Vulnerability-Lookup

RHSA-2026:7109

Vulnerability from csaf_redhat - Published: 2026-04-14 17:18 - Updated: 2026-04-15 02:27

Summary

Red Hat Security Advisory: Red Hat build of Quarkus 3.20.6 release and security update

Severity

Important

Notes

Topic: An update is now available for Red Hat build of Quarkus. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability. For more information, see the CVE links in the References section.

Details: This release of Red Hat build of Quarkus 3.20.6 includes the following CVE fixes: * netty-codec-http: Netty: Request smuggling via incorrect parsing of HTTP/1.1 chunked transfer encoding extension values [quarkus-3.20] (CVE-2026-33870) * netty-codec-http2: Netty: Denial of Service via HTTP/2 CONTINUATION frame flood [quarkus-3.20] (CVE-2026-33871) * plexus-utils: Plexus-utils: Directory Traversal in extractFile method [quarkus-3.20] (CVE-2025-67030) * avro: Apache Avro Java SDK: Code injection on Java generated code [quarkus-3.20] (CVE-2025-33042) * vertx-core: static handler component cache can be manipulated to deny the access to static files [quarkus-3.20] (CVE-2026-1002) For more information, see the release notes page listed in the References section.

Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

CVE-2025-33042

A code injection flaw has been discovered in Apache Avro. This vulnerability manifests when generating specific records from untrusted Avro schemas.

5.6 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

CWE-94 - Improper Control of Generation of Code ('Code Injection')

Vendor Fix Before applying this update, make sure all previously released errata relevant to your system have been applied. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258 https://access.redhat.com/errata/RHSA-2026:7109

Workaround Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

CVE-2025-67030

A flaw was found in plexus-utils. This vulnerability, known as a Directory Traversal, exists within the `extractFile` method. An attacker can exploit this to execute unauthorized code on the system in the context of the current working user.

8.3 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVE-2026-1002

A flaw was found in Vert.x. The Web static handler component cache can be manipulated to deny the access to static files served by the handler using specifically crafted request URIs, preventing legitimate users from accessing static files with an HTTP 404 response.

5.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

Workaround To mitigate this vulnerability, consider disabling the static handler cache by configuring the StaticHandler instance with setCachingEnabled(false), for example: ~~~ StaticHandler staticHandler = StaticHandler.create().setCachingEnabled(false); ~~~

CVE-2026-33870

A flaw was found in Netty. A remote attacker could exploit this vulnerability by sending specially crafted HTTP/1.1 chunked transfer encoding extension values. Due to incorrect parsing of quoted strings, this flaw enables request smuggling attacks, potentially allowing an attacker to bypass security controls or access unauthorized information.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

CVE-2026-33871

A flaw was found in Netty. A remote user can trigger a Denial of Service (DoS) against a Netty HTTP/2 server by sending a flood of CONTINUATION frames. The server's lack of a limit on these frames, coupled with a bypass of size-based mitigations using zero-byte frames, allows an attacker to consume excessive CPU resources. This can render the server unresponsive with minimal bandwidth usage.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-770 - Allocation of Resources Without Limits or Throttling

