[Snyk:Medium] Flyway io.netty:netty-codec-http Allocation of Resources Without Limits or Throttling (due on 05/27/2024) #5776
Labels
Needs refinement
Security: general (General security concern or issue)
Security: moderate (Remediate within 60 days)
io.netty:netty-codec-http Allocation of Resources Without Limits or Throttling
VULNERABILITY
CWE-770
CVE-2024-29025
CVSS 5.3 MEDIUM
SNYK-JAVA-IONETTY-6483812
Introduced through
org.flywaydb:[email protected]
Fixed in
io.netty:[email protected]
Exploit maturity
PROOF OF CONCEPT
Detailed paths
Introduced through: unknown:[email protected] › org.flywaydb:[email protected] › software.amazon.awssdk:[email protected] › software.amazon.awssdk:[email protected] › io.netty:[email protected]
Introduced through: unknown:[email protected] › org.flywaydb:[email protected] › software.amazon.awssdk:[email protected] › software.amazon.awssdk:[email protected] › io.netty:[email protected] › io.netty:[email protected]
Security information
Factors contributing to the scoring:
Snyk: CVSS 5.3 - Medium Severity
NVD: Not available. NVD has not yet published its analysis.
Overview
io.netty:netty-codec-http is a network application framework for rapid development of maintainable high-performance protocol servers & clients.
Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to the accumulation of data in the HttpPostRequestDecoder. The decoder accumulates bytes in the undecodedChunk buffer until it can decode a field, so data can accumulate without limit.
An attacker can cause a denial of service by sending a chunked POST consisting of many small fields, which are accumulated in the bodyListHttpData list.
Completion Criteria