Bump Netty version to mitigate CVE-2020-11612
As per https://nvd.nist.gov/vuln/detail/CVE-2020-11612, there is a known vulnerability with the current Netty version used by ktor - 4.1.44.Final.
I’ll raise a PR to bump to 4.1.48.Final
Issue Analytics
- Created 3 years ago
- Reactions: 2
- Comments: 5 (1 by maintainers)
Top Results From Across the Web
- CVE-2020-11612: "The ZlibDecoders in Netty 4.1.x before 4.1.46 allow for unbounded memory allocation while decoding a ZlibEncoded byte stream."
- upgrade netty to address CVE-2020-11612: "The owasp checker is failing with the following. I looked and seems like a DOS attack vector 'The ZlibDecoders in Netty 4.1.x before...'"
- HTTP Request Smuggling Vulnerability in the Netty ...: "This issue has not yet been fixed in a released version of the library. Moreover, there are no known mitigation steps."
Top GitHub Comments
Is this CVE not relevant when using ktor or am I missing something? It strikes me as a bit odd to leave a fix for a ‘score critical’ CVE lying around for a month if it can easily be solved by bumping a version?
There is a workaround whilst my PR remains outstanding - you can force the resolution yourself in your build.gradle:
Not ideal to have to maintain that, of course, but it will at least patch the CVE in your application and make the OWASP check go green if you’ve automated it someplace 😄
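The comment above describes forcing the Netty resolution in build.gradle but the snippet itself is not on this page. The following is an added example written for this page, not the commenter's snippet and not part of the ktor project. It assumes a Gradle build using the Groovy DSL; the group id io.netty is the standard Netty Maven group, and the version 4.1.48.Final is the one named in the issue. Pinning the whole group (rather than one artifact) matters because ktor pulls in several Netty modules transitively, and a single mismatched module would leave the vulnerable ZlibDecoder on the classpath.

```groovy
// build.gradle (Groovy DSL) -- added illustration, not the commenter's snippet.
// Overrides every transitive io.netty dependency that ktor brings in so that
// all Netty modules resolve to the patched 4.1.48.Final release named in the
// issue. Only the group id and version come from the thread; the surrounding
// build file is assumed.
configurations.all {
    resolutionStrategy.eachDependency { DependencyResolveDetails details ->
        if (details.requested.group == 'io.netty') {
            details.useVersion '4.1.48.Final'
            details.because 'CVE-2020-11612: unbounded allocation in ZlibDecoder, fixed in Netty 4.1.46'
        }
    }
}
```

Verify the override took effect with `./gradlew dependencyInsight --dependency io.netty --configuration runtimeClasspath`, which lists each Netty module, the version it resolved to and the reason recorded above. The override is safe here because 4.1.44 and 4.1.48 sit on the same 4.1.x line; it should be removed again once ktor ships a release that depends on a fixed Netty, otherwise the pin will silently hold back future Netty updates.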