References

URL

Category

	https://access.redhat.com/errata/RHSA-2026:7109	self
	https://access.redhat.com/security/updates/classi…	external
	https://access.redhat.com/products/quarkus/	external
	https://access.redhat.com/jbossnetwork/restricted…	external
	https://docs.redhat.com/en/documentation/red_hat_…	external
	https://issues.redhat.com/browse/QUARKUS-6878	external
	https://issues.redhat.com/browse/QUARKUS-7203	external
	https://issues.redhat.com/browse/QUARKUS-7204	external
	https://issues.redhat.com/browse/QUARKUS-7206	external
	https://issues.redhat.com/browse/QUARKUS-7207	external
	https://issues.redhat.com/browse/QUARKUS-7322	external
	https://issues.redhat.com/browse/QUARKUS-7323	external
	https://issues.redhat.com/browse/QUARKUS-7324	external
	https://issues.redhat.com/browse/QUARKUS-7325	external
	https://issues.redhat.com/browse/QUARKUS-7326	external
	https://issues.redhat.com/browse/QUARKUS-7327	external
	https://issues.redhat.com/browse/QUARKUS-7328	external
	https://issues.redhat.com/browse/QUARKUS-7329	external
	https://issues.redhat.com/browse/QUARKUS-7330	external
	https://issues.redhat.com/browse/QUARKUS-7331	external
	https://issues.redhat.com/browse/QUARKUS-7347	external
	https://issues.redhat.com/browse/QUARKUS-7379	external
	https://security.access.redhat.com/data/csaf/v2/a…	self
	https://access.redhat.com/security/cve/CVE-2025-33042	self
	https://bugzilla.redhat.com/show_bug.cgi?id=2439675	external
	https://www.cve.org/CVERecord?id=CVE-2025-33042	external
	https://nvd.nist.gov/vuln/detail/CVE-2025-33042	external
	https://github.com/apache/avro/commit/84bc7322ca1…	external
	https://issues.apache.org/jira/browse/AVRO-4053	external
	https://lists.apache.org/thread/fy88wmgf1lj9479vr…	external
	https://www.openwall.com/lists/oss-security/2026/…	external
	https://access.redhat.com/security/cve/CVE-2025-67030	self
	https://bugzilla.redhat.com/show_bug.cgi?id=2451409	external
	https://www.cve.org/CVERecord?id=CVE-2025-67030	external
	https://nvd.nist.gov/vuln/detail/CVE-2025-67030	external
	https://gist.github.com/weaver4VD/3216dac645220f8…	external
	https://github.com/codehaus-plexus/plexus-utils/c…	external
	https://github.com/codehaus-plexus/plexus-utils/i…	external
	https://github.com/codehaus-plexus/plexus-utils/p…	external
	https://github.com/codehaus-plexus/plexus-utils/p…	external
	https://access.redhat.com/security/cve/CVE-2026-1002	self
	https://bugzilla.redhat.com/show_bug.cgi?id=2430180	external
	https://www.cve.org/CVERecord?id=CVE-2026-1002	external
	https://nvd.nist.gov/vuln/detail/CVE-2026-1002	external
	https://github.com/eclipse-vertx/vert.x/pull/5895	external
	https://access.redhat.com/security/cve/CVE-2026-33870	self
	https://bugzilla.redhat.com/show_bug.cgi?id=2452453	external
	https://www.cve.org/CVERecord?id=CVE-2026-33870	external
	https://nvd.nist.gov/vuln/detail/CVE-2026-33870	external
	https://github.com/netty/netty/security/advisorie…	external
	https://w4ke.info/2025/06/18/funky-chunks.html	external
	https://w4ke.info/2025/10/29/funky-chunks-2.html	external
	https://www.rfc-editor.org/rfc/rfc9110	external
	https://access.redhat.com/security/cve/CVE-2026-33871	self
	https://bugzilla.redhat.com/show_bug.cgi?id=2452456	external
	https://www.cve.org/CVERecord?id=CVE-2026-33871	external
	https://nvd.nist.gov/vuln/detail/CVE-2026-33871	external
	https://github.com/netty/netty/security/advisorie…	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "An update is now available for Red Hat build of Quarkus.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability. For more information, see the CVE links in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "This release of Red Hat build of Quarkus 3.20.6 includes the following CVE fixes:\n\n* netty-codec-http: Netty: Request smuggling via incorrect parsing of HTTP/1.1 chunked transfer encoding extension values [quarkus-3.20] (CVE-2026-33870)\n\n* netty-codec-http2: Netty: Denial of Service via HTTP/2 CONTINUATION frame flood [quarkus-3.20] (CVE-2026-33871)\n\n* plexus-utils: Plexus-utils: Directory Traversal in extractFile method [quarkus-3.20] (CVE-2025-67030)\n\n* avro: Apache Avro Java SDK: Code injection on Java generated code [quarkus-3.20] (CVE-2025-33042)\n\n* vertx-core: static handler component cache can be manipulated to deny the access to static files [quarkus-3.20] (CVE-2026-1002)\n\nFor more information, see the release notes page listed in the References section.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2026:7109",
        "url": "https://access.redhat.com/errata/RHSA-2026:7109"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#important",
        "url": "https://access.redhat.com/security/updates/classification/#important"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/products/quarkus/",
        "url": "https://access.redhat.com/products/quarkus/"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=redhat.quarkus\u0026downloadType=distributions\u0026version=3.20.6",
        "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=redhat.quarkus\u0026downloadType=distributions\u0026version=3.20.6"
      },
      {
        "category": "external",
        "summary": "https://docs.redhat.com/en/documentation/red_hat_build_of_quarkus/3.20",
        "url": "https://docs.redhat.com/en/documentation/red_hat_build_of_quarkus/3.20"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6878",
        "url": "https://issues.redhat.com/browse/QUARKUS-6878"
      },
      {
        "category": "external",
        "summary": "QUARKUS-7203",
        "url": "https://issues.redhat.com/browse/QUARKUS-7203"
      },
      {
        "category": "external",
        "summary": "QUARKUS-7204",
        "url": "https://issues.redhat.com/browse/QUARKUS-7204"
