zookeeper.apache.org%3E", 
"https://lists.apache.org/thread.html/re1911e05c08f3ec2bab85744d788773519a0afb27272a31ac2a0b4e8@%3Cnotifications.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/redef0fb5474fd686781007de9ddb852b24f1b04131a248d9a4789183@%3Cnotifications.zookeeper.apache.org%3E", "https://security.netapp.com/advisory/ntap-20210604-0003/", "https://lists.apache.org/thread.html/r0b09f3e31e004fe583f677f7afa46bd30110904576c13c5ac818ac2c@%3Cissues.flink.apache.org%3E", "https://lists.apache.org/thread.html/r602e98daacc98934f097f07f2eed6eb07c18bfc1949c8489dc7bfcf5@%3Cissues.flink.apache.org%3E", "https://www.oracle.com//security-alerts/cpujul2021.html", "https://lists.apache.org/thread.html/rba2a9ef1d0af882ab58fadb336a58818495245dda43d32a7d7837187@%3Cissues.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/rf148b2bf6c2754153a8629bc7495e216bd0bd4c915695486542a10b4@%3Cnotifications.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/raa413040db6d2197593cc03edecfd168732e697119e6447b0a25d525@%3Cissues.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/rd4a6b7dec38ea6cd28b6f94bd4b312629a52b80be3786d5fb0e474bc@%3Cissues.kudu.apache.org%3E", "https://lists.apache.org/thread.html/rca0978b634a0c3ebee4126ec29c7f570b165fae3f8f3658754c1cbd3@%3Cissues.kudu.apache.org%3E", "https://lists.apache.org/thread.html/rf934292a4a1c189827f625d567838d2c1001e4739b158638d844105b@%3Cissues.kudu.apache.org%3E", "https://lists.apache.org/thread.html/r4ea2f1a9d79d4fc1896e085f31fb60a21b1770d0a26a5250f849372d@%3Cissues.kudu.apache.org%3E", "https://lists.apache.org/thread.html/ra655e5cec74d1ddf62adacb71d398abd96f3ea2c588f6bbf048348eb@%3Cissues.kudu.apache.org%3E", "https://lists.apache.org/thread.html/r6dac9bd799ceac499c7a7e152a9b0dc7f2fe7f89ec5605d129bb047b@%3Cissues.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/r31044fb995e894749cb821c6fe56f487c16a97028e6e360e59f09d58@%3Cissues.zookeeper.apache.org%3E", 
"https://lists.apache.org/thread.html/r5f2f120b2b8d099226473db1832ffb4d7c1d6dc2d228a164bf293a8e@%3Cissues.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/rcae42fba06979934208bbd515584b241d3ad01d1bb8b063512644362@%3Cdev.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/r7b54563abebe3dbbe421e1ba075c2030d8d460372f8c79b7789684b6@%3Cissues.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/r9ec78dc409f3f1edff88f21cab53737f36aad46f582a9825389092e0@%3Cissues.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/r967002f0939e69bdec58f070735a19dd57c1f2b8f817949ca17cddae@%3Cissues.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/r9fe840c36b74f92b8d4a089ada1f9fd1d6293742efa18b10e06b66d2@%3Ccommits.zookeeper.apache.org%3E", "https://www.oracle.com/security-alerts/cpuoct2021.html", "https://lists.apache.org/thread.html/r584cf871f188c406d8bd447ff4e2fd9817fca862436c064d0951a071@%3Ccommits.pulsar.apache.org%3E", "https://www.oracle.com/security-alerts/cpujan2022.html", "https://www.oracle.com/security-alerts/cpuapr2022.html" ], "description": "Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with the endStream set to to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a followup of GHSA-wm47-8v5p-wjpj/CVE-2021-21295 which did miss to fix this one case. 
This was fixed as part of 4.1.61.Final.", "cvss": [ { "version": "2.0", "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "metrics": { "baseScore": 4.3, "exploitabilityScore": 8.6, "impactScore": 2.9 }, "vendorMetadata": {} }, { "version": "3.1", "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "metrics": { "baseScore": 5.9, "exploitabilityScore": 2.2, "impactScore": 3.6 }, "vendorMetadata": {} } ], "fix": { "versions": [], "state": "unknown" }, "advisories": [] }, "relatedVulnerabilities": [], "matchDetails": [ { "type": "cpe-match", "matcher": "java-matcher", "searchedBy": { "namespace": "nvd:cpe", "cpes": [ "cpe:2.3:a:netty:netty:1.0.24:*:*:*:*:*:*:*" ] }, "found": { "versionConstraint": "< 4.1.61 (unknown)", "cpes": [ "cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:*" ] } } ], "artifact": { "name": "reactor-netty-core", "version": "1.0.24", "type": "java-archive", "locations": [ { "path": "target/appconfigdemo-0.0.1-SNAPSHOT.jar" } ], "language": "java", "licenses": [], "cpes": [ "cpe:2.3:a:reactor-netty-core:reactor-netty-core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor-netty-core:reactor_netty_core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor_netty_core:reactor-netty-core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor_netty_core:reactor_netty_core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:projectreactor:reactor-netty-core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:projectreactor:reactor_netty_core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor-netty:reactor-netty-core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor-netty:reactor_netty_core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor_netty:reactor-netty-core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor_netty:reactor_netty_core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor:reactor-netty-core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor:reactor_netty_core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:netty:reactor-netty-core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:netty:reactor_netty_core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor-netty-core:netty:1.0.24:*:*:*:*:*:*:*", 
"cpe:2.3:a:reactor_netty_core:netty:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:projectreactor:netty:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor-netty:netty:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor_netty:netty:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor:netty:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:netty:netty:1.0.24:*:*:*:*:*:*:*" ], "purl": "pkg:maven/io.projectreactor.netty.reactor-netty-core/reactor-netty-core@1.0.24", "upstreams": [], "metadataType": "JavaMetadata", "metadata": { "virtualPath": "target/appconfigdemo-0.0.1-SNAPSHOT.jar:BOOT-INF/lib/reactor-netty-core-1.0.24.jar", "pomArtifactID": "", "pomGroupID": "", "manifestName": "", "archiveDigests": [ { "algorithm": "sha1", "value": "feaecb39237170aafb23935e9b383e8dda281379" } ] } }, "appliedIgnoreRules": [ { "vulnerability": "CVE-2021-21409" } ] }, { "vulnerability": { "id": "CVE-2021-21409", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-21409", "namespace": "nvd:cpe", "severity": "Medium", "urls": [ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21295", "https://github.com/netty/netty/security/advisories/GHSA-f256-j965-7f32", "https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj", "https://github.com/netty/netty/commit/b0fa4d5aab4215f3c22ce6123dd8dd5f38dc0432", "https://www.debian.org/security/2021/dsa-4885", "https://lists.apache.org/thread.html/ra66e93703e3f4bd31bdfd0b6fb0c32ae96b528259bb1aa2b6d38e401@%3Cissues.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/r2732aa3884cacfecac4c54cfaa77c279ba815cad44b464a567216f83@%3Cissues.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/r70c3a7bfa904f06a1902f4df20ee26e4f09a46b8fd3eb304dc57a2de@%3Cdev.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/r0ca82fec33334e571fe5b388272260778883e307e15415d7b1443de2@%3Cissues.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/r823d4b27fcba8dad5fe945bdefce3ca5a0031187966eb6ef3cc22ba9@%3Cissues.zookeeper.apache.org%3E", 
