Vulnerabilities

 9 via 55 paths

Dependencies

 217

Source

 GitHub

Commit

 6c6e57b2

Find, fix and prevent vulnerabilities in your code.

Test and protect my applications
Issue type
  • 9
  • 6
Severity
  • 7
  • 7
  • 1
Status
  • 15
  • 0
  • 0

high severity

Uncontrolled Recursion

  • Vulnerable module: org.apache.commons:commons-lang3
  • Introduced through: org.flywaydb:flyway-commandline@11.20.0

Detailed paths

  • Introduced through: fecgov/openfec@fecgov/openfec#6c6e57b27a0f3b8b03ad22888f93c1dba3f01e2d org.flywaydb:flyway-commandline@11.20.0 com.ing.data:cassandra-jdbc-wrapper@4.13.0 org.apache.commons:commons-lang3@3.15.0
  • Introduced through: fecgov/openfec@fecgov/openfec#6c6e57b27a0f3b8b03ad22888f93c1dba3f01e2d org.flywaydb:flyway-commandline@11.20.0 org.apache.commons:commons-text@1.10.0 org.apache.commons:commons-lang3@3.15.0

Overview

Affected versions of this package are vulnerable to Uncontrolled Recursion via the ClassUtils.getClass function. An attacker can cause the application to terminate unexpectedly by providing excessively long input values.

Remediation

Upgrade org.apache.commons:commons-lang3 to version 3.18.0 or higher.

References

Uncontrolled Recursion vulnerability report

high severity

HTTP Request Smuggling

  • Vulnerable module: io.netty:netty-codec-http
  • Introduced through: software.amazon.awssdk:netty-nio-client@2.32.22 and org.flywaydb:flyway-commandline@11.20.0

Detailed paths

  • Introduced through: fecgov/openfec@fecgov/openfec#6c6e57b27a0f3b8b03ad22888f93c1dba3f01e2d software.amazon.awssdk:netty-nio-client@2.32.22 io.netty:netty-codec-http@4.1.118.Final
    Remediation: Upgrade to software.amazon.awssdk:netty-nio-client@2.33.13.
  • Introduced through: fecgov/openfec@fecgov/openfec#6c6e57b27a0f3b8b03ad22888f93c1dba3f01e2d software.amazon.awssdk:netty-nio-client@2.32.22 io.netty:netty-codec-http2@4.1.118.Final io.netty:netty-codec-http@4.1.118.Final
    Remediation: Upgrade to software.amazon.awssdk:netty-nio-client@2.33.13.
  • Introduced through: fecgov/openfec@fecgov/openfec#6c6e57b27a0f3b8b03ad22888f93c1dba3f01e2d org.flywaydb:flyway-commandline@11.20.0 com.azure:azure-identity@1.15.4 com.azure:azure-core-http-netty@1.15.11 io.netty:netty-codec-http@4.1.118.Final
  • Introduced through: fecgov/openfec@fecgov/openfec#6c6e57b27a0f3b8b03ad22888f93c1dba3f01e2d org.flywaydb:flyway-commandline@11.20.0 com.azure:azure-identity@1.15.4 com.azure:azure-core-http-netty@1.15.11 io.netty:netty-codec-http2@4.1.118.Final io.netty:netty-codec-http@4.1.118.Final
  • Introduced through: fecgov/openfec@fecgov/openfec#6c6e57b27a0f3b8b03ad22888f93c1dba3f01e2d org.flywaydb:flyway-commandline@11.20.0 com.azure:azure-identity@1.15.4 com.azure:azure-core-http-netty@1.15.11 io.netty:netty-handler-proxy@4.1.118.Final io.netty:netty-codec-http@4.1.118.Final
  • Introduced through: fecgov/openfec@fecgov/openfec#6c6e57b27a0f3b8b03ad22888f93c1dba3f01e2d org.flywaydb:flyway-commandline@11.20.0 com.azure:azure-identity@1.15.4 com.azure:azure-core-http-netty@1.15.11 io.projectreactor.netty:reactor-netty-http@1.0.48 io.netty:netty-codec-http@4.1.118.Final
  • Introduced through: fecgov/openfec@fecgov/openfec#6c6e57b27a0f3b8b03ad22888f93c1dba3f01e2d org.flywaydb:flyway-commandline@11.20.0 com.azure:azure-identity@1.15.4 com.azure:azure-core-http-netty@1.15.11 io.projectreactor.netty:reactor-netty-http@1.0.48 io.netty:netty-codec-http2@4.1.118.Final io.netty:netty-codec-http@4.1.118.Final
  • Introduced through: fecgov/openfec@fecgov/openfec#6c6e57b27a0f3b8b03ad22888f93c1dba3f01e2d org.flywaydb:flyway-commandline@11.20.0 com.azure:azure-identity@1.15.4 com.azure:azure-core-http-netty@1.15.11 io.projectreactor.netty:reactor-netty-http@1.0.48 io.projectreactor.netty:reactor-netty-core@1.0.48 io.netty:netty-handler-proxy@4.1.118.Final io.netty:netty-codec-http@4.1.118.Final