      },
      {
        "category": "external",
        "summary": "QUARKUS-7206",
        "url": "https://issues.redhat.com/browse/QUARKUS-7206"
      },
      {
        "category": "external",
        "summary": "QUARKUS-7207",
        "url": "https://issues.redhat.com/browse/QUARKUS-7207"
      },
      {
        "category": "external",
        "summary": "QUARKUS-7322",
        "url": "https://issues.redhat.com/browse/QUARKUS-7322"
      },
      {
        "category": "external",
        "summary": "QUARKUS-7323",
        "url": "https://issues.redhat.com/browse/QUARKUS-7323"
      },
      {
        "category": "external",
        "summary": "QUARKUS-7324",
        "url": "https://issues.redhat.com/browse/QUARKUS-7324"
      },
      {
        "category": "external",
        "summary": "QUARKUS-7325",
        "url": "https://issues.redhat.com/browse/QUARKUS-7325"
      },
      {
        "category": "external",
        "summary": "QUARKUS-7326",
        "url": "https://issues.redhat.com/browse/QUARKUS-7326"
      },
      {
        "category": "external",
        "summary": "QUARKUS-7327",
        "url": "https://issues.redhat.com/browse/QUARKUS-7327"
      },
      {
        "category": "external",
        "summary": "QUARKUS-7328",
        "url": "https://issues.redhat.com/browse/QUARKUS-7328"
      },
      {
        "category": "external",
        "summary": "QUARKUS-7329",
        "url": "https://issues.redhat.com/browse/QUARKUS-7329"
      },
      {
        "category": "external",
        "summary": "QUARKUS-7330",
        "url": "https://issues.redhat.com/browse/QUARKUS-7330"
      },
      {
        "category": "external",
        "summary": "QUARKUS-7331",
        "url": "https://issues.redhat.com/browse/QUARKUS-7331"
      },
      {
        "category": "external",
        "summary": "QUARKUS-7347",
        "url": "https://issues.redhat.com/browse/QUARKUS-7347"
      },
      {
        "category": "external",
        "summary": "QUARKUS-7379",
        "url": "https://issues.redhat.com/browse/QUARKUS-7379"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_7109.json"
      }
    ],
    "title": "Red Hat Security Advisory: Red Hat build of Quarkus 3.20.6 release and security update",
    "tracking": {
      "current_release_date": "2026-04-15T02:27:26+00:00",
      "generator": {
        "date": "2026-04-15T02:27:26+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.7.5"
        }
      },
      "id": "RHSA-2026:7109",
      "initial_release_date": "2026-04-14T17:18:52+00:00",
      "revision_history": [
        {
          "date": "2026-04-14T17:18:52+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2026-04-14T17:18:52+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2026-04-15T02:27:26+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat build of Quarkus 3.20.6",
                "product": {
                  "name": "Red Hat build of Quarkus 3.20.6",
                  "product_id": "Red Hat build of Quarkus 3.20.6",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:quarkus:3.20::el8"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat build of Quarkus"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-33042",
      "cwe": {
        "id": "CWE-94",
        "name": "Improper Control of Generation of Code (\u0027Code Injection\u0027)"
      },
      "discovery_date": "2026-02-13T12:00:45.349337+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2439675"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A code injection flaw has been discovered in Apache Avro. This vulnerability manifests when generating specific records from untrusted Avro schemas.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "org.apache.avro/avro: Apache Avro Java SDK: Code injection on Java generated code",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat build of Quarkus 3.20.6"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2025-33042"
        },
        {
          "category": "external",
          "summary": "RHBZ#2439675",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2439675"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2025-33042",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-33042"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-33042",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-33042"
        },
        {
          "category": "external",
          "summary": "https://github.com/apache/avro/commit/84bc7322ca1c04ab4a8e4e708acf1e271541aac4",
          "url": "https://github.com/apache/avro/commit/84bc7322ca1c04ab4a8e4e708acf1e271541aac4"
        },
        {
          "category": "external",
          "summary": "https://issues.apache.org/jira/browse/AVRO-4053",
          "url": "https://issues.apache.org/jira/browse/AVRO-4053"
        },
        {
          "category": "external",
          "summary": "https://lists.apache.org/thread/fy88wmgf1lj9479vrpt12cv8x73lroj1",
          "url": "https://lists.apache.org/thread/fy88wmgf1lj9479vrpt12cv8x73lroj1"
        },
        {
          "category": "external",
          "summary": "https://www.openwall.com/lists/oss-security/2026/02/12/2",
          "url": "https://www.openwall.com/lists/oss-security/2026/02/12/2"
        }
      ],
      "release_date": "2026-02-13T11:47:03.783000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-04-14T17:18:52+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "Red Hat build of Quarkus 3.20.6"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:7109"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "Red Hat build of Quarkus 3.20.6"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.6,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.1"
          },
