Vulnerabilities > Netty

DATE CVE VULNERABILITY TITLE RISK
2021-02-08 CVE-2021-21290 Creation of Temporary File in Directory with Incorrect Permissions vulnerability in multiple products
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients.
local
low complexity
netty debian quarkus oracle netapp CWE-379
5.5
5.5
2020-04-07 CVE-2020-11612 Allocation of Resources Without Limits or Throttling vulnerability in multiple products
The ZlibDecoders in Netty 4.1.x before 4.1.46 allow for unbounded memory allocation while decoding a ZlibEncoded byte stream.
network
low complexity
netty debian fedoraproject netapp oracle CWE-770
7.5
7.5
2020-01-29 CVE-2019-20445 HTTP Request Smuggling vulnerability in multiple products
HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding header.
network
low complexity
netty debian fedoraproject canonical redhat apache CWE-444
critical
 9.1
9.1
2020-01-29 CVE-2019-20444 HTTP Request Smuggling vulnerability in multiple products
HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax, or might be interpreted as an "invalid fold."
network
low complexity
netty debian fedoraproject canonical redhat CWE-444
critical
 9.1
9.1
2020-01-27 CVE-2020-7238 HTTP Request Smuggling vulnerability in multiple products
Netty 4.1.43.Final allows HTTP Request Smuggling because it mishandles Transfer-Encoding whitespace (such as a [space]Transfer-Encoding:chunked line) and a later Content-Length header.
network
low complexity
netty fedoraproject debian redhat CWE-444
7.5
7.5
2019-09-26 CVE-2019-16869 HTTP Request Smuggling vulnerability in multiple products
Netty before 4.1.42.Final mishandles whitespace before the colon in HTTP headers (such as a "Transfer-Encoding : chunked" line), which leads to HTTP request smuggling.
network
low complexity
netty debian canonical redhat CWE-444
7.5
7.5
2017-10-18 CVE-2015-2156 Improper Input Validation vulnerability in multiple products
Netty before 3.9.8.Final, 3.10.x before 3.10.3.Final, 4.0.x before 4.0.28.Final, and 4.1.x before 4.1.0.Beta5 and Play Framework 2.x before 2.3.9 might allow remote attackers to bypass the httpOnly flag on cookies and obtain sensitive information by leveraging improper validation of cookie name and value characters.
network
low complexity
netty playframework lightbend CWE-20
7.5
7.5
2017-04-13 CVE-2016-4970 Infinite Loop vulnerability in multiple products
handler/ssl/OpenSslEngine.java in Netty 4.0.x before 4.0.37.Final and 4.1.x before 4.1.1.Final allows remote attackers to cause a denial of service (infinite loop).
network
low complexity
netty redhat apache CWE-835
7.5
7.5
2014-07-31 CVE-2014-3488 Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Netty
The SslHandler in Netty before 3.9.2 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted SSLv2Hello message.
network
low complexity
netty CWE-119
5.0
5.0