Overview

io.netty:netty-codec-http is a network application framework for rapid development of maintainable high performance protocol servers & clients.

Affected versions of this package are vulnerable to HTTP Request Smuggling via the parsing of chunk extensions in HTTP/1.1 messages with chunked encoding. An attacker can bypass HTTP request boundaries by sending specially crafted HTTP requests that exploit differences in how standalone newline characters are parsed between reverse proxies and the backend, potentially allowing them to smuggle additional requests.

Remediation

Upgrade io.netty:netty-codec-http to version 4.1.125.Final, 4.2.5.Final or higher.

References

HTTP Request Smuggling vulnerability report

high severity

Improper Handling of Highly Compressed Data (Data Amplification)

  • Vulnerable module: io.netty:netty-codec-http
  • Introduced through: software.amazon.awssdk:netty-nio-client@2.32.22 and org.flywaydb:flyway-commandline@11.20.0

Detailed paths

  • Introduced through: fecgov/openfec@fecgov/openfec#6c6e57b27a0f3b8b03ad22888f93c1dba3f01e2d software.amazon.awssdk:netty-nio-client@2.32.22 io.netty:netty-codec-http@4.1.118.Final
    Remediation: Upgrade to software.amazon.awssdk:netty-nio-client@2.33.13.
  • Introduced through: fecgov/openfec@fecgov/openfec#6c6e57b27a0f3b8b03ad22888f93c1dba3f01e2d software.amazon.awssdk:netty-nio-client@2.32.22 io.netty:netty-codec-http2@4.1.118.Final io.netty:netty-codec-http@4.1.118.Final
    Remediation: Upgrade to software.amazon.awssdk:netty-nio-client@2.33.13.
  • Introduced through: fecgov/openfec@fecgov/openfec#6c6e57b27a0f3b8b03ad22888f93c1dba3f01e2d org.flywaydb:flyway-commandline@11.20.0 com.azure:azure-identity@1.15.4 com.azure:azure-core-http-netty@1.15.11 io.netty:netty-codec-http@4.1.118.Final
  • Introduced through: fecgov/openfec@fecgov/openfec#6c6e57b27a0f3b8b03ad22888f93c1dba3f01e2d org.flywaydb:flyway-commandline@11.20.0 com.azure:azure-identity@1.15.4 com.azure:azure-core-http-netty@1.15.11 io.netty:netty-codec-http2@4.1.118.Final io.netty:netty-codec-http@4.1.118.Final
  • Introduced through: fecgov/openfec@fecgov/openfec#6c6e57b27a0f3b8b03ad22888f93c1dba3f01e2d org.flywaydb:flyway-commandline@11.20.0 com.azure:azure-identity@1.15.4 com.azure:azure-core-http-netty@1.15.11 io.netty:netty-handler-proxy@4.1.118.Final io.netty:netty-codec-http@4.1.118.Final
  • Introduced through: fecgov/openfec@fecgov/openfec#6c6e57b27a0f3b8b03ad22888f93c1dba3f01e2d org.flywaydb:flyway-commandline@11.20.0 com.azure:azure-identity@1.15.4 com.azure:azure-core-http-netty@1.15.11 io.projectreactor.netty:reactor-netty-http@1.0.48 io.netty:netty-codec-http@4.1.118.Final
  • Introduced through: fecgov/openfec@fecgov/openfec#6c6e57b27a0f3b8b03ad22888f93c1dba3f01e2d org.flywaydb:flyway-commandline@11.20.0 com.azure:azure-identity@1.15.4 com.azure:azure-core-http-netty@1.15.11 io.projectreactor.netty:reactor-netty-http@1.0.48 io.netty:netty-codec-http2@4.1.118.Final io.netty:netty-codec-http@4.1.118.Final
  • Introduced through: fecgov/openfec@fecgov/openfec#6c6e57b27a0f3b8b03ad22888f93c1dba3f01e2d org.flywaydb:flyway-commandline@11.20.0 com.azure:azure-identity@1.15.4 com.azure:azure-core-http-netty@1.15.11 io.projectreactor.netty:reactor-netty-http@1.0.48 io.projectreactor.netty:reactor-netty-core@1.0.48 io.netty:netty-handler-proxy@4.1.118.Final io.netty:netty-codec-http@4.1.118.Final