          "products": [
            "Red Hat build of Quarkus 3.20.6"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "org.apache.avro/avro: Apache Avro Java SDK: Code injection on Java generated code"
    },
    {
      "cve": "CVE-2025-67030",
      "cwe": {
        "id": "CWE-22",
        "name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
      },
      "discovery_date": "2026-03-25T18:02:00.463244+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2451409"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in plexus-utils. This vulnerability, known as a Directory Traversal, exists within the `extractFile` method. An attacker can exploit this to execute unauthorized code on the system in the context of the current working user.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "org.codehaus.plexus:plexus-utils: Plexus-utils: Directory Traversal in extractFile method",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat build of Quarkus 3.20.6"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2025-67030"
        },
        {
          "category": "external",
          "summary": "RHBZ#2451409",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451409"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2025-67030",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-67030"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-67030",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-67030"
        },
        {
          "category": "external",
          "summary": "https://gist.github.com/weaver4VD/3216dac645220f8c9b488362f61241ec",
          "url": "https://gist.github.com/weaver4VD/3216dac645220f8c9b488362f61241ec"
        },
        {
          "category": "external",
          "summary": "https://github.com/codehaus-plexus/plexus-utils/commit/6d780b3378829318ba5c2d29547e0012d5b29642",
          "url": "https://github.com/codehaus-plexus/plexus-utils/commit/6d780b3378829318ba5c2d29547e0012d5b29642"
        },
        {
          "category": "external",
          "summary": "https://github.com/codehaus-plexus/plexus-utils/issues/294",
          "url": "https://github.com/codehaus-plexus/plexus-utils/issues/294"
        },
        {
          "category": "external",
          "summary": "https://github.com/codehaus-plexus/plexus-utils/pull/295",
          "url": "https://github.com/codehaus-plexus/plexus-utils/pull/295"
        },
        {
          "category": "external",
          "summary": "https://github.com/codehaus-plexus/plexus-utils/pull/296",
          "url": "https://github.com/codehaus-plexus/plexus-utils/pull/296"
        }
      ],
      "release_date": "2026-03-25T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-04-14T17:18:52+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "Red Hat build of Quarkus 3.20.6"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:7109"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "Red Hat build of Quarkus 3.20.6"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 8.3,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L",
            "version": "3.1"
          },
          "products": [
            "Red Hat build of Quarkus 3.20.6"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "org.codehaus.plexus:plexus-utils: Plexus-utils: Directory Traversal in extractFile method"
    },
    {
      "cve": "CVE-2026-1002",
      "cwe": {
        "id": "CWE-444",
        "name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)"
      },
      "discovery_date": "2026-01-15T21:03:20.088599+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2430180"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Vert.x. The Web static handler component cache can be manipulated to deny the access to static files served by the handler using specifically crafted request URIs, preventing legitimate users from accessing static files with an HTTP 404 response.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "io.vertx/vertx-core: static handler component cache can be manipulated to deny the access to static files",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This vulnerability allows a remote attacker to block access to specific static files, such as images, CSS or HTML files. However, the underlying Vert.x server, the API endpoints and other non-cached resources are not affected. Due to this reason, this issue has been rated with a moderate severity.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat build of Quarkus 3.20.6"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-1002"
        },
        {
          "category": "external",
          "summary": "RHBZ#2430180",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2430180"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-1002",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-1002"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-1002",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1002"
        },
        {
          "category": "external",
          "summary": "https://github.com/eclipse-vertx/vert.x/pull/5895",
          "url": "https://github.com/eclipse-vertx/vert.x/pull/5895"
        }
      ],
      "release_date": "2026-01-15T20:50:25.642000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-04-14T17:18:52+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "Red Hat build of Quarkus 3.20.6"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:7109"
        },
        {
          "category": "workaround",
          "details": "To mitigate this vulnerability, consider disabling the static handler cache by configuring the StaticHandler instance with setCachingEnabled(false), for example:\n\n~~~\nStaticHandler staticHandler = StaticHandler.create().setCachingEnabled(false);\n~~~",