"https://lists.apache.org/thread.html/r101f82d8f3b5af0bf79aecbd5b2dd3b404f6bb51d1a54c2c3d29bed9@%3Cnotifications.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/rf521ff2be2e2dd38984174d3451e6ee935c845948845c8fccd86371d@%3Cissues.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/r5cbea8614812289a9b98d0cfc54b47f54cef424ac98d5e315b791795@%3Cnotifications.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/r69efd8ef003f612c43e4154e788ca3b1f837feaacd16d97854402355@%3Ccommits.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/rdd206d9dd7eb894cc089b37fe6edde2932de88d63a6d8368b44f5101@%3Ccommits.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/r4a98827bb4a7edbd69ef862f2351391845697c40711820d10df52ca5@%3Ccommits.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/rac8cf45a1bab9ead5c9a860cbadd6faaeb7792203617b6ec3874736d@%3Cissues.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/re4b0141939370304d676fe23774d0c6fbc584b648919825402d0cb39@%3Cnotifications.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/r4b8be87acf5b9c098a2ee350b5ca5716fe7afeaf0a21a4ee45a90687@%3Cissues.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/rdd5715f3ee5e3216d5e0083a07994f67da6dbb9731ce9e7a6389b18e@%3Ccommits.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/r1b3cb056364794f919aaf26ceaf7423de64e7fdd05a914066e7d5219@%3Cissues.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/rf38e4dcdefc7c59f7ba0799a399d6d6e37b555d406a1dfc2fcbf0b35@%3Ccommits.pulsar.apache.org%3E", "https://lists.apache.org/thread.html/r61564d86a75403b854cdafee67fc69c8b88c5f6802c2c838f4282cc8@%3Ccommits.pulsar.apache.org%3E", "https://lists.apache.org/thread.html/r7879ddcb990c835c6b246654770d836f9d031dee982be836744e50ed@%3Ccommits.pulsar.apache.org%3E", "https://lists.apache.org/thread.html/ra64d56a8a331ffd7bdcd24a9aaaeeedeacd5d639f5a683389123f898@%3Cdev.flink.apache.org%3E", 
"https://lists.apache.org/thread.html/r5baac01f9e06c40ff7aab209d5751b3b58802c63734e33324b70a06a@%3Cissues.flink.apache.org%3E", "https://lists.apache.org/thread.html/rd8f72411fb75b98d366400ae789966373b5c3eb3f511e717caf3e49e@%3Cissues.flink.apache.org%3E", "https://lists.apache.org/thread.html/re7c69756a102bebce8b8681882844a53e2f23975a189363e68ad0324@%3Cissues.flink.apache.org%3E", "https://lists.apache.org/thread.html/rbde2f13daf4911504f0eaea43eee4f42555241b5f6d9d71564b6c5fa@%3Cjira.kafka.apache.org%3E", "https://lists.apache.org/thread.html/r855b4b6814ac829ce2d48dd9d8138d07f33387e710de798ee92c011e@%3Cissues.flink.apache.org%3E", "https://lists.apache.org/thread.html/rafc77f9f03031297394f3d372ccea751b23576f8a2ae9b6b053894c5@%3Cissues.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/re39391adcb863f0e9f3f15e7986255948f263f02e4700b82453e7102@%3Cissues.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/re9e6ed60941da831675de2f8f733c026757fb4fa28a7b6c9f3dfb575@%3Cdev.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/re1911e05c08f3ec2bab85744d788773519a0afb27272a31ac2a0b4e8@%3Cnotifications.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/redef0fb5474fd686781007de9ddb852b24f1b04131a248d9a4789183@%3Cnotifications.zookeeper.apache.org%3E", "https://security.netapp.com/advisory/ntap-20210604-0003/", "https://lists.apache.org/thread.html/r0b09f3e31e004fe583f677f7afa46bd30110904576c13c5ac818ac2c@%3Cissues.flink.apache.org%3E", "https://lists.apache.org/thread.html/r602e98daacc98934f097f07f2eed6eb07c18bfc1949c8489dc7bfcf5@%3Cissues.flink.apache.org%3E", "https://www.oracle.com//security-alerts/cpujul2021.html", "https://lists.apache.org/thread.html/rba2a9ef1d0af882ab58fadb336a58818495245dda43d32a7d7837187@%3Cissues.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/rf148b2bf6c2754153a8629bc7495e216bd0bd4c915695486542a10b4@%3Cnotifications.zookeeper.apache.org%3E", 
"https://lists.apache.org/thread.html/raa413040db6d2197593cc03edecfd168732e697119e6447b0a25d525@%3Cissues.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/rd4a6b7dec38ea6cd28b6f94bd4b312629a52b80be3786d5fb0e474bc@%3Cissues.kudu.apache.org%3E", "https://lists.apache.org/thread.html/rca0978b634a0c3ebee4126ec29c7f570b165fae3f8f3658754c1cbd3@%3Cissues.kudu.apache.org%3E", "https://lists.apache.org/thread.html/rf934292a4a1c189827f625d567838d2c1001e4739b158638d844105b@%3Cissues.kudu.apache.org%3E", "https://lists.apache.org/thread.html/r4ea2f1a9d79d4fc1896e085f31fb60a21b1770d0a26a5250f849372d@%3Cissues.kudu.apache.org%3E", "https://lists.apache.org/thread.html/ra655e5cec74d1ddf62adacb71d398abd96f3ea2c588f6bbf048348eb@%3Cissues.kudu.apache.org%3E", "https://lists.apache.org/thread.html/r6dac9bd799ceac499c7a7e152a9b0dc7f2fe7f89ec5605d129bb047b@%3Cissues.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/r31044fb995e894749cb821c6fe56f487c16a97028e6e360e59f09d58@%3Cissues.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/r5f2f120b2b8d099226473db1832ffb4d7c1d6dc2d228a164bf293a8e@%3Cissues.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/rcae42fba06979934208bbd515584b241d3ad01d1bb8b063512644362@%3Cdev.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/r7b54563abebe3dbbe421e1ba075c2030d8d460372f8c79b7789684b6@%3Cissues.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/r9ec78dc409f3f1edff88f21cab53737f36aad46f582a9825389092e0@%3Cissues.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/r967002f0939e69bdec58f070735a19dd57c1f2b8f817949ca17cddae@%3Cissues.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/r9fe840c36b74f92b8d4a089ada1f9fd1d6293742efa18b10e06b66d2@%3Ccommits.zookeeper.apache.org%3E", "https://www.oracle.com/security-alerts/cpuoct2021.html", 
"https://lists.apache.org/thread.html/r584cf871f188c406d8bd447ff4e2fd9817fca862436c064d0951a071@%3Ccommits.pulsar.apache.org%3E", "https://www.oracle.com/security-alerts/cpujan2022.html", "https://www.oracle.com/security-alerts/cpuapr2022.html" ], "description": "Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with the endStream set to to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a followup of GHSA-wm47-8v5p-wjpj/CVE-2021-21295 which did miss to fix this one case. This was fixed as part of 4.1.61.Final.", "cvss": [ { "version": "2.0", "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "metrics": { "baseScore": 4.3, "exploitabilityScore": 8.6, "impactScore": 2.9 }, "vendorMetadata": {} }, { "version": "3.1", "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "metrics": { "baseScore": 5.9, "exploitabilityScore": 2.2, "impactScore": 3.6 }, "vendorMetadata": {} } ], "fix": { "versions": [], "state": "unknown" }, "advisories": [] }, "relatedVulnerabilities": [], "matchDetails": [ { "type": "cpe-match", "matcher": "java-matcher", "searchedBy": { "namespace": "nvd:cpe", "cpes": [ "cpe:2.3:a:netty:netty:1.0.24:*:*:*:*:*:*:*" ] }, "found": { "versionConstraint": "< 4.1.61 (unknown)", "cpes": [ "cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:*" ] } } ], "artifact": { "name": "reactor-netty-http", "version": "1.0.24", "type": "java-archive", "locations": [ { "path": "target/appconfigdemo-0.0.1-SNAPSHOT.jar" } ], "language": "java", "licenses": [], "cpes": [ "cpe:2.3:a:reactor-netty-http:reactor-netty-http:1.0.24:*:*:*:*:*:*:*", 
