transport-5.6.4.jar: 4 vulnerabilities (highest severity is: 9.8) reachable

[mend-local-app]

Vulnerable Library - transport-5.6.4.jar

Path to dependency file: /pom.xml

Path to vulnerable library: /Users/alexmaybaum/.m2/repository/io/netty/netty-codec-http/4.1.13.Final/netty-codec-http-4.1.13.Final.jar

Found in HEAD commit: d9961a50d4e1866631ab3050249381b0088bbbc6

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (transport version)	Remediation Possible**	Reachability
CVE-2020-11612	High	9.8	netty-codec-4.1.13.Final.jar	Transitive	N/A*	❌	Reachable
CVE-2019-20445	High	9.1	netty-codec-http-4.1.13.Final.jar	Transitive	N/A*	❌	Reachable
CVE-2019-20444	High	9.1	netty-codec-http-4.1.13.Final.jar	Transitive	N/A*	❌	Reachable
CVE-2020-7238	High	7.5	netty-codec-http-4.1.13.Final.jar	Transitive	N/A*	❌	Reachable

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2020-11612

Vulnerable Library - netty-codec-4.1.13.Final.jar

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.

Library home page: http://netty.io/

Path to dependency file: /pom.xml

Path to vulnerable library: /Users/alexmaybaum/.m2/repository/io/netty/netty-codec/4.1.13.Final/netty-codec-4.1.13.Final.jar

Dependency Hierarchy:

• transport-5.6.4.jar (Root Library)
  • transport-netty4-client-5.6.4.jar
    • ❌ netty-codec-4.1.13.Final.jar (Vulnerable Library)

Found in HEAD commit: d9961a50d4e1866631ab3050249381b0088bbbc6

Found in base branch: vp-rem

Reachability Analysis

This vulnerability is potentially reachable

com.visualpathit.account.utils.ElasticsearchUtil (Application)
  -> org.elasticsearch.transport.client.PreBuiltTransportClient (Extension)
   -> org.elasticsearch.transport.Netty4Plugin (Extension)
    -> org.elasticsearch.http.netty4.Netty4HttpServerTransport (Extension)
    ...
      -> io.netty.handler.codec.http.HttpContentDecompressor (Extension)
       -> io.netty.handler.codec.compression.ZlibCodecFactory (Extension)
        -> ❌ io.netty.handler.codec.compression.JZlibDecoder (Vulnerable Component)

Vulnerability Details

The ZlibDecoders in Netty 4.1.x before 4.1.46 allow for unbounded memory allocation while decoding a ZlibEncoded byte stream. An attacker could send a large ZlibEncoded byte stream to the Netty server, forcing the server to allocate all of its free memory to a single decoder.

Publish Date: 2020-04-07

URL: CVE-2020-11612

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://netty.io/news/2020/02/28/4-1-46-Final.html

Release Date: 2020-04-07

Fix Resolution: io.netty:netty-codec:4.1.46.Final;io.netty:netty-all:4.1.46.Final

CVE-2019-20445

Vulnerable Library - netty-codec-http-4.1.13.Final.jar

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.

Library home page: http://netty.io/

Path to dependency file: /pom.xml

Path to vulnerable library: /Users/alexmaybaum/.m2/repository/io/netty/netty-codec-http/4.1.13.Final/netty-codec-http-4.1.13.Final.jar

Dependency Hierarchy:

• transport-5.6.4.jar (Root Library)
  • transport-netty4-client-5.6.4.jar
    • ❌ netty-codec-http-4.1.13.Final.jar (Vulnerable Library)

Found in HEAD commit: d9961a50d4e1866631ab3050249381b0088bbbc6

Found in base branch: vp-rem

Reachability Analysis

This vulnerability is potentially reachable

com.visualpathit.account.utils.ElasticsearchUtil (Application)
  -> org.elasticsearch.transport.client.PreBuiltTransportClient (Extension)
   -> org.elasticsearch.transport.Netty4Plugin (Extension)
    -> org.elasticsearch.http.netty4.Netty4HttpServerTransport (Extension)
     -> org.elasticsearch.http.netty4.Netty4HttpServerTransport$HttpChannelHandler (Extension)
      -> io.netty.handler.codec.http.HttpRequestDecoder (Extension)
       -> ❌ io.netty.handler.codec.http.HttpObjectDecoder (Vulnerable Component)

Vulnerability Details

HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding header.