          "product_ids": [
            "Red Hat build of Quarkus 3.20.6"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "products": [
            "Red Hat build of Quarkus 3.20.6"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "io.vertx/vertx-core: static handler component cache can be manipulated to deny the access to static files"
    },
    {
      "cve": "CVE-2026-33870",
      "cwe": {
        "id": "CWE-444",
        "name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)"
      },
      "discovery_date": "2026-03-27T21:01:59.865839+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2452453"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Netty. A remote attacker could exploit this vulnerability by sending specially crafted HTTP/1.1 chunked transfer encoding extension values. Due to incorrect parsing of quoted strings, this flaw enables request smuggling attacks, potentially allowing an attacker to bypass security controls or access unauthorized information.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "io.netty/netty-codec-http: Netty: Request smuggling via incorrect parsing of HTTP/1.1 chunked transfer encoding extension values",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat build of Quarkus 3.20.6"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-33870"
        },
        {
          "category": "external",
          "summary": "RHBZ#2452453",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2452453"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-33870",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-33870"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-33870",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33870"
        },
        {
          "category": "external",
          "summary": "https://github.com/netty/netty/security/advisories/GHSA-pwqr-wmgm-9rr8",
          "url": "https://github.com/netty/netty/security/advisories/GHSA-pwqr-wmgm-9rr8"
        },
        {
          "category": "external",
          "summary": "https://w4ke.info/2025/06/18/funky-chunks.html",
          "url": "https://w4ke.info/2025/06/18/funky-chunks.html"
        },
        {
          "category": "external",
          "summary": "https://w4ke.info/2025/10/29/funky-chunks-2.html",
          "url": "https://w4ke.info/2025/10/29/funky-chunks-2.html"
        },
        {
          "category": "external",
          "summary": "https://www.rfc-editor.org/rfc/rfc9110",
          "url": "https://www.rfc-editor.org/rfc/rfc9110"
        }
      ],
      "release_date": "2026-03-27T19:54:15.586000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-04-14T17:18:52+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "Red Hat build of Quarkus 3.20.6"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:7109"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "Red Hat build of Quarkus 3.20.6"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "Red Hat build of Quarkus 3.20.6"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "io.netty/netty-codec-http: Netty: Request smuggling via incorrect parsing of HTTP/1.1 chunked transfer encoding extension values"
    },
    {
      "cve": "CVE-2026-33871",
      "cwe": {
        "id": "CWE-770",
        "name": "Allocation of Resources Without Limits or Throttling"
      },
      "discovery_date": "2026-03-27T21:02:13.396015+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2452456"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Netty. A remote user can trigger a Denial of Service (DoS) against a Netty HTTP/2 server by sending a flood of CONTINUATION frames. The server\u0027s lack of a limit on these frames, coupled with a bypass of size-based mitigations using zero-byte frames, allows an attacker to consume excessive CPU resources. This can render the server unresponsive with minimal bandwidth usage.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "netty: Netty: Denial of Service via HTTP/2 CONTINUATION frame flood",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This important vulnerability in Netty HTTP/2 servers allows a remote attacker to cause a Denial of Service by sending a flood of CONTINUATION frames. This can lead to excessive CPU consumption and render the server unresponsive. Red Hat products utilizing affected Netty versions, such as Red Hat AMQ, Enterprise Application Platform, and OpenShift Container Platform components, are impacted if configured to use HTTP/2.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat build of Quarkus 3.20.6"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-33871"
        },
        {
          "category": "external",
          "summary": "RHBZ#2452456",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2452456"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-33871",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-33871"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-33871",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33871"
        },
        {
          "category": "external",
          "summary": "https://github.com/netty/netty/security/advisories/GHSA-w9fj-cfpg-grvv",
          "url": "https://github.com/netty/netty/security/advisories/GHSA-w9fj-cfpg-grvv"
        }
      ],
      "release_date": "2026-03-27T19:55:23.135000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-04-14T17:18:52+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "Red Hat build of Quarkus 3.20.6"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:7109"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat build of Quarkus 3.20.6"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "netty: Netty: Denial of Service via HTTP/2 CONTINUATION frame flood"
    }
  ]
}