"cpe:2.3:a:reactor-netty-http:reactor_netty_http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor_netty_http:reactor-netty-http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor_netty_http:reactor_netty_http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:projectreactor:reactor-netty-http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:projectreactor:reactor_netty_http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor-netty:reactor-netty-http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor-netty:reactor_netty_http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor_netty:reactor-netty-http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor_netty:reactor_netty_http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor:reactor-netty-http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor:reactor_netty_http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:netty:reactor-netty-http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:netty:reactor_netty_http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor-netty-http:netty:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor_netty_http:netty:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:projectreactor:netty:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor-netty:netty:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor_netty:netty:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor:netty:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:netty:netty:1.0.24:*:*:*:*:*:*:*" ], "purl": "pkg:maven/io.projectreactor.netty.reactor-netty-http/reactor-netty-http@1.0.24", "upstreams": [], "metadataType": "JavaMetadata", "metadata": { "virtualPath": "target/appconfigdemo-0.0.1-SNAPSHOT.jar:BOOT-INF/lib/reactor-netty-http-1.0.24.jar", "pomArtifactID": "", "pomGroupID": "", "manifestName": "", "archiveDigests": [ { "algorithm": "sha1", "value": "2fac480a17f752335318f103ab91427bdfb7716a" } ] } }, "appliedIgnoreRules": [ { "vulnerability": "CVE-2021-21409" } ] }, { "vulnerability": { "id": "CVE-2021-26291", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-26291", "namespace": "nvd:cpe", "severity": "Critical", "urls": [ 
"https://lists.apache.org/thread.html/r9a027668558264c4897633e66bcb7784099fdec9f9b22c38c2442f00%40%3Cusers.maven.apache.org%3E", "https://lists.apache.org/thread.html/r06db4057b74e0598a412734f693a34a8836ac6f06d16d139e5e1027c@%3Cdev.maven.apache.org%3E", "https://lists.apache.org/thread.html/r9a027668558264c4897633e66bcb7784099fdec9f9b22c38c2442f00@%3Cusers.maven.apache.org%3E", "http://www.openwall.com/lists/oss-security/2021/04/23/5", "https://lists.apache.org/thread.html/r0556ce5db7231025785477739ee416b169d8aff5ee9bac7854d64736@%3Cannounce.apache.org%3E", "https://lists.apache.org/thread.html/ra88a0eba7f84658cefcecc0143fd8bbad52c229ee5dfcbfdde7b6457@%3Cdev.jena.apache.org%3E", "https://lists.apache.org/thread.html/r3f0450dcab7e63b5f233ccfbc6fca5f1867a75c8aa2493ea82732381@%3Cdev.jena.apache.org%3E", "https://lists.apache.org/thread.html/rfc27e2727a20a574f39273e0432aa97486a332f9b3068f6ac1346594@%3Cdev.myfaces.apache.org%3E", "https://lists.apache.org/thread.html/r86e1c81e03f441855f127980e9b3d41939d04a7caea2b7ab718e2288@%3Cjira.kafka.apache.org%3E", "https://lists.apache.org/thread.html/red3bf6cbfd99e36b0c0a4fa1cea1eef1eb300c6bd8f372f497341265@%3Cdev.kafka.apache.org%3E", "https://lists.apache.org/thread.html/r78fb6d2cf0ca332cfa43abd4471e75fa6c517ed9cdfcb950bff48d40@%3Cjira.kafka.apache.org%3E", "https://lists.apache.org/thread.html/r340e75c9bb6e8661b89e1cf2c52f4638a18312e57bd884722bc28f52@%3Cjira.kafka.apache.org%3E", "https://lists.apache.org/thread.html/r0a5e4ff2a7ca7ad8595d7683afbaeb3b8788ba974681907f97e7dc8e@%3Cjira.kafka.apache.org%3E", "https://lists.apache.org/thread.html/r5ae6aaa8a2ce86145225c3516bb45d315c0454e3765d651527e5df8a@%3Ccommits.kafka.apache.org%3E", "https://lists.apache.org/thread.html/rc7ae2530063d1cd1cf8e9fa130d10940760f927168d4063d23b8cd0a@%3Ccommits.kafka.apache.org%3E", "https://lists.apache.org/thread.html/r86aebd0387ae19b740b3eb28bad83fe6aceca0d6257eaa810a6e0002@%3Ccommits.kafka.apache.org%3E", 
"https://lists.apache.org/thread.html/r30e9fcba679d164158cc26236704c351954909c18cb2485d11038aa6@%3Cdev.kafka.apache.org%3E", "https://lists.apache.org/thread.html/r39fa6ec4b7e912d3e04ea68efd23e554ec9c8efa2c96f5b45104fc61@%3Cjira.kafka.apache.org%3E", "https://lists.apache.org/thread.html/r7212b874e575e59d648980d91bc22e684906aee9b211ab92da9591f5@%3Cdev.kafka.apache.org%3E", "https://lists.apache.org/thread.html/rcd6c3a36f1dbc130da1b89d0f320db7040de71661a512695a8d513ac@%3Cdev.kafka.apache.org%3E", "https://lists.apache.org/thread.html/r2721aba31a8562639c4b937150897e24f78f747cdbda8641c0f659fe@%3Cusers.kafka.apache.org%3E", "https://www.whitesourcesoftware.com/resources/blog/maven-security-vulnerability-cve-2021-26291/", "https://lists.apache.org/thread.html/r71bc13669be84c2ff45b74a67929bc2da905c152e12a39b406e3c2a0@%3Cissues.karaf.apache.org%3E", "https://lists.apache.org/thread.html/r53cd5de57aaa126038c5301d8f518f3defab3c5b1c7e17c97bad08d8@%3Cissues.karaf.apache.org%3E", "https://lists.apache.org/thread.html/r74329c671df713f61ae4620ee2452a0443ccad7f33c60e8ed7d21ff9@%3Cissues.karaf.apache.org%3E", "https://lists.apache.org/thread.html/r07a89b32783f73bda6903c1f9aadeb859e5bef0a4daed6d87db8e4a9@%3Cissues.karaf.apache.org%3E", "https://lists.apache.org/thread.html/r52c6cda14dc6315dc79e72d30109f4589e9c6300ef6dc1a019da32d4@%3Cissues.karaf.apache.org%3E", "https://lists.apache.org/thread.html/r96cc126d3ee9aa42af9d3bb4baa94828b0a5f656584a50dcc594125f@%3Cissues.karaf.apache.org%3E", "https://lists.apache.org/thread.html/ra9d984eccfd2ae7726671e025f0296bf03786e5cdf872138110ac29b@%3Ccommits.druid.apache.org%3E", "https://lists.apache.org/thread.html/r0d083314aa3934dd4b6e6970d1f6ee50f6eaa9d867deb2cd96788478@%3Cjira.kafka.apache.org%3E", "https://lists.apache.org/thread.html/re75f8b3dbc5faa1640908f87e644d373e00f8b4e6ba3e2ba4bd2c80b@%3Ccommits.druid.apache.org%3E", 
"https://lists.apache.org/thread.html/r08a401f8c98a99f68d061fde6e6659d695f28d60fe4f0413bcb355b0@%3Ccommits.druid.apache.org%3E", "https://lists.apache.org/thread.html/r77af3ac7c3bfbd5454546e13faf7aec21d627bdcf36c9ca240436b94@%3Cissues.karaf.apache.org%3E", "https://lists.apache.org/thread.html/rdcbad6d8ce72c79827ed8c635f9a62dd919bb21c94a0b64cab2efc31@%3Cissues.karaf.apache.org%3E", "https://lists.apache.org/thread.html/rfc0db1f3c375087e69a239f9284ded72d04fbb55849eadde58fa9dc2@%3Cissues.karaf.apache.org%3E", "https://lists.apache.org/thread.html/r167dbc42ef7c59802c2ca1ac14735ef9cf687c25208229993d6206fe@%3Cissues.karaf.apache.org%3E", "https://lists.apache.org/thread.html/rcd37d9214b08067a2e8f2b5b4fd123a1f8cb6008698d11ef44028c21@%3Cissues.karaf.apache.org%3E", "https://lists.apache.org/thread.html/r2ddabd06d94b60cfb0141e4abb23201c628ab925e30742f61a04d013@%3Cissues.karaf.apache.org%3E", "https://lists.apache.org/thread.html/r4e1619cfefcd031fac62064a3858f5c9229eef907bd5d8ef14c594fc@%3Cissues.karaf.apache.org%3E", "https://lists.apache.org/thread.html/r30a139c165b3da6e0d5536434ab1550534011b1fdfcd2f5d95892c5b@%3Cissues.karaf.apache.org%3E", "https://lists.apache.org/thread.html/rf9abfc0223747a56694825c050cc6b66627a293a32ea926b3de22402@%3Cissues.karaf.apache.org%3E", "https://lists.apache.org/thread.html/rc9e441c1576bdc4375d32526d5cf457226928e9c87b9f54ded26271c@%3Cissues.karaf.apache.org%3E", "https://www.oracle.com/security-alerts/cpuapr2022.html", "https://www.oracle.com/security-alerts/cpujul2022.html" ], "description": "Apache Maven will follow repositories that are defined in a dependency’s Project Object Model (pom) which may be surprising to some users, resulting in potential risk if a malicious actor takes over that repository or is able to insert themselves into a position to pretend to be that repository. Maven is changing the default behavior in 3.8.1+ to no longer follow http (non-SSL) repository references by default. 