Overview

io.netty:netty-codec-http is a network application framework for rapid development of maintainable high performance protocol servers & clients.

Affected versions of this package are vulnerable to Improper Handling of Highly Compressed Data (Data Amplification) via the BrotliDecoder.decompress function, which has no limit on how often it calls pull, decompressing data 64K bytes at a time. An attacker can exhaust system memory and cause application downtime by submitting specially crafted compressed input that triggers excessive buffer allocations.

PoC

import io.netty.buffer.Unpooled;
import io.netty.channel.embedded.EmbeddedChannel;

import java.util.Base64;

public class T {
    public static void main(String[] args) {
        EmbeddedChannel channel = new EmbeddedChannel(new BrotliDecoder());
        channel.writeInbound(Unpooled.wrappedBuffer(Base64.getDecoder().decode("aPpxD1tETigSAGj6cQ8vRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROMBIAEgIaHwBETlQQVFcXlgA=")));
    }
}

Remediation

Upgrade io.netty:netty-codec-http to version 4.1.125.Final or higher.

References

Improper Handling of Highly Compressed Data (Data Amplification) vulnerability report

high severity

Allocation of Resources Without Limits or Throttling

  • Vulnerable module: io.netty:netty-codec-http2
  • Introduced through: software.amazon.awssdk:netty-nio-client@2.32.22 and org.flywaydb:flyway-commandline@11.20.0

Detailed paths

  • Introduced through: fecgov/openfec@fecgov/openfec#6c6e57b27a0f3b8b03ad22888f93c1dba3f01e2d software.amazon.awssdk:netty-nio-client@2.32.22 io.netty:netty-codec-http2@4.1.118.Final
    Remediation: Upgrade to software.amazon.awssdk:netty-nio-client@2.32.33.
  • Introduced through: fecgov/openfec@fecgov/openfec#6c6e57b27a0f3b8b03ad22888f93c1dba3f01e2d org.flywaydb:flyway-commandline@11.20.0 com.azure:azure-identity@1.15.4 com.azure:azure-core-http-netty@1.15.11 io.netty:netty-codec-http2@4.1.118.Final
  • Introduced through: fecgov/openfec@fecgov/openfec#6c6e57b27a0f3b8b03ad22888f93c1dba3f01e2d org.flywaydb:flyway-commandline@11.20.0 com.azure:azure-identity@1.15.4 com.azure:azure-core-http-netty@1.15.11 io.projectreactor.netty:reactor-netty-http@1.0.48 io.netty:netty-codec-http2@4.1.118.Final

Overview

io.netty:netty-codec-http2 is a HTTP2 sub package for the netty library, an event-driven asynchronous network application framework.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling through the improper handling of concurrently active streams per connection. An attacker can cause resource exhaustion and disrupt service availability by rapidly sending crafted frames, such as WINDOW_UPDATE, HEADERS, or PRIORITY, that manipulate the server's stream reset logic, leading to unbounded concurrent stream processing.

Remediation

Upgrade io.netty:netty-codec-http2 to version 4.1.124.Final, 4.2.4.Final or higher.