CVE-2026-1002 (GCVE-0-2026-1002)

Vulnerability from cvelistv5 – Published: 2026-01-15 20:50 – Updated: 2026-01-15 21:09

Title

Eclipse Vert.x Web static handler file access denial

Summary

The Vert.x Web static handler component cache can be manipulated to deny the access to static files served by the handler using specifically crafted request URI. The issue comes from an improper implementation of the C. rule of section 5.2.4 of RFC3986 and is fixed in Vert.x Core component (used by Vert.x Web): https://github.com/eclipse-vertx/vert.x/pull/5895 Steps to reproduce Given a file served by the static handler, craft an URI that introduces a string like bar%2F..%2F after the last / char to deny the access to the URI with an HTTP 404 response. For example https://example.com/foo/index.html can be denied with https://example.com/foo/bar%2F..%2Findex.html Mitgation Disabling Static Handler cache fixes the issue. StaticHandler staticHandler = StaticHandler.create().setCachingEnabled(false);

Severity ?

6.9 (Medium)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L

CWE

CWE-444

Assigner

eclipse

References

URL

Tags

https://github.com/eclipse-vertx/vert.x/pull/5895

patch

Impacted products

	Vendor	Product	Version
	Eclipse Vert.x	Eclipse Vert.x	Affected: 4.0.0 , ≤ 4.5.23 (semver) Affected: 5.0.0 , ≤ 5.0.6 (semver)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-1002",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-01-15T21:07:25.597990Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-01-15T21:09:22.172Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/vert-x3/vertx-web/issues/2836"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://repo.maven.apache.org/maven2",
          "defaultStatus": "unaffected",
          "packageName": "io.vertx",
          "product": "Eclipse Vert.x",
          "repo": "https://github.com/eclipse-vertx/vert.x",
          "vendor": "Eclipse Vert.x",
          "versions": [
            {
              "lessThanOrEqual": "4.5.23",
              "status": "affected",
              "version": "4.0.0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.0.6",
              "status": "affected",
              "version": "5.0.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eThe Vert.x Web static handler component cache can be manipulated to deny the access to static files served by the handler using specifically crafted request URI.\u003c/p\u003e\n\u003cp\u003eThe issue comes from an improper implementation of the C. rule of section 5.2.4 of RFC3986 and is fixed in Vert.x Core component (used by Vert.x Web): \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://github.com/eclipse-vertx/vert.x/pull/5895\"\u003ehttps://github.com/eclipse-vertx/vert.x/pull/5895\u003c/a\u003e\u003c/p\u003e\n\u003ch2\u003e\n\u003ca target=\"_blank\" rel=\"nofollow\"\u003e\u003c/a\u003e\u003c/h2\u003e\u003ch2\u003eSteps to reproduce\u003c/h2\u003e\n\u003cp\u003eGiven a file served by the static handler, craft an URI that introduces a string like \u003ccode\u003ebar%2F..%2F\u003c/code\u003e after the last \u003ccode\u003e/\u003c/code\u003e char to deny the access to the URI with an HTTP 404 response. For example \u003ccode\u003ehttps://example.com/foo/index.html\u003c/code\u003e can be denied with \u003ccode\u003ehttps://example.com/foo/bar%2F..%2Findex.html\u003c/code\u003e\u003c/p\u003e\u003ch2\u003eMitgation\u003c/h2\u003e\n\u003cp\u003eDisabling Static Handler cache fixes the issue.\u003c/p\u003e\n\u003cdiv\u003e\n\u003cpre\u003e\u003ccode\u003eStaticHandler staticHandler = StaticHandler.create().setCachingEnabled(false);\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003cbr\u003e"
            }
          ],
          "value": "The Vert.x Web static handler component cache can be manipulated to deny the access to static files served by the handler using specifically crafted request URI.\n\n\nThe issue comes from an improper implementation of the C. rule of section 5.2.4 of RFC3986 and is fixed in Vert.x Core component (used by Vert.x Web):  https://github.com/eclipse-vertx/vert.x/pull/5895 \n\n\n\nSteps to reproduce\nGiven a file served by the static handler, craft an URI that introduces a string like bar%2F..%2F after the last / char to deny the access to the URI with an HTTP 404 response. For example https://example.com/foo/index.html can be denied with https://example.com/foo/bar%2F..%2Findex.html\n\nMitgation\nDisabling Static Handler cache fixes the issue.\n\n\n\nStaticHandler staticHandler = StaticHandler.create().setCachingEnabled(false);"
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-153",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-153 Input Data Manipulation"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 6.9,
            "baseSeverity": "MEDIUM",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "LOW",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L",
            "version": "4.0",
            "vulnAvailabilityImpact": "LOW",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-444",
              "description": "CWE-444",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-15T20:50:25.642Z",
        "orgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c",
        "shortName": "eclipse"
      },
      "references": [
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/eclipse-vertx/vert.x/pull/5895"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Eclipse Vert.x Web static handler file access denial",
      "x_generator": {
        "engine": "Vulnogram 0.5.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c",
    "assignerShortName": "eclipse",
    "cveId": "CVE-2026-1002",
    "datePublished": "2026-01-15T20:50:25.642Z",
    "dateReserved": "2026-01-15T18:23:48.276Z",
    "dateUpdated": "2026-01-15T21:09:22.172Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-33871 (GCVE-0-2026-33871)

Vulnerability from cvelistv5 – Published: 2026-03-27 19:55 – Updated: 2026-03-31 18:54

Title

Netty HTTP/2 CONTINUATION Frame Flood DoS via Zero-Byte Frame Bypass

Summary

Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, a remote user can trigger a Denial of Service (DoS) against a Netty HTTP/2 server by sending a flood of `CONTINUATION` frames. The server's lack of a limit on the number of `CONTINUATION` frames, combined with a bypass of existing size-based mitigations using zero-byte frames, allows an user to cause excessive CPU consumption with minimal bandwidth, rendering the server unresponsive. Versions 4.1.132.Final and 4.2.10.Final fix the issue.

Severity ?