More details available in the referenced urls. If you are currently using a repository manager to govern the repositories used by your builds, you are unaffected by the risks present in the legacy behavior, and are unaffected by this vulnerability and change to default behavior. See this link for more information about repository management: https://maven.apache.org/repository-management.html", "cvss": [ { "version": "2.0", "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "metrics": { "baseScore": 6.4, "exploitabilityScore": 10, "impactScore": 4.9 }, "vendorMetadata": {} }, { "version": "3.1", "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "metrics": { "baseScore": 9.1, "exploitabilityScore": 3.9, "impactScore": 5.2 }, "vendorMetadata": {} } ], "fix": { "versions": [], "state": "unknown" }, "advisories": [] }, "relatedVulnerabilities": [], "matchDetails": [ { "type": "cpe-match", "matcher": "java-matcher", "searchedBy": { "namespace": "nvd:cpe", "cpes": [ "cpe:2.3:a:apache:maven:3.1.0:*:*:*:*:*:*:*" ] }, "found": { "versionConstraint": "< 3.8.1 (unknown)", "cpes": [ "cpe:2.3:a:apache:maven:*:*:*:*:*:*:*:*" ] } } ], "artifact": { "name": "maven-wrapper", "version": "3.1.0", "type": "java-archive", "locations": [ { "path": ".mvn/wrapper/maven-wrapper.jar" } ], "language": "java", "licenses": [], "cpes": [ "cpe:2.3:a:apache-software-foundation:maven-wrapper:3.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:apache-software-foundation:maven_wrapper:3.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:apache_software_foundation:maven-wrapper:3.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:apache_software_foundation:maven_wrapper:3.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:apache-software-foundation:wrapper:3.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:apache_software_foundation:wrapper:3.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:apache-software-foundation:maven:3.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:apache_software_foundation:maven:3.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:maven-wrapper:maven-wrapper:3.1.0:*:*:*:*:*:*:*", 
"cpe:2.3:a:maven-wrapper:maven_wrapper:3.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:maven_wrapper:maven-wrapper:3.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:maven_wrapper:maven_wrapper:3.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:maven-wrapper:wrapper:3.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:maven_wrapper:wrapper:3.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:wrapper:maven-wrapper:3.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:wrapper:maven_wrapper:3.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:apache:maven-wrapper:3.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:apache:maven_wrapper:3.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:maven-wrapper:maven:3.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:maven:maven-wrapper:3.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:maven:maven_wrapper:3.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:maven_wrapper:maven:3.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:wrapper:wrapper:3.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:apache:wrapper:3.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:maven:wrapper:3.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:wrapper:maven:3.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:apache:maven:3.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:maven:maven:3.1.0:*:*:*:*:*:*:*" ], "purl": "pkg:maven/org.apache.maven.wrapper/maven-wrapper@3.1.0", "upstreams": [], "metadataType": "JavaMetadata", "metadata": { "virtualPath": ".mvn/wrapper/maven-wrapper.jar", "pomArtifactID": "maven-wrapper", "pomGroupID": "org.apache.maven.wrapper", "manifestName": "", "archiveDigests": [ { "algorithm": "sha1", "value": "32f70e9f2cd92fd7629aba8214d1c9ae58a1e2fd" } ] } }, "appliedIgnoreRules": [ { "vulnerability": "CVE-2021-26291" } ] }, { "vulnerability": { "id": "CVE-2021-37136", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-37136", "namespace": "nvd:cpe", "severity": "High", "urls": [ "https://github.com/netty/netty/security/advisories/GHSA-grg4-wf29-r9vv", "https://lists.apache.org/thread.html/rfb2bf8597e53364ccab212fbcbb2a4e9f0a9e1429b1dc08023c6868e@%3Cdev.tinkerpop.apache.org%3E", "https://lists.apache.org/thread.html/r75490c61c2cb7b6ae2c81238fd52ae13636c60435abcd732d41531a0@%3Ccommits.druid.apache.org%3E", 
"https://lists.apache.org/thread.html/r5e05eba32476c580412f9fbdfc9b8782d5b40558018ac4ac07192a04@%3Ccommits.druid.apache.org%3E", "https://lists.apache.org/thread.html/r5406eaf3b07577d233b9f07cfc8f26e28369e6bab5edfcab41f28abb@%3Ccommits.druid.apache.org%3E", "https://lists.apache.org/thread.html/r06a145c9bd41a7344da242cef07977b24abe3349161ede948e30913d@%3Ccommits.druid.apache.org%3E", "https://lists.apache.org/thread.html/rd262f59b1586a108e320e5c966feeafbb1b8cdc96965debc7cc10b16@%3Ccommits.druid.apache.org%3E", "https://www.oracle.com/security-alerts/cpujan2022.html", "https://security.netapp.com/advisory/ntap-20220210-0012/", "https://www.oracle.com/security-alerts/cpuapr2022.html", "https://www.oracle.com/security-alerts/cpujul2022.html" ], "description": "The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are affected. The malicious input can trigger an OOME and so a DoS attack", "cvss": [ { "version": "2.0", "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "metrics": { "baseScore": 5, "exploitabilityScore": 10, "impactScore": 2.9 }, "vendorMetadata": {} }, { "version": "3.1", "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": { "baseScore": 7.5, "exploitabilityScore": 3.9, "impactScore": 3.6 }, "vendorMetadata": {} } ], "fix": { "versions": [], "state": "unknown" }, "advisories": [] }, "relatedVulnerabilities": [], "matchDetails": [ { "type": "cpe-match", "matcher": "java-matcher", "searchedBy": { "namespace": "nvd:cpe", "cpes": [ "cpe:2.3:a:netty:netty:1.0.24:*:*:*:*:*:*:*" ] }, "found": { "versionConstraint": "< 4.1.68 (unknown)", "cpes": [ "cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:*" ] } } ], "artifact": { "name": "reactor-netty-core", "version": "1.0.24", "type": "java-archive", "locations": [ { "path": "target/appconfigdemo-0.0.1-SNAPSHOT.jar" } ], "language": "java", "licenses": [], "cpes": [ 
"cpe:2.3:a:reactor-netty-core:reactor-netty-core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor-netty-core:reactor_netty_core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor_netty_core:reactor-netty-core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor_netty_core:reactor_netty_core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:projectreactor:reactor-netty-core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:projectreactor:reactor_netty_core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor-netty:reactor-netty-core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor-netty:reactor_netty_core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor_netty:reactor-netty-core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor_netty:reactor_netty_core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor:reactor-netty-core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor:reactor_netty_core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:netty:reactor-netty-core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:netty:reactor_netty_core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor-netty-core:netty:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor_netty_core:netty:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:projectreactor:netty:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor-netty:netty:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor_netty:netty:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor:netty:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:netty:netty:1.0.24:*:*:*:*:*:*:*" ], "purl": "pkg:maven/io.projectreactor.netty.reactor-netty-core/reactor-netty-core@1.0.24", "upstreams": [], "metadataType": "JavaMetadata", "metadata": { "virtualPath": "target/appconfigdemo-0.0.1-SNAPSHOT.jar:BOOT-INF/lib/reactor-netty-core-1.0.24.jar", "pomArtifactID": "", "pomGroupID": "", "manifestName": "", "archiveDigests": [ { "algorithm": "sha1", "value": "feaecb39237170aafb23935e9b383e8dda281379" } ] } }, "appliedIgnoreRules": [ { "vulnerability": "CVE-2021-37136" } ] }, { "vulnerability": { "id": "CVE-2021-37136", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-37136", "namespace": "nvd:cpe", "severity": "High", "urls": [ 
"https://github.com/netty/netty/security/advisories/GHSA-grg4-wf29-r9vv", "https://lists.apache.org/thread.html/rfb2bf8597e53364ccab212fbcbb2a4e9f0a9e1429b1dc08023c6868e@%3Cdev.tinkerpop.apache.org%3E", "https://lists.apache.org/thread.html/r75490c61c2cb7b6ae2c81238fd52ae13636c60435abcd732d41531a0@%3Ccommits.druid.apache.org%3E", "https://lists.apache.org/thread.html/r5e05eba32476c580412f9fbdfc9b8782d5b40558018ac4ac07192a04@%3Ccommits.druid.apache.org%3E", "https://lists.apache.org/thread.html/r5406eaf3b07577d233b9f07cfc8f26e28369e6bab5edfcab41f28abb@%3Ccommits.druid.apache.org%3E", "https://lists.apache.org/thread.html/r06a145c9bd41a7344da242cef07977b24abe3349161ede948e30913d@%3Ccommits.druid.apache.org%3E", "https://lists.apache.org/thread.html/rd262f59b1586a108e320e5c966feeafbb1b8cdc96965debc7cc10b16@%3Ccommits.druid.apache.org%3E", "https://www.oracle.com/security-alerts/cpujan2022.html", "https://security.netapp.com/advisory/ntap-20220210-0012/", "https://www.oracle.com/security-alerts/cpuapr2022.html", "https://www.oracle.com/security-alerts/cpujul2022.html" ], "description": "The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are affected. 