References

Allocation of Resources Without Limits or Throttling vulnerability report

high severity

Improper Handling of Highly Compressed Data (Data Amplification)

  • Vulnerable module: io.netty:netty-codec-http2
  • Introduced through: software.amazon.awssdk:netty-nio-client@2.32.22 and org.flywaydb:flyway-commandline@11.20.0

Detailed paths

  • Introduced through: fecgov/openfec@fecgov/openfec#6c6e57b27a0f3b8b03ad22888f93c1dba3f01e2d software.amazon.awssdk:netty-nio-client@2.32.22 io.netty:netty-codec-http2@4.1.118.Final
    Remediation: Upgrade to software.amazon.awssdk:netty-nio-client@2.33.13.
  • Introduced through: fecgov/openfec@fecgov/openfec#6c6e57b27a0f3b8b03ad22888f93c1dba3f01e2d org.flywaydb:flyway-commandline@11.20.0 com.azure:azure-identity@1.15.4 com.azure:azure-core-http-netty@1.15.11 io.netty:netty-codec-http2@4.1.118.Final
  • Introduced through: fecgov/openfec@fecgov/openfec#6c6e57b27a0f3b8b03ad22888f93c1dba3f01e2d org.flywaydb:flyway-commandline@11.20.0 com.azure:azure-identity@1.15.4 com.azure:azure-core-http-netty@1.15.11 io.projectreactor.netty:reactor-netty-http@1.0.48 io.netty:netty-codec-http2@4.1.118.Final

Overview

io.netty:netty-codec-http2 is a HTTP2 sub package for the netty library, an event-driven asynchronous network application framework.

Affected versions of this package are vulnerable to Improper Handling of Highly Compressed Data (Data Amplification) via the BrotliDecoder.decompress function, which has no limit on how often it calls pull, decompressing data 64K bytes at a time. An attacker can exhaust system memory and cause application downtime by submitting specially crafted compressed input that triggers excessive buffer allocations.

PoC

import io.netty.buffer.Unpooled;
import io.netty.channel.embedded.EmbeddedChannel;

import java.util.Base64;

public class T {
    public static void main(String[] args) {
        EmbeddedChannel channel = new EmbeddedChannel(new BrotliDecoder());
        channel.writeInbound(Unpooled.wrappedBuffer(Base64.getDecoder().decode("aPpxD1tETigSAGj6cQ8vRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROMBIAEgIaHwBETlQQVFcXlgA=")));
    }
}

Remediation

Upgrade io.netty:netty-codec-http2 to version 4.1.125.Final or higher.

References

Improper Handling of Highly Compressed Data (Data Amplification) vulnerability report

high severity

Improper Validation of Specified Quantity in Input

  • Vulnerable module: io.netty:netty-handler
  • Introduced through: software.amazon.awssdk:netty-nio-client@2.32.22 and org.flywaydb:flyway-commandline@11.20.0