8.7 (High)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CWE

CWE-770 - Allocation of Resources Without Limits or Throttling

Assigner

GitHub_M

References

URL

Tags

https://github.com/netty/netty/security/advisorie…

x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	netty	netty	Affected: < 4.1.132.Final Affected: >= 4.2.0.Alpha1, < 4.2.10.Final

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-33871",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-31T18:51:31.168118Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-31T18:54:19.771Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "netty",
          "vendor": "netty",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 4.1.132.Final"
            },
            {
              "status": "affected",
              "version": "\u003e= 4.2.0.Alpha1, \u003c 4.2.10.Final"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, a remote user can trigger a Denial of Service (DoS) against a Netty HTTP/2 server by sending a flood of `CONTINUATION` frames. The server\u0027s lack of a limit on the number of `CONTINUATION` frames, combined with a bypass of existing size-based mitigations using zero-byte frames, allows an user to cause excessive CPU consumption with minimal bandwidth, rendering the server unresponsive. Versions 4.1.132.Final and 4.2.10.Final fix the issue."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-770",
              "description": "CWE-770: Allocation of Resources Without Limits or Throttling",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-27T19:55:23.135Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/netty/netty/security/advisories/GHSA-w9fj-cfpg-grvv",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/netty/netty/security/advisories/GHSA-w9fj-cfpg-grvv"
        }
      ],
      "source": {
        "advisory": "GHSA-w9fj-cfpg-grvv",
        "discovery": "UNKNOWN"
      },
      "title": "Netty HTTP/2 CONTINUATION Frame Flood DoS via Zero-Byte Frame Bypass"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-33871",
    "datePublished": "2026-03-27T19:55:23.135Z",
    "dateReserved": "2026-03-24T15:10:05.679Z",
    "dateUpdated": "2026-03-31T18:54:19.771Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-67030 (GCVE-0-2025-67030)

Vulnerability from cvelistv5 – Published: 2026-03-25 00:00 – Updated: 2026-03-27 19:34

Summary

Directory Traversal vulnerability in the extractFile method of org.codehaus.plexus.util.Expand in plexus-utils before 6d780b3378829318ba5c2d29547e0012d5b29642. This allows an attacker to execute arbitrary code

Severity ?

8.8 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE

Assigner

mitre

References

URL

Tags

	https://github.com/codehaus-plexus/plexus-utils/p…
	https://github.com/codehaus-plexus/plexus-utils/i…
	https://github.com/codehaus-plexus/plexus-utils/c…
	https://github.com/codehaus-plexus/plexus-utils/p…
	https://gist.github.com/weaver4VD/3216dac645220f8…

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 8.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-67030",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-27T19:33:16.549505Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-22",
                "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-27T19:34:53.752Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Directory Traversal vulnerability in the extractFile method of org.codehaus.plexus.util.Expand in plexus-utils before 6d780b3378829318ba5c2d29547e0012d5b29642. This allows an attacker to execute arbitrary code"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-25T17:45:41.937Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://github.com/codehaus-plexus/plexus-utils/pull/295"
        },
        {
          "url": "https://github.com/codehaus-plexus/plexus-utils/issues/294"
        },
        {
          "url": "https://github.com/codehaus-plexus/plexus-utils/commit/6d780b3378829318ba5c2d29547e0012d5b29642"
        },
        {
          "url": "https://github.com/codehaus-plexus/plexus-utils/pull/296"
        },
        {
          "url": "https://gist.github.com/weaver4VD/3216dac645220f8c9b488362f61241ec"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2025-67030",
    "datePublished": "2026-03-25T00:00:00.000Z",
    "dateReserved": "2025-12-08T00:00:00.000Z",
    "dateUpdated": "2026-03-27T19:34:53.752Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-33870 (GCVE-0-2026-33870)

Vulnerability from cvelistv5 – Published: 2026-03-27 19:54 – Updated: 2026-03-31 13:55

Title

Netty: HTTP Request Smuggling via Chunked Extension Quoted-String Parsing

Summary

Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, Netty incorrectly parses quoted strings in HTTP/1.1 chunked transfer encoding extension values, enabling request smuggling attacks. Versions 4.1.132.Final and 4.2.10.Final fix the issue.

Severity ?