The malicious input can trigger an OOME and so a DoS attack", "cvss": [ { "version": "2.0", "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "metrics": { "baseScore": 5, "exploitabilityScore": 10, "impactScore": 2.9 }, "vendorMetadata": {} }, { "version": "3.1", "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": { "baseScore": 7.5, "exploitabilityScore": 3.9, "impactScore": 3.6 }, "vendorMetadata": {} } ], "fix": { "versions": [], "state": "unknown" }, "advisories": [] }, "relatedVulnerabilities": [], "matchDetails": [ { "type": "cpe-match", "matcher": "java-matcher", "searchedBy": { "namespace": "nvd:cpe", "cpes": [ "cpe:2.3:a:netty:netty:1.0.24:*:*:*:*:*:*:*" ] }, "found": { "versionConstraint": "< 4.1.68 (unknown)", "cpes": [ "cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:*" ] } } ], "artifact": { "name": "reactor-netty-http", "version": "1.0.24", "type": "java-archive", "locations": [ { "path": "target/appconfigdemo-0.0.1-SNAPSHOT.jar" } ], "language": "java", "licenses": [], "cpes": [ "cpe:2.3:a:reactor-netty-http:reactor-netty-http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor-netty-http:reactor_netty_http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor_netty_http:reactor-netty-http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor_netty_http:reactor_netty_http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:projectreactor:reactor-netty-http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:projectreactor:reactor_netty_http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor-netty:reactor-netty-http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor-netty:reactor_netty_http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor_netty:reactor-netty-http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor_netty:reactor_netty_http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor:reactor-netty-http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor:reactor_netty_http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:netty:reactor-netty-http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:netty:reactor_netty_http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor-netty-http:netty:1.0.24:*:*:*:*:*:*:*", 
"cpe:2.3:a:reactor_netty_http:netty:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:projectreactor:netty:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor-netty:netty:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor_netty:netty:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor:netty:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:netty:netty:1.0.24:*:*:*:*:*:*:*" ], "purl": "pkg:maven/io.projectreactor.netty.reactor-netty-http/reactor-netty-http@1.0.24", "upstreams": [], "metadataType": "JavaMetadata", "metadata": { "virtualPath": "target/appconfigdemo-0.0.1-SNAPSHOT.jar:BOOT-INF/lib/reactor-netty-http-1.0.24.jar", "pomArtifactID": "", "pomGroupID": "", "manifestName": "", "archiveDigests": [ { "algorithm": "sha1", "value": "2fac480a17f752335318f103ab91427bdfb7716a" } ] } }, "appliedIgnoreRules": [ { "vulnerability": "CVE-2021-37136" } ] }, { "vulnerability": { "id": "CVE-2021-37137", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-37137", "namespace": "nvd:cpe", "severity": "High", "urls": [ "https://github.com/netty/netty/security/advisories/GHSA-9vjp-v76f-g363", "https://lists.apache.org/thread.html/rfb2bf8597e53364ccab212fbcbb2a4e9f0a9e1429b1dc08023c6868e@%3Cdev.tinkerpop.apache.org%3E", "https://lists.apache.org/thread.html/r75490c61c2cb7b6ae2c81238fd52ae13636c60435abcd732d41531a0@%3Ccommits.druid.apache.org%3E", "https://lists.apache.org/thread.html/r5e05eba32476c580412f9fbdfc9b8782d5b40558018ac4ac07192a04@%3Ccommits.druid.apache.org%3E", "https://lists.apache.org/thread.html/r5406eaf3b07577d233b9f07cfc8f26e28369e6bab5edfcab41f28abb@%3Ccommits.druid.apache.org%3E", "https://lists.apache.org/thread.html/r06a145c9bd41a7344da242cef07977b24abe3349161ede948e30913d@%3Ccommits.druid.apache.org%3E", "https://lists.apache.org/thread.html/rd262f59b1586a108e320e5c966feeafbb1b8cdc96965debc7cc10b16@%3Ccommits.druid.apache.org%3E", "https://www.oracle.com/security-alerts/cpujan2022.html", "https://security.netapp.com/advisory/ntap-20220210-0012/", "https://www.oracle.com/security-alerts/cpuapr2022.html", 
"https://www.oracle.com/security-alerts/cpujul2022.html" ], "description": "The Snappy frame decoder function doesn't restrict the chunk length which may lead to excessive memory usage. Beside this it also may buffer reserved skippable chunks until the whole chunk was received which may lead to excessive memory usage as well. This vulnerability can be triggered by supplying malicious input that decompresses to a very big size (via a network stream or a file) or by sending a huge skippable chunk.", "cvss": [ { "version": "2.0", "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "metrics": { "baseScore": 5, "exploitabilityScore": 10, "impactScore": 2.9 }, "vendorMetadata": {} }, { "version": "3.1", "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": { "baseScore": 7.5, "exploitabilityScore": 3.9, "impactScore": 3.6 }, "vendorMetadata": {} } ], "fix": { "versions": [], "state": "unknown" }, "advisories": [] }, "relatedVulnerabilities": [], "matchDetails": [ { "type": "cpe-match", "matcher": "java-matcher", "searchedBy": { "namespace": "nvd:cpe", "cpes": [ "cpe:2.3:a:netty:netty:1.0.24:*:*:*:*:*:*:*" ] }, "found": { "versionConstraint": "< 4.1.68 (unknown)", "cpes": [ "cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:*" ] } } ], "artifact": { "name": "reactor-netty-core", "version": "1.0.24", "type": "java-archive", "locations": [ { "path": "target/appconfigdemo-0.0.1-SNAPSHOT.jar" } ], "language": "java", "licenses": [], "cpes": [ "cpe:2.3:a:reactor-netty-core:reactor-netty-core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor-netty-core:reactor_netty_core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor_netty_core:reactor-netty-core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor_netty_core:reactor_netty_core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:projectreactor:reactor-netty-core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:projectreactor:reactor_netty_core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor-netty:reactor-netty-core:1.0.24:*:*:*:*:*:*:*", 
"cpe:2.3:a:reactor-netty:reactor_netty_core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor_netty:reactor-netty-core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor_netty:reactor_netty_core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor:reactor-netty-core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor:reactor_netty_core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:netty:reactor-netty-core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:netty:reactor_netty_core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor-netty-core:netty:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor_netty_core:netty:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:projectreactor:netty:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor-netty:netty:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor_netty:netty:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor:netty:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:netty:netty:1.0.24:*:*:*:*:*:*:*" ], "purl": "pkg:maven/io.projectreactor.netty.reactor-netty-core/reactor-netty-core@1.0.24", "upstreams": [], "metadataType": "JavaMetadata", "metadata": { "virtualPath": "target/appconfigdemo-0.0.1-SNAPSHOT.jar:BOOT-INF/lib/reactor-netty-core-1.0.24.jar", "pomArtifactID": "", "pomGroupID": "", "manifestName": "", "archiveDigests": [ { "algorithm": "sha1", "value": "feaecb39237170aafb23935e9b383e8dda281379" } ] } }, "appliedIgnoreRules": [ { "vulnerability": "CVE-2021-37137" } ] }, { "vulnerability": { "id": "CVE-2021-37137", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-37137", "namespace": "nvd:cpe", "severity": "High", "urls": [ "https://github.com/netty/netty/security/advisories/GHSA-9vjp-v76f-g363", "https://lists.apache.org/thread.html/rfb2bf8597e53364ccab212fbcbb2a4e9f0a9e1429b1dc08023c6868e@%3Cdev.tinkerpop.apache.org%3E", "https://lists.apache.org/thread.html/r75490c61c2cb7b6ae2c81238fd52ae13636c60435abcd732d41531a0@%3Ccommits.druid.apache.org%3E", "https://lists.apache.org/thread.html/r5e05eba32476c580412f9fbdfc9b8782d5b40558018ac4ac07192a04@%3Ccommits.druid.apache.org%3E", 