Detailed paths

  • Introduced through: fecgov/openfec@fecgov/openfec#6c6e57b27a0f3b8b03ad22888f93c1dba3f01e2d software.amazon.awssdk:netty-nio-client@2.32.22 io.netty:netty-handler@4.1.94.Final
    Remediation: Upgrade to software.amazon.awssdk:netty-nio-client@2.32.33.
  • Introduced through: fecgov/openfec@fecgov/openfec#6c6e57b27a0f3b8b03ad22888f93c1dba3f01e2d software.amazon.awssdk:netty-nio-client@2.32.22 io.netty:netty-codec-http@4.1.118.Final io.netty:netty-handler@4.1.94.Final
  • Introduced through: fecgov/openfec@fecgov/openfec#6c6e57b27a0f3b8b03ad22888f93c1dba3f01e2d software.amazon.awssdk:netty-nio-client@2.32.22 io.netty:netty-codec-http2@4.1.118.Final io.netty:netty-handler@4.1.94.Final
  • Introduced through: fecgov/openfec@fecgov/openfec#6c6e57b27a0f3b8b03ad22888f93c1dba3f01e2d org.flywaydb:flyway-commandline@11.20.0 com.azure:azure-identity@1.15.4 com.azure:azure-core-http-netty@1.15.11 io.netty:netty-handler@4.1.94.Final
    Remediation: Upgrade to org.flywaydb:flyway-commandline@11.20.0.
  • Introduced through: fecgov/openfec@fecgov/openfec#6c6e57b27a0f3b8b03ad22888f93c1dba3f01e2d org.flywaydb:flyway-commandline@11.20.0 com.ing.data:cassandra-jdbc-wrapper@4.13.0 org.apache.cassandra:java-driver-core@4.18.1 io.netty:netty-handler@4.1.94.Final
  • Introduced through: fecgov/openfec@fecgov/openfec#6c6e57b27a0f3b8b03ad22888f93c1dba3f01e2d software.amazon.awssdk:netty-nio-client@2.32.22 io.netty:netty-codec-http2@4.1.118.Final io.netty:netty-codec-http@4.1.118.Final io.netty:netty-handler@4.1.94.Final
  • Introduced through: fecgov/openfec@fecgov/openfec#6c6e57b27a0f3b8b03ad22888f93c1dba3f01e2d org.flywaydb:flyway-commandline@11.20.0 com.azure:azure-identity@1.15.4 com.azure:azure-core-http-netty@1.15.11 io.netty:netty-codec-http@4.1.118.Final io.netty:netty-handler@4.1.94.Final
    Remediation: Upgrade to org.flywaydb:flyway-commandline@11.20.0.
  • Introduced through: fecgov/openfec@fecgov/openfec#6c6e57b27a0f3b8b03ad22888f93c1dba3f01e2d org.flywaydb:flyway-commandline@11.20.0 com.azure:azure-identity@1.15.4 com.azure:azure-core-http-netty@1.15.11 io.netty:netty-codec-http2@4.1.118.Final io.netty:netty-handler@4.1.94.Final
    Remediation: Upgrade to org.flywaydb:flyway-commandline@11.20.0.
  • Introduced through: fecgov/openfec@fecgov/openfec#6c6e57b27a0f3b8b03ad22888f93c1dba3f01e2d org.flywaydb:flyway-commandline@11.20.0 com.azure:azure-identity@1.15.4 com.azure:azure-core-http-netty@1.15.11 io.netty:netty-codec-http2@4.1.118.Final io.netty:netty-codec-http@4.1.118.Final io.netty:netty-handler@4.1.94.Final
    Remediation: Upgrade to org.flywaydb:flyway-commandline@11.20.0.
  • Introduced through: fecgov/openfec@fecgov/openfec#6c6e57b27a0f3b8b03ad22888f93c1dba3f01e2d org.flywaydb:flyway-commandline@11.20.0 com.azure:azure-identity@1.15.4 com.azure:azure-core-http-netty@1.15.11 io.netty:netty-handler-proxy@4.1.118.Final io.netty:netty-codec-http@4.1.118.Final io.netty:netty-handler@4.1.94.Final
    Remediation: Upgrade to org.flywaydb:flyway-commandline@11.20.0.
  • Introduced through: fecgov/openfec@fecgov/openfec#6c6e57b27a0f3b8b03ad22888f93c1dba3f01e2d org.flywaydb:flyway-commandline@11.20.0 com.azure:azure-identity@1.15.4 com.azure:azure-core-http-netty@1.15.11 io.projectreactor.netty:reactor-netty-http@1.0.48 io.netty:netty-codec-http@4.1.118.Final io.netty:netty-handler@4.1.94.Final
