CVE-2024-47535

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. An unsafe reading of environment file could potentially cause a denial of service in Netty. When loaded on an Windows application, Netty attempts to load a file that does not exist. If an attacker creates such a large file, the Netty application crashes. This vulnerability is fixed in 4.1.115.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
5.5 MEDIUM
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
GitHub_MCNA
5.5 MEDIUM
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 4%
VendorProductVersion
nettynetty
𝑥
< 4.1.115
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
netty
bullseye (security)
1:4.1.48-4+deb11u2
fixed
bullseye
1:4.1.48-4+deb11u2
fixed
bookworm
1:4.1.48-7+deb12u1
fixed
bookworm (security)
1:4.1.48-7+deb12u1
fixed
forky
1:4.1.48-10
fixed
sid
1:4.1.48-10
fixed
trixie
1:4.1.48-10
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
netty-3.9
plucky
dne
oracular
dne
noble
dne
jammy
dne
focal
dne
bionic
needs-triage
xenial
needs-triage
netty
plucky
ignored
oracular
ignored
noble
ignored
jammy
ignored
focal
ignored
bionic
ignored
xenial
ignored
trusty
ignored
Common Weakness Enumeration
References
https://github.com/netty/netty/commit/fbf7a704a82e7449b48bd0bbb679f5661c6d61a3
https://github.com/netty/netty/security/advisories/GHSA-xq3w-v528-46rv