"https://lists.apache.org/thread.html/r5406eaf3b07577d233b9f07cfc8f26e28369e6bab5edfcab41f28abb@%3Ccommits.druid.apache.org%3E", "https://lists.apache.org/thread.html/r06a145c9bd41a7344da242cef07977b24abe3349161ede948e30913d@%3Ccommits.druid.apache.org%3E", "https://lists.apache.org/thread.html/rd262f59b1586a108e320e5c966feeafbb1b8cdc96965debc7cc10b16@%3Ccommits.druid.apache.org%3E", "https://www.oracle.com/security-alerts/cpujan2022.html", "https://security.netapp.com/advisory/ntap-20220210-0012/", "https://www.oracle.com/security-alerts/cpuapr2022.html", "https://www.oracle.com/security-alerts/cpujul2022.html" ], "description": "The Snappy frame decoder function doesn't restrict the chunk length which may lead to excessive memory usage. Beside this it also may buffer reserved skippable chunks until the whole chunk was received which may lead to excessive memory usage as well. This vulnerability can be triggered by supplying malicious input that decompresses to a very big size (via a network stream or a file) or by sending a huge skippable chunk.", "cvss": [ { "version": "2.0", "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "metrics": { "baseScore": 5, "exploitabilityScore": 10, "impactScore": 2.9 }, "vendorMetadata": {} }, { "version": "3.1", "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": { "baseScore": 7.5, "exploitabilityScore": 3.9, "impactScore": 3.6 }, "vendorMetadata": {} } ], "fix": { "versions": [], "state": "unknown" }, "advisories": [] }, "relatedVulnerabilities": [], "matchDetails": [ { "type": "cpe-match", "matcher": "java-matcher", "searchedBy": { "namespace": "nvd:cpe", "cpes": [ "cpe:2.3:a:netty:netty:1.0.24:*:*:*:*:*:*:*" ] }, "found": { "versionConstraint": "< 4.1.68 (unknown)", "cpes": [ "cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:*" ] } } ], "artifact": { "name": "reactor-netty-http", "version": "1.0.24", "type": "java-archive", "locations": [ { "path": "target/appconfigdemo-0.0.1-SNAPSHOT.jar" } ], "language": "java", "licenses": [], 
"cpes": [ "cpe:2.3:a:reactor-netty-http:reactor-netty-http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor-netty-http:reactor_netty_http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor_netty_http:reactor-netty-http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor_netty_http:reactor_netty_http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:projectreactor:reactor-netty-http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:projectreactor:reactor_netty_http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor-netty:reactor-netty-http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor-netty:reactor_netty_http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor_netty:reactor-netty-http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor_netty:reactor_netty_http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor:reactor-netty-http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor:reactor_netty_http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:netty:reactor-netty-http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:netty:reactor_netty_http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor-netty-http:netty:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor_netty_http:netty:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:projectreactor:netty:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor-netty:netty:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor_netty:netty:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor:netty:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:netty:netty:1.0.24:*:*:*:*:*:*:*" ], "purl": "pkg:maven/io.projectreactor.netty.reactor-netty-http/reactor-netty-http@1.0.24", "upstreams": [], "metadataType": "JavaMetadata", "metadata": { "virtualPath": "target/appconfigdemo-0.0.1-SNAPSHOT.jar:BOOT-INF/lib/reactor-netty-http-1.0.24.jar", "pomArtifactID": "", "pomGroupID": "", "manifestName": "", "archiveDigests": [ { "algorithm": "sha1", "value": "2fac480a17f752335318f103ab91427bdfb7716a" } ] } }, "appliedIgnoreRules": [ { "vulnerability": "CVE-2021-37137" } ] }, { "vulnerability": { "id": "CVE-2021-43797", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-43797", "namespace": "nvd:cpe", "severity": "Medium", "urls": [ 
"https://github.com/netty/netty/security/advisories/GHSA-wx5j-54mm-rqqq", "https://github.com/netty/netty/commit/07aa6b5938a8b6ed7a6586e066400e2643897323", "https://security.netapp.com/advisory/ntap-20220107-0003/", "https://www.oracle.com/security-alerts/cpuapr2022.html", "https://www.oracle.com/security-alerts/cpujul2022.html" ], "description": "Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Netty prior to version 4.1.71.Final skips control chars when they are present at the beginning / end of the header name. It should instead fail fast as these are not allowed by the spec and could lead to HTTP request smuggling. Failing to do the validation might cause netty to \"sanitize\" header names before it forward these to another remote system when used as proxy. This remote system can't see the invalid usage anymore, and therefore does not do the validation itself. Users should upgrade to version 4.1.71.Final.", "cvss": [ { "version": "2.0", "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "metrics": { "baseScore": 4.3, "exploitabilityScore": 8.6, "impactScore": 2.9 }, "vendorMetadata": {} }, { "version": "3.1", "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "metrics": { "baseScore": 6.5, "exploitabilityScore": 2.8, "impactScore": 3.6 }, "vendorMetadata": {} } ], "fix": { "versions": [], "state": "unknown" }, "advisories": [] }, "relatedVulnerabilities": [], "matchDetails": [ { "type": "cpe-match", "matcher": "java-matcher", "searchedBy": { "namespace": "nvd:cpe", "cpes": [ "cpe:2.3:a:netty:netty:1.0.24:*:*:*:*:*:*:*" ] }, "found": { "versionConstraint": "< 4.1.71 (unknown)", "cpes": [ "cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:*" ] } } ], "artifact": { "name": "reactor-netty-core", "version": "1.0.24", "type": "java-archive", "locations": [ { "path": "target/appconfigdemo-0.0.1-SNAPSHOT.jar" } ], "language": "java", "licenses": [], "cpes": [ 
"cpe:2.3:a:reactor-netty-core:reactor-netty-core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor-netty-core:reactor_netty_core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor_netty_core:reactor-netty-core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor_netty_core:reactor_netty_core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:projectreactor:reactor-netty-core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:projectreactor:reactor_netty_core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor-netty:reactor-netty-core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor-netty:reactor_netty_core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor_netty:reactor-netty-core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor_netty:reactor_netty_core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor:reactor-netty-core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor:reactor_netty_core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:netty:reactor-netty-core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:netty:reactor_netty_core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor-netty-core:netty:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor_netty_core:netty:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:projectreactor:netty:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor-netty:netty:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor_netty:netty:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor:netty:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:netty:netty:1.0.24:*:*:*:*:*:*:*" ], "purl": "pkg:maven/io.projectreactor.netty.reactor-netty-core/reactor-netty-core@1.0.24", "upstreams": [], "metadataType": "JavaMetadata", "metadata": { "virtualPath": "target/appconfigdemo-0.0.1-SNAPSHOT.jar:BOOT-INF/lib/reactor-netty-core-1.0.24.jar", "pomArtifactID": "", "pomGroupID": "", "manifestName": "", "archiveDigests": [ { "algorithm": "sha1", "value": "feaecb39237170aafb23935e9b383e8dda281379" } ] } }, "appliedIgnoreRules": [ { "vulnerability": "CVE-2021-43797" } ] }, { "vulnerability": { "id": "CVE-2021-43797", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-43797", "namespace": "nvd:cpe", "severity": "Medium", "urls": [ 