  • Introduced through: fecgov/openfec@fecgov/openfec#6c6e57b27a0f3b8b03ad22888f93c1dba3f01e2d org.flywaydb:flyway-commandline@11.20.0 com.azure:azure-identity@1.15.4 com.azure:azure-core-http-netty@1.15.11 io.projectreactor.netty:reactor-netty-http@1.0.48 io.netty:netty-codec-http2@4.1.118.Final io.netty:netty-handler@4.1.94.Final
  • Introduced through: fecgov/openfec@fecgov/openfec#6c6e57b27a0f3b8b03ad22888f93c1dba3f01e2d org.flywaydb:flyway-commandline@11.20.0 com.azure:azure-identity@1.15.4 com.azure:azure-core-http-netty@1.15.11 io.projectreactor.netty:reactor-netty-http@1.0.48 io.netty:netty-resolver-dns@4.1.112.Final io.netty:netty-handler@4.1.94.Final
  • Introduced through: fecgov/openfec@fecgov/openfec#6c6e57b27a0f3b8b03ad22888f93c1dba3f01e2d org.flywaydb:flyway-commandline@11.20.0 com.azure:azure-identity@1.15.4 com.azure:azure-core-http-netty@1.15.11 io.projectreactor.netty:reactor-netty-http@1.0.48 io.projectreactor.netty:reactor-netty-core@1.0.48 io.netty:netty-handler@4.1.94.Final
  • Introduced through: fecgov/openfec@fecgov/openfec#6c6e57b27a0f3b8b03ad22888f93c1dba3f01e2d org.flywaydb:flyway-commandline@11.20.0 com.azure:azure-identity@1.15.4 com.azure:azure-core-http-netty@1.15.11 io.projectreactor.netty:reactor-netty-http@1.0.48 io.netty:netty-codec-http2@4.1.118.Final io.netty:netty-codec-http@4.1.118.Final io.netty:netty-handler@4.1.94.Final
  • Introduced through: fecgov/openfec@fecgov/openfec#6c6e57b27a0f3b8b03ad22888f93c1dba3f01e2d org.flywaydb:flyway-commandline@11.20.0 com.azure:azure-identity@1.15.4 com.azure:azure-core-http-netty@1.15.11 io.projectreactor.netty:reactor-netty-http@1.0.48 io.projectreactor.netty:reactor-netty-core@1.0.48 io.netty:netty-resolver-dns@4.1.112.Final io.netty:netty-handler@4.1.94.Final
  • Introduced through: fecgov/openfec@fecgov/openfec#6c6e57b27a0f3b8b03ad22888f93c1dba3f01e2d org.flywaydb:flyway-commandline@11.20.0 com.azure:azure-identity@1.15.4 com.azure:azure-core-http-netty@1.15.11 io.projectreactor.netty:reactor-netty-http@1.0.48 io.projectreactor.netty:reactor-netty-core@1.0.48 io.netty:netty-handler-proxy@4.1.118.Final io.netty:netty-codec-http@4.1.118.Final io.netty:netty-handler@4.1.94.Final
  • Introduced through: fecgov/openfec@fecgov/openfec#6c6e57b27a0f3b8b03ad22888f93c1dba3f01e2d org.flywaydb:flyway-commandline@11.20.0 com.azure:azure-identity@1.15.4 com.azure:azure-core-http-netty@1.15.11 io.projectreactor.netty:reactor-netty-http@1.0.48 io.netty:netty-resolver-dns-native-macos@4.1.112.Final io.netty:netty-resolver-dns-classes-macos@4.1.112.Final io.netty:netty-resolver-dns@4.1.112.Final io.netty:netty-handler@4.1.94.Final
  • Introduced through: fecgov/openfec@fecgov/openfec#6c6e57b27a0f3b8b03ad22888f93c1dba3f01e2d org.flywaydb:flyway-commandline@11.20.0 com.azure:azure-identity@1.15.4 com.azure:azure-core-http-netty@1.15.11 io.projectreactor.netty:reactor-netty-http@1.0.48 io.projectreactor.netty:reactor-netty-core@1.0.48 io.netty:netty-resolver-dns-native-macos@4.1.112.Final io.netty:netty-resolver-dns-classes-macos@4.1.112.Final io.netty:netty-resolver-dns@4.1.112.Final io.netty:netty-handler@4.1.94.Final