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CWE

CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

Assigner

GitHub_M

References

URL

Tags

	https://github.com/netty/netty/security/advisorie…	x_refsource_CONFIRM
	https://w4ke.info/2025/06/18/funky-chunks.html	x_refsource_MISC
	https://w4ke.info/2025/10/29/funky-chunks-2.html	x_refsource_MISC
	https://www.rfc-editor.org/rfc/rfc9110	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	netty	netty	Affected: < 4.1.132.Final Affected: >= 4.2.0.Alpha1, < 4.2.10.Final

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-33870",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-31T13:55:28.970197Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-31T13:55:47.863Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "netty",
          "vendor": "netty",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 4.1.132.Final"
            },
            {
              "status": "affected",
              "version": "\u003e= 4.2.0.Alpha1, \u003c 4.2.10.Final"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, Netty incorrectly parses quoted strings in HTTP/1.1 chunked transfer encoding extension values, enabling request smuggling attacks. Versions 4.1.132.Final and 4.2.10.Final fix the issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-444",
              "description": "CWE-444: Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-27T19:54:15.586Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/netty/netty/security/advisories/GHSA-pwqr-wmgm-9rr8",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/netty/netty/security/advisories/GHSA-pwqr-wmgm-9rr8"
        },
        {
          "name": "https://w4ke.info/2025/06/18/funky-chunks.html",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://w4ke.info/2025/06/18/funky-chunks.html"
        },
        {
          "name": "https://w4ke.info/2025/10/29/funky-chunks-2.html",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://w4ke.info/2025/10/29/funky-chunks-2.html"
        },
        {
          "name": "https://www.rfc-editor.org/rfc/rfc9110",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.rfc-editor.org/rfc/rfc9110"
        }
      ],
      "source": {
        "advisory": "GHSA-pwqr-wmgm-9rr8",
        "discovery": "UNKNOWN"
      },
      "title": "Netty: HTTP Request Smuggling via Chunked Extension Quoted-String Parsing"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-33870",
    "datePublished": "2026-03-27T19:54:15.586Z",
    "dateReserved": "2026-03-24T15:10:05.678Z",
    "dateUpdated": "2026-03-31T13:55:47.863Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-33042 (GCVE-0-2025-33042)

Vulnerability from cvelistv5 – Published: 2026-02-13 11:47 – Updated: 2026-02-13 18:05

Title

Apache Avro Java SDK: Code injection on Java generated code

Summary

Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Avro Java SDK when generating specific records from untrusted Avro schemas. This issue affects Apache Avro Java SDK: all versions through 1.11.4 and version 1.12.0. Users are recommended to upgrade to version 1.12.1 or 1.11.5, which fix the issue.

Severity ?

No CVSS data available.

CWE

CWE-94 - Improper Control of Generation of Code ('Code Injection')

Assigner

apache

References

URL

Tags

https://lists.apache.org/thread/fy88wmgf1lj9479vr…

vendor-advisory

Impacted products

	Vendor	Product	Version
	Apache Software Foundation	Apache Avro Java SDK	Affected: 0 , ≤ 1.11.4 (semver) Affected: 1.12.0 (semver)

Credits

Brant Eckert

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2026-02-13T12:11:10.364Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/02/12/2"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "LOW",
              "baseScore": 7.3,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "LOW",
              "integrityImpact": "LOW",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-33042",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-13T18:05:06.984761Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-13T18:05:35.038Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://repo.maven.apache.org/maven2",
          "defaultStatus": "unaffected",
          "packageName": "org.apache.avro:avro",
          "product": "Apache Avro Java SDK",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "1.11.4",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "status": "affected",
              "version": "1.12.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Brant Eckert"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eImproper Control of Generation of Code (\u0027Code Injection\u0027) vulnerability in Apache Avro Java SDK when generating specific records from untrusted Avro schemas.\u003c/p\u003e\u003cp\u003eThis issue affects Apache Avro Java SDK: all versions through 1.11.4 and version\u0026nbsp;1.12.0.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 1.12.1 or 1.11.5, which fix the issue.\u003c/p\u003e"
            }
          ],
          "value": "Improper Control of Generation of Code (\u0027Code Injection\u0027) vulnerability in Apache Avro Java SDK when generating specific records from untrusted Avro schemas.\n\nThis issue affects Apache Avro Java SDK: all versions through 1.11.4 and version\u00a01.12.0.\n\nUsers are recommended to upgrade to version 1.12.1 or 1.11.5, which fix the issue."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "moderate"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-94",
              "description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-13T11:47:03.783Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.apache.org/thread/fy88wmgf1lj9479vrpt12cv8x73lroj1"
        }
      ],
      "source": {
        "defect": [
          "AVRO-4053"
        ],
        "discovery": "UNKNOWN"
      },
      "title": "Apache Avro Java SDK: Code injection on Java generated code",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2025-33042",
    "datePublished": "2026-02-13T11:47:03.783Z",
    "dateReserved": "2025-04-15T15:57:08.995Z",
    "dateUpdated": "2026-02-13T18:05:35.038Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

RHSA-2026:7109

CVE-2026-1002 (GCVE-0-2026-1002)

CVE-2026-33871 (GCVE-0-2026-33871)

CVE-2025-67030 (GCVE-0-2025-67030)

CVE-2026-33870 (GCVE-0-2026-33870)

CVE-2025-33042 (GCVE-0-2025-33042)

Tags

Sightings

Nomenclature