Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[GHSA-q4h9-7rxj-7gx2] Netty vulnerability included in redis lettuce #5113

Closed
wants to merge 1 commit into from
+5 −10
Closed

[GHSA-q4h9-7rxj-7gx2] Netty vulnerability included in redis lettuce #5113

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
15 changes: 5 additions & 10 deletions advisories/github-reviewed/2024/12/GHSA-q4h9-7rxj-7gx2/GHSA-q4h9-7rxj-7gx2.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,14 +3,12 @@
"id": "GHSA-q4h9-7rxj-7gx2",
"modified": "2024-12-02T20:03:14Z",
"published": "2024-12-02T20:03:03Z",
"aliases": [],
Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The actual improvement suggestion is to remove this advisory altogether -- the web form that generated this pull request does not provide an obvious mechanism to do that.

"summary": "Netty vulnerability included in redis lettuce",
"details": "### Summary\nNote: i'm reporting this in this way purely because it's private and i don't want to broadcast vulnerabilities.\n\n> An unsafe reading of environment file could potentially cause a denial of service in Netty. When loaded on an Windows application, Netty attempts to load a file that does not exist. If an attacker creates such a large file, the Netty application crashes. This vulnerability is fixed in 4.1.115.\n\n### Details\nhttps://github.com/redis/lettuce/blob/main/pom.xml#L67C9-L67C53 The netty version pinned here is currently \n```\n<netty.version>4.1.113.Final</netty.version>\n```\nThis version is vulnerable according to Snyk and is affecting one of our products:\n![image](https://github.com/user-attachments/assets/a7c78c24-f1e3-4f29-bc49-b252d330002a)\n\nHere is a [link](https://www.cve.org/CVERecord?id=CVE-2024-47535) to the CVE\n\n### PoC\n_Complete instructions, including specific configuration details, to reproduce the vulnerability._\nNot applicable\n\n### Impact\n_What kind of vulnerability is it? Who is impacted?_\nDenial of Service, affecting Windows users. ",
"aliases": [

],
"summary": "-- none -- this is false positive report",
"details": "This advisory should be removed, it is a false positive report.\n\nThe advisory asserts that the Lettuce package is vulnerable only because it expresses a dependency on a vulnerable version of Netty -- but Lettuce itself does not have this vulnerability: it does not actually package or shade the vulnerable Netty code. The Netty vulnerability already has its own CVE/advisory. This advisory incorrectly flags the usage of Lettuce even when a consuming project has otherwise overridden or excluded the actually-vulnerable Netty package.",
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
},
{
"type": "CVSS_V4",
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"
Expand All @@ -28,9 +26,6 @@
"events": [
{
"introduced": "0"
},
{
"fixed": "6.5.1.RELEASE"
}
]
}
Expand Down
Loading