Overview

io.netty:netty-handler is a library that provides an asynchronous event-driven network application framework and tools for rapid development of maintainable high performance and high scalability protocol servers and clients. In other words, Netty is a NIO client server framework which enables quick and easy development of network applications such as protocol servers and clients. It greatly simplifies and streamlines network programming such as TCP and UDP socket server.

Affected versions of this package are vulnerable to Improper Validation of Specified Quantity in Input when validating SSL packets using the native SSLEngine. The SSL_RECORD_HEADER_LENGTH of an incoming packet is not properly checked in the getEncryptedPacketLength() function, allowing attackers to trigger a crash by sending malicious packets.

Workaround

This vulnerability can be avoided by not using the native SSLEngine.

Remediation

Upgrade io.netty:netty-handler to version 4.1.118.Final, 4.2.0.RC3 or higher.

References

Improper Validation of Specified Quantity in Input vulnerability report

high severity

Multiple licenses: EPL-1.0, GPL-2.0, LGPL-2.1

  • Module: com.github.jnr:jnr-posix
  • Introduced through: org.flywaydb:flyway-commandline@11.20.0

Detailed paths

  • Introduced through: fecgov/openfec@fecgov/openfec#6c6e57b27a0f3b8b03ad22888f93c1dba3f01e2d org.flywaydb:flyway-commandline@11.20.0 com.ing.data:cassandra-jdbc-wrapper@4.13.0 org.apache.cassandra:java-driver-core@4.18.1 com.github.jnr:jnr-posix@3.1.15

Multiple licenses: EPL-1.0, GPL-2.0, LGPL-2.1

Multiple licenses: EPL-1.0, GPL-2.0, LGPL-2.1 vulnerability report

medium severity

Uncontrolled Recursion

  • Vulnerable module: com.nimbusds:nimbus-jose-jwt
  • Introduced through: org.flywaydb:flyway-commandline@11.20.0

Detailed paths

  • Introduced through: fecgov/openfec@fecgov/openfec#6c6e57b27a0f3b8b03ad22888f93c1dba3f01e2d org.flywaydb:flyway-commandline@11.20.0 com.microsoft.azure:msal4j@1.20.0 com.nimbusds:oauth2-oidc-sdk@11.23 com.nimbusds:nimbus-jose-jwt@10.0.1
  • Introduced through: fecgov/openfec@fecgov/openfec#6c6e57b27a0f3b8b03ad22888f93c1dba3f01e2d org.flywaydb:flyway-commandline@11.20.0 com.azure:azure-identity@1.15.4 com.microsoft.azure:msal4j@1.20.0 com.nimbusds:oauth2-oidc-sdk@11.23 com.nimbusds:nimbus-jose-jwt@10.0.1
  • Introduced through: fecgov/openfec@fecgov/openfec#6c6e57b27a0f3b8b03ad22888f93c1dba3f01e2d org.flywaydb:flyway-commandline@11.20.0 com.azure:azure-identity@1.15.4 com.microsoft.azure:msal4j-persistence-extension@1.3.0 com.microsoft.azure:msal4j@1.20.0 com.nimbusds:oauth2-oidc-sdk@11.23 com.nimbusds:nimbus-jose-jwt@10.0.1

Overview

com.nimbusds:nimbus-jose-jwt is a library for JSON Web Tokens (JWT)

Affected versions of this package are vulnerable to Uncontrolled Recursion due to the improper handling JWT claim sets containing deeply nested JSON objects. An attacker can cause application downtime or resource exhaustion by submitting a specially crafted JWT with excessive nesting.

Note:

This issue only affects nimbus-jose-jwt, not Gson because the Connect2id product could have checked the JSON object nesting depth, regardless of what limits (if any) were imposed by Gson.

PoC

import com.nimbusds.jwt.JWTClaimsSet;
import java.text.ParseException;
import java.util.HashMap;
import java.util.Map;

public class Test {
    // This builds a claimset with a deeply nested map, which could theoretically be supplied by a client.
    // If the JWT is serialized into JSON (for example, in logging or debugging), it can cause a StackOverflowError.
    public static void main(String[] args) throws ParseException {        
        Map<String, Object> nestedMap = new HashMap<>();
        Map<String, Object> currentLevel = nestedMap;

        for (int i = 0; i < 5000; i++) {
            Map<String, Object> nextLevel = new HashMap<>();
            currentLevel.put("", nextLevel);
            currentLevel = nextLevel;
        }

        JWTClaimsSet claimSet = JWTClaimsSet.parse(nestedMap);

        // This will cause a StackOverflowError due to excessive recursion in GSON's serialization
        claimSet.toString();
    }
}

Remediation

Upgrade com.nimbusds:nimbus-jose-jwt to version 9.37.4, 10.0.2 or higher.