Publish Date: 2020-01-29

URL: CVE-2019-20445

CVSS 3 Score Details (9.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20445

Release Date: 2020-01-29

Fix Resolution: io.netty:netty-codec-http:4.1.44

CVE-2019-20444

Vulnerable Library - netty-codec-http-4.1.13.Final.jar

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.

Library home page: http://netty.io/

Path to dependency file: /pom.xml

Path to vulnerable library: /Users/alexmaybaum/.m2/repository/io/netty/netty-codec-http/4.1.13.Final/netty-codec-http-4.1.13.Final.jar

Dependency Hierarchy:

• transport-5.6.4.jar (Root Library)
  • transport-netty4-client-5.6.4.jar
    • ❌ netty-codec-http-4.1.13.Final.jar (Vulnerable Library)

Found in HEAD commit: d9961a50d4e1866631ab3050249381b0088bbbc6

Found in base branch: vp-rem

Reachability Analysis

This vulnerability is potentially reachable

com.visualpathit.account.utils.ElasticsearchUtil (Application)
  -> org.elasticsearch.transport.client.PreBuiltTransportClient (Extension)
   -> org.elasticsearch.transport.Netty4Plugin (Extension)
    -> org.elasticsearch.http.netty4.Netty4HttpServerTransport (Extension)
     -> org.elasticsearch.http.netty4.Netty4HttpServerTransport$HttpChannelHandler (Extension)
      -> io.netty.handler.codec.http.HttpRequestDecoder (Extension)
       -> ❌ io.netty.handler.codec.http.HttpObjectDecoder (Vulnerable Component)

Vulnerability Details

HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax, or might be interpreted as an "invalid fold."

Publish Date: 2020-01-29

URL: CVE-2019-20444

CVSS 3 Score Details (9.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20444

Release Date: 2020-01-29

Fix Resolution: io.netty:netty-codec-http:4.1.44

CVE-2020-7238

Vulnerable Library - netty-codec-http-4.1.13.Final.jar

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.

Library home page: http://netty.io/

Path to dependency file: /pom.xml

Path to vulnerable library: /Users/alexmaybaum/.m2/repository/io/netty/netty-codec-http/4.1.13.Final/netty-codec-http-4.1.13.Final.jar

Dependency Hierarchy:

• transport-5.6.4.jar (Root Library)
  • transport-netty4-client-5.6.4.jar
    • ❌ netty-codec-http-4.1.13.Final.jar (Vulnerable Library)

Found in HEAD commit: d9961a50d4e1866631ab3050249381b0088bbbc6

Found in base branch: vp-rem

Reachability Analysis

This vulnerability is potentially reachable

com.visualpathit.account.utils.ElasticsearchUtil (Application)
  -> org.elasticsearch.transport.client.PreBuiltTransportClient (Extension)
   -> org.elasticsearch.transport.Netty4Plugin (Extension)
    -> org.elasticsearch.http.netty4.Netty4HttpServerTransport (Extension)
     -> org.elasticsearch.http.netty4.Netty4HttpServerTransport$HttpChannelHandler (Extension)
      -> io.netty.handler.codec.http.HttpRequestDecoder (Extension)
       -> ❌ io.netty.handler.codec.http.HttpObjectDecoder (Vulnerable Component)

Vulnerability Details

Netty 4.1.43.Final allows HTTP Request Smuggling because it mishandles Transfer-Encoding whitespace (such as a [space]Transfer-Encoding:chunked line) and a later Content-Length header. This issue exists because of an incomplete fix for CVE-2019-16869.

Publish Date: 2020-01-27

URL: CVE-2020-7238

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2020-01-27

Fix Resolution: io.netty:netty-all:4.1.44.Final;io.netty:netty-codec-http:4.1.44.Final