GHSA-Q4H9-7RXJ-7GX2

Vulnerability from github – Published: 2024-12-02 20:03 – Updated: 2025-01-16 14:36
VLAI
Summary
Withdrawn Advisory: Netty vulnerability included in redis lettuce
Details

Withdrawn Advisory

This advisory has been withdrawn because users of Lettuce may independently exclude vulnerable versions of Netty from their dependencies, and those users should not receive alerts for CVE-2024-47535. This link is maintained to preserve external references.

Original Description

Summary

Note: i'm reporting this in this way purely because it's private and i don't want to broadcast vulnerabilities.

An unsafe reading of environment file could potentially cause a denial of service in Netty. When loaded on an Windows application, Netty attempts to load a file that does not exist. If an attacker creates such a large file, the Netty application crashes. This vulnerability is fixed in 4.1.115.

Details

https://github.com/redis/lettuce/blob/main/pom.xml#L67C9-L67C53 The netty version pinned here is currently

<netty.version>4.1.113.Final</netty.version>

This version is vulnerable according to Snyk and is affecting one of our products: image

Here is a link to the CVE

PoC

Complete instructions, including specific configuration details, to reproduce the vulnerability. Not applicable

Impact

What kind of vulnerability is it? Who is impacted? Denial of Service, affecting Windows users.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "io.lettuce:lettuce-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.5.1.RELEASE"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-12-02T20:03:03Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "# Withdrawn Advisory\nThis advisory has been withdrawn because users of Lettuce may independently exclude vulnerable versions of Netty from their dependencies, and those users should not receive alerts for CVE-2024-47535. This link is maintained to preserve external references.\n\n# Original Description\n\n### Summary\nNote: i\u0027m reporting this in this way purely because it\u0027s private and i don\u0027t want to broadcast vulnerabilities.\n\n\u003e An unsafe reading of environment file could potentially cause a denial of service in Netty. When loaded on an Windows application, Netty attempts to load a file that does not exist. If an attacker creates such a large file, the Netty application crashes. This vulnerability is fixed in 4.1.115.\n\n### Details\nhttps://github.com/redis/lettuce/blob/main/pom.xml#L67C9-L67C53 The netty version pinned here is currently \n```\n\u003cnetty.version\u003e4.1.113.Final\u003c/netty.version\u003e\n```\nThis version is vulnerable according to Snyk and is affecting one of our products:\n![image](https://github.com/user-attachments/assets/a7c78c24-f1e3-4f29-bc49-b252d330002a)\n\nHere is a [link](https://www.cve.org/CVERecord?id=CVE-2024-47535) to the CVE\n\n### PoC\n_Complete instructions, including specific configuration details, to reproduce the vulnerability._\nNot applicable\n\n### Impact\n_What kind of vulnerability is it? Who is impacted?_\nDenial of Service, affecting Windows users. ",
  "id": "GHSA-q4h9-7rxj-7gx2",
  "modified": "2025-01-16T14:36:55Z",
  "published": "2024-12-02T20:03:03Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/netty/netty/security/advisories/GHSA-xq3w-v528-46rv"
    },
    {
      "type": "WEB",
      "url": "https://github.com/redis/lettuce/security/advisories/GHSA-q4h9-7rxj-7gx2"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47535"
    },
    {
      "type": "WEB",
      "url": "https://github.com/redis/lettuce/issues/3093"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/redis/lettuce"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Withdrawn Advisory: Netty vulnerability included in redis lettuce",
  "withdrawn": "2025-01-16T14:36:55Z"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…