Opentok-Java-SDK icon indicating copy to clipboard operation
Opentok-Java-SDK copied to clipboard

Published 20 hours ago verified publisher icon opentok

netty-handler-4.1.116.Final.jar: 2 vulnerabilities (highest severity is: 7.5)

Open mend-for-github-com[bot] opened this issue 9 months ago • 0 comments
trafficstars

Vulnerable Library - netty-handler-4.1.116.Final.jar

Library home page: https://netty.io/

Path to dependency file: /build.gradle

Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/io.netty/netty-handler/4.1.116.Final/eaef854ef33f3fd3d0ecf927690d8112c710bc05/netty-handler-4.1.116.Final.jar

Vulnerabilities

CVE Severity CVSS Exploit Maturity EPSS Dependency Type Fixed in (netty-handler version) Remediation Possible** Reachability
CVE-2025-24970 High 7.5 Not Defined 0.0% netty-handler-4.1.116.Final.jar Direct 4.1.118.Final
CVE-2025-25193 Medium 5.5 Not Defined 0.0% netty-common-4.1.116.Final.jar Transitive 4.1.118.Final

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2025-24970

Vulnerable Library - netty-handler-4.1.116.Final.jar

Library home page: https://netty.io/

Path to dependency file: /build.gradle

Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/io.netty/netty-handler/4.1.116.Final/eaef854ef33f3fd3d0ecf927690d8112c710bc05/netty-handler-4.1.116.Final.jar

Dependency Hierarchy:

  • :x: netty-handler-4.1.116.Final.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Netty, an asynchronous, event-driven network application framework, has a vulnerability starting in version 4.1.91.Final and prior to version 4.1.118.Final. When a special crafted packet is received via SslHandler it doesn't correctly handle validation of such a packet in all cases which can lead to a native crash. Version 4.1.118.Final contains a patch. As workaround its possible to either disable the usage of the native SSLEngine or change the code manually.

Publish Date: 2025-02-10

URL: CVE-2025-24970

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.0%

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High
For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-4g8c-wm8x-jfhw

Release Date: 2025-02-10

Fix Resolution: 4.1.118.Final

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

CVE-2025-25193

Vulnerable Library - netty-common-4.1.116.Final.jar

Library home page: https://netty.io/

Path to dependency file: /build.gradle

Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/io.netty/netty-common/4.1.116.Final/6871f95af2bc3a98fda34a580baf6cac8cbc2944/netty-common-4.1.116.Final.jar

Dependency Hierarchy:

  • netty-handler-4.1.116.Final.jar (Root Library)
    • :x: netty-common-4.1.116.Final.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Netty, an asynchronous, event-driven network application framework, has a vulnerability in versions up to and including 4.1.118.Final. An unsafe reading of environment file could potentially cause a denial of service in Netty. When loaded on an Windows application, Netty attempts to load a file that does not exist. If an attacker creates such a large file, the Netty application crash. A similar issue was previously reported as CVE-2024-47535. This issue was fixed, but the fix was incomplete in that null-bytes were not counted against the input limit. Commit d1fbda62d3a47835d3fb35db8bd42ecc205a5386 contains an updated fix.

Publish Date: 2025-02-10

URL: CVE-2025-25193

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.0%

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High
For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/netty/netty/security/advisories/GHSA-389x-839f-4rhx

Release Date: 2025-02-10

Fix Resolution (io.netty:netty-common): 4.1.118.Final

Direct dependency fix Resolution (io.netty:netty-handler): 4.1.118.Final

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

:rescue_worker_helmet:Automatic Remediation will be attempted for this issue.

mend-for-github-com[bot] avatar Feb 11 '25 12:02 mend-for-github-com[bot]