[ATLAS-4853] Upgrade Netty to 4.1.108.Final due to CVE-2024-29025 - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Task
Status: Patch Available
Priority: Major
Resolution: Unresolved
Affects Version/s: None
Fix Version/s: None
Component/s: atlas-core
Labels:
None

Description

Upgrade Netty to 4.1.108.Final due to CVE-2024-29025

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. The `HttpPostRequestDecoder` can be tricked to accumulate data. While the decoder can store items on the disk if configured so, there are no limits to the number of fields the form can have, an attacher can send a chunked post consisting of many small fields that will be accumulated in the `bodyListHttpData` list. The decoder cumulates bytes in the `undecodedChunk` buffer until it can decode a field, this field can cumulate data without limits. This vulnerability is fixed in 4.1.108.Final.
https://nvd.nist.gov/vuln/detail/CVE-2024-29025
https://github.com/advisories/GHSA-5jpm-x58v-624v
https://ossindex.sonatype.org/vulnerability/CVE-2024-29025

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

ATLAS-4853.patch
23/Apr/24 16:57
0.9 kB
Disha Talreja

Activity

People

Assignee:: Disha Talreja

Reporter:: Disha Talreja

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 22/Apr/24 23:15

Updated:: 23/Apr/24 16:57