"https://github.com/netty/netty/security/advisories/GHSA-wx5j-54mm-rqqq", "https://github.com/netty/netty/commit/07aa6b5938a8b6ed7a6586e066400e2643897323", "https://security.netapp.com/advisory/ntap-20220107-0003/", "https://www.oracle.com/security-alerts/cpuapr2022.html", "https://www.oracle.com/security-alerts/cpujul2022.html" ], "description": "Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Netty prior to version 4.1.71.Final skips control chars when they are present at the beginning / end of the header name. It should instead fail fast as these are not allowed by the spec and could lead to HTTP request smuggling. Failing to do the validation might cause netty to \"sanitize\" header names before it forward these to another remote system when used as proxy. This remote system can't see the invalid usage anymore, and therefore does not do the validation itself. Users should upgrade to version 4.1.71.Final.", "cvss": [ { "version": "2.0", "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "metrics": { "baseScore": 4.3, "exploitabilityScore": 8.6, "impactScore": 2.9 }, "vendorMetadata": {} }, { "version": "3.1", "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "metrics": { "baseScore": 6.5, "exploitabilityScore": 2.8, "impactScore": 3.6 }, "vendorMetadata": {} } ], "fix": { "versions": [], "state": "unknown" }, "advisories": [] }, "relatedVulnerabilities": [], "matchDetails": [ { "type": "cpe-match", "matcher": "java-matcher", "searchedBy": { "namespace": "nvd:cpe", "cpes": [ "cpe:2.3:a:netty:netty:1.0.24:*:*:*:*:*:*:*" ] }, "found": { "versionConstraint": "< 4.1.71 (unknown)", "cpes": [ "cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:*" ] } } ], "artifact": { "name": "reactor-netty-http", "version": "1.0.24", "type": "java-archive", "locations": [ { "path": "target/appconfigdemo-0.0.1-SNAPSHOT.jar" } ], "language": "java", "licenses": [], "cpes": [ 
"cpe:2.3:a:reactor-netty-http:reactor-netty-http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor-netty-http:reactor_netty_http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor_netty_http:reactor-netty-http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor_netty_http:reactor_netty_http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:projectreactor:reactor-netty-http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:projectreactor:reactor_netty_http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor-netty:reactor-netty-http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor-netty:reactor_netty_http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor_netty:reactor-netty-http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor_netty:reactor_netty_http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor:reactor-netty-http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor:reactor_netty_http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:netty:reactor-netty-http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:netty:reactor_netty_http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor-netty-http:netty:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor_netty_http:netty:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:projectreactor:netty:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor-netty:netty:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor_netty:netty:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor:netty:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:netty:netty:1.0.24:*:*:*:*:*:*:*" ], "purl": "pkg:maven/io.projectreactor.netty.reactor-netty-http/reactor-netty-http@1.0.24", "upstreams": [], "metadataType": "JavaMetadata", "metadata": { "virtualPath": "target/appconfigdemo-0.0.1-SNAPSHOT.jar:BOOT-INF/lib/reactor-netty-http-1.0.24.jar", "pomArtifactID": "", "pomGroupID": "", "manifestName": "", "archiveDigests": [ { "algorithm": "sha1", "value": "2fac480a17f752335318f103ab91427bdfb7716a" } ] } }, "appliedIgnoreRules": [ { "vulnerability": "CVE-2021-43797" } ] }, { "vulnerability": { "id": "CVE-2022-24823", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-24823", "namespace": "nvd:cpe", "severity": "Medium", "urls": [ 
"https://github.com/netty/netty/commit/185f8b2756a36aaa4f973f1a2a025e7d981823f1", "https://github.com/netty/netty/security/advisories/GHSA-5mcr-gq6c-3hq2", "https://github.com/netty/netty/security/advisories/GHSA-269q-hmxg-m83q", "https://security.netapp.com/advisory/ntap-20220616-0004/", "https://www.oracle.com/security-alerts/cpujul2022.html" ], "description": "Netty is an open-source, asynchronous event-driven network application framework. The package `io.netty:netty-codec-http` prior to version 4.1.77.Final contains an insufficient fix for CVE-2021-21290. When Netty's multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled. This only impacts applications running on Java version 6 and lower. Additionally, this vulnerability impacts code running on Unix-like systems, and very old versions of Mac OSX and Windows as they all share the system temporary directory between all users. Version 4.1.77.Final contains a patch for this vulnerability. As a workaround, specify one's own `java.io.tmpdir` when starting the JVM or use DefaultHttpDataFactory.setBaseDir(...) 
to set the directory to something that is only readable by the current user.", "cvss": [ { "version": "2.0", "vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N", "metrics": { "baseScore": 1.9, "exploitabilityScore": 3.4, "impactScore": 2.9 }, "vendorMetadata": {} }, { "version": "3.1", "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "metrics": { "baseScore": 5.5, "exploitabilityScore": 1.8, "impactScore": 3.6 }, "vendorMetadata": {} } ], "fix": { "versions": [], "state": "unknown" }, "advisories": [] }, "relatedVulnerabilities": [], "matchDetails": [ { "type": "cpe-match", "matcher": "java-matcher", "searchedBy": { "namespace": "nvd:cpe", "cpes": [ "cpe:2.3:a:netty:netty:1.0.24:*:*:*:*:*:*:*" ] }, "found": { "versionConstraint": "< 4.1.77 (unknown)", "cpes": [ "cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:*" ] } } ], "artifact": { "name": "reactor-netty-core", "version": "1.0.24", "type": "java-archive", "locations": [ { "path": "target/appconfigdemo-0.0.1-SNAPSHOT.jar" } ], "language": "java", "licenses": [], "cpes": [ "cpe:2.3:a:reactor-netty-core:reactor-netty-core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor-netty-core:reactor_netty_core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor_netty_core:reactor-netty-core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor_netty_core:reactor_netty_core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:projectreactor:reactor-netty-core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:projectreactor:reactor_netty_core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor-netty:reactor-netty-core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor-netty:reactor_netty_core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor_netty:reactor-netty-core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor_netty:reactor_netty_core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor:reactor-netty-core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor:reactor_netty_core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:netty:reactor-netty-core:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:netty:reactor_netty_core:1.0.24:*:*:*:*:*:*:*", 
"cpe:2.3:a:reactor-netty-core:netty:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor_netty_core:netty:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:projectreactor:netty:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor-netty:netty:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor_netty:netty:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor:netty:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:netty:netty:1.0.24:*:*:*:*:*:*:*" ], "purl": "pkg:maven/io.projectreactor.netty.reactor-netty-core/reactor-netty-core@1.0.24", "upstreams": [], "metadataType": "JavaMetadata", "metadata": { "virtualPath": "target/appconfigdemo-0.0.1-SNAPSHOT.jar:BOOT-INF/lib/reactor-netty-core-1.0.24.jar", "pomArtifactID": "", "pomGroupID": "", "manifestName": "", "archiveDigests": [ { "algorithm": "sha1", "value": "feaecb39237170aafb23935e9b383e8dda281379" } ] } }, "appliedIgnoreRules": [ { "vulnerability": "CVE-2022-24823" } ] }, { "vulnerability": { "id": "CVE-2022-24823", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-24823", "namespace": "nvd:cpe", "severity": "Medium", "urls": [ "https://github.com/netty/netty/commit/185f8b2756a36aaa4f973f1a2a025e7d981823f1", "https://github.com/netty/netty/security/advisories/GHSA-5mcr-gq6c-3hq2", "https://github.com/netty/netty/security/advisories/GHSA-269q-hmxg-m83q", "https://security.netapp.com/advisory/ntap-20220616-0004/", "https://www.oracle.com/security-alerts/cpujul2022.html" ], "description": "Netty is an open-source, asynchronous event-driven network application framework. The package `io.netty:netty-codec-http` prior to version 4.1.77.Final contains an insufficient fix for CVE-2021-21290. When Netty's multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled. This only impacts applications running on Java version 6 and lower. 
Additionally, this vulnerability impacts code running on Unix-like systems, and very old versions of Mac OSX and Windows as they all share the system temporary directory between all users. Version 4.1.77.Final contains a patch for this vulnerability. As a workaround, specify one's own `java.io.tmpdir` when starting the JVM or use DefaultHttpDataFactory.setBaseDir(...) to set the directory to something that is only readable by the current user.", "cvss": [ { "version": "2.0", "vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N", "metrics": { "baseScore": 1.9, "exploitabilityScore": 3.4, "impactScore": 2.9 }, "vendorMetadata": {} }, { "version": "3.1", "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "metrics": { "baseScore": 5.5, "exploitabilityScore": 1.8, "impactScore": 3.6 }, "vendorMetadata": {} } ], "fix": { "versions": [], "state": "unknown" }, "advisories": [] }, "relatedVulnerabilities": [], "matchDetails": [ { "type": "cpe-match", "matcher": "java-matcher", "searchedBy": { "namespace": "nvd:cpe", "cpes": [ "cpe:2.3:a:netty:netty:1.0.24:*:*:*:*:*:*:*" ] }, "found": { "versionConstraint": "< 4.1.77 (unknown)", "cpes": [ "cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:*" ] } } ], "artifact": { "name": "reactor-netty-http", "version": "1.0.24", "type": "java-archive", "locations": [ { "path": "target/appconfigdemo-0.0.1-SNAPSHOT.jar" } ], "language": "java", "licenses": [], "cpes": [ "cpe:2.3:a:reactor-netty-http:reactor-netty-http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor-netty-http:reactor_netty_http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor_netty_http:reactor-netty-http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor_netty_http:reactor_netty_http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:projectreactor:reactor-netty-http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:projectreactor:reactor_netty_http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor-netty:reactor-netty-http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor-netty:reactor_netty_http:1.0.24:*:*:*:*:*:*:*", 
"cpe:2.3:a:reactor_netty:reactor-netty-http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor_netty:reactor_netty_http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor:reactor-netty-http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor:reactor_netty_http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:netty:reactor-netty-http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:netty:reactor_netty_http:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor-netty-http:netty:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor_netty_http:netty:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:projectreactor:netty:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor-netty:netty:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor_netty:netty:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:reactor:netty:1.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:netty:netty:1.0.24:*:*:*:*:*:*:*" ], "purl": "pkg:maven/io.projectreactor.netty.reactor-netty-http/reactor-netty-http@1.0.24", "upstreams": [], "metadataType": "JavaMetadata", "metadata": { "virtualPath": "target/appconfigdemo-0.0.1-SNAPSHOT.jar:BOOT-INF/lib/reactor-netty-http-1.0.24.jar", "pomArtifactID": "", "pomGroupID": "", "manifestName": "", "archiveDigests": [ { "algorithm": "sha1", "value": "2fac480a17f752335318f103ab91427bdfb7716a" } ] } }, "appliedIgnoreRules": [ { "vulnerability": "CVE-2022-24823" } ] } ], "source": { "type": "directory", "target": "appconfigdemo" }, "distro": { "name": "", "version": "", "idLike": null }, "descriptor": { "name": "grype", "version": "0.53.0", "configuration": { "configPath": "/workspaces/appconfiguration-sample/.grype.yaml", "output": "json", "file": "output.json", "distro": "", "add-cpes-if-none": false, "output-template-file": "", "quiet": false, "check-for-app-update": true, "only-fixed": false, "only-notfixed": false, "platform": "", "search": { "scope": "Squashed", "unindexed-archives": false, "indexed-archives": true }, "ignore": [ { "vulnerability": "CVE-2021-26291", "namespace": "", "fix-state": "", "package": { "name": "", "version": "", "language": "", "type": "", "location": "" } }, { "vulnerability": 
"CVE-2019-20444", "namespace": "", "fix-state": "", "package": { "name": "", "version": "", "language": "", "type": "", "location": "" } }, { "vulnerability": "CVE-2019-20445", "namespace": "", "fix-state": "", "package": { "name": "", "version": "", "language": "", "type": "", "location": "" } }, { "vulnerability": "CVE-2015-2156", "namespace": "", "fix-state": "", "package": { "name": "", "version": "", "language": "", "type": "", "location": "" } }, { "vulnerability": "CVE-2019-16869", "namespace": "", "fix-state": "", "package": { "name": "", "version": "", "language": "", "type": "", "location": "" } }, { "vulnerability": "CVE-2021-37136", "namespace": "", "fix-state": "", "package": { "name": "", "version": "", "language": "", "type": "", "location": "" } }, { "vulnerability": "CVE-2021-37137", "namespace": "", "fix-state": "", "package": { "name": "", "version": "", "language": "", "type": "", "location": "" } }, { "vulnerability": "CVE-2014-3488", "namespace": "", "fix-state": "", "package": { "name": "", "version": "", "language": "", "type": "", "location": "" } }, { "vulnerability": "CVE-2021-21290", "namespace": "", "fix-state": "", "package": { "name": "", "version": "", "language": "", "type": "", "location": "" } }, { "vulnerability": "CVE-2021-21295", "namespace": "", "fix-state": "", "package": { "name": "", "version": "", "language": "", "type": "", "location": "" } }, { "vulnerability": "CVE-2021-21409", "namespace": "", "fix-state": "", "package": { "name": "", "version": "", "language": "", "type": "", "location": "" } }, { "vulnerability": "CVE-2021-43797", "namespace": "", "fix-state": "", "package": { "name": "", "version": "", "language": "", "type": "", "location": "" } }, { "vulnerability": "CVE-2022-24823", "namespace": "", "fix-state": "", "package": { "name": "", "version": "", "language": "", "type": "", "location": "" } }, { "vulnerability": "CVE-2016-1000027", "namespace": "", "fix-state": "", "package": { "name": "", "version": "", 
"language": "", "type": "", "location": "" } } ], "exclude": [], "db": { "cache-dir": "/home/vscode/.cache/grype/db", "update-url": "https://toolbox-data.anchore.io/grype/databases/listing.json", "ca-cert": "", "auto-update": true, "validate-by-hash-on-start": false, "validate-age": true, "max-allowed-built-age": 432000000000000 }, "externalSources": { "enable": false, "maven": { "searchUpstreamBySha1": true, "baseUrl": "https://search.maven.org/solrsearch/select" } }, "match": { "java": { "using-cpes": true }, "dotnet": { "using-cpes": true }, "golang": { "using-cpes": true }, "javascript": { "using-cpes": true }, "python": { "using-cpes": true }, "ruby": { "using-cpes": true }, "stock": { "using-cpes": true } }, "dev": { "profile-cpu": false, "profile-mem": false }, "fail-on-severity": "", "registry": { "insecure-skip-tls-verify": false, "insecure-use-http": false, "auth": [] }, "log": { "structured": false, "level": "", "file": "" }, "attestation": { "public-key": "", "skip-verification": false }, "show-suppressed": false }, "db": { "built": "2022-11-21T08:18:37Z", "schemaVersion": 5, "location": "/home/vscode/.cache/grype/db/5", "checksum": "sha256:f943368b57a2762307f6423db54606b42667c3ddf9390451db1f03297a5eca17", "error": null } } }