References

Uncontrolled Recursion vulnerability report

medium severity

CRLF Injection

  • Vulnerable module: io.netty:netty-codec-http
  • Introduced through: software.amazon.awssdk:netty-nio-client@2.32.22 and org.flywaydb:flyway-commandline@11.20.0

Detailed paths

  • Introduced through: fecgov/openfec@fecgov/openfec#6c6e57b27a0f3b8b03ad22888f93c1dba3f01e2d software.amazon.awssdk:netty-nio-client@2.32.22 io.netty:netty-codec-http@4.1.118.Final
    Remediation: Upgrade to software.amazon.awssdk:netty-nio-client@2.40.17.
  • Introduced through: fecgov/openfec@fecgov/openfec#6c6e57b27a0f3b8b03ad22888f93c1dba3f01e2d software.amazon.awssdk:netty-nio-client@2.32.22 io.netty:netty-codec-http2@4.1.118.Final io.netty:netty-codec-http@4.1.118.Final
    Remediation: Upgrade to software.amazon.awssdk:netty-nio-client@2.40.17.
  • Introduced through: fecgov/openfec@fecgov/openfec#6c6e57b27a0f3b8b03ad22888f93c1dba3f01e2d org.flywaydb:flyway-commandline@11.20.0 com.azure:azure-identity@1.15.4 com.azure:azure-core-http-netty@1.15.11 io.netty:netty-codec-http@4.1.118.Final
  • Introduced through: fecgov/openfec@fecgov/openfec#6c6e57b27a0f3b8b03ad22888f93c1dba3f01e2d org.flywaydb:flyway-commandline@11.20.0 com.azure:azure-identity@1.15.4 com.azure:azure-core-http-netty@1.15.11 io.netty:netty-codec-http2@4.1.118.Final io.netty:netty-codec-http@4.1.118.Final
  • Introduced through: fecgov/openfec@fecgov/openfec#6c6e57b27a0f3b8b03ad22888f93c1dba3f01e2d org.flywaydb:flyway-commandline@11.20.0 com.azure:azure-identity@1.15.4 com.azure:azure-core-http-netty@1.15.11 io.netty:netty-handler-proxy@4.1.118.Final io.netty:netty-codec-http@4.1.118.Final
  • Introduced through: fecgov/openfec@fecgov/openfec#6c6e57b27a0f3b8b03ad22888f93c1dba3f01e2d org.flywaydb:flyway-commandline@11.20.0 com.azure:azure-identity@1.15.4 com.azure:azure-core-http-netty@1.15.11 io.projectreactor.netty:reactor-netty-http@1.0.48 io.netty:netty-codec-http@4.1.118.Final
  • Introduced through: fecgov/openfec@fecgov/openfec#6c6e57b27a0f3b8b03ad22888f93c1dba3f01e2d org.flywaydb:flyway-commandline@11.20.0 com.azure:azure-identity@1.15.4 com.azure:azure-core-http-netty@1.15.11 io.projectreactor.netty:reactor-netty-http@1.0.48 io.netty:netty-codec-http2@4.1.118.Final io.netty:netty-codec-http@4.1.118.Final
  • Introduced through: fecgov/openfec@fecgov/openfec#6c6e57b27a0f3b8b03ad22888f93c1dba3f01e2d org.flywaydb:flyway-commandline@11.20.0 com.azure:azure-identity@1.15.4 com.azure:azure-core-http-netty@1.15.11 io.projectreactor.netty:reactor-netty-http@1.0.48 io.projectreactor.netty:reactor-netty-core@1.0.48 io.netty:netty-handler-proxy@4.1.118.Final io.netty:netty-codec-http@4.1.118.Final

Overview

io.netty:netty-codec-http is a network application framework for rapid development of maintainable high performance protocol servers & clients.

Affected versions of this package are vulnerable to CRLF Injection in HttpRequestEncoder, due to improper sanitization of a URI with line-breaks in the DefaultHttpRequest class. An attacker can manipulate HTTP requests to cause parser desynchronization, request smuggling, and response splitting by including line break characters in requests.

PoC


public static void main(String[] args) {

  EmbeddedChannel client = new EmbeddedChannel();
  client.pipeline().addLast(new HttpClientCodec());

  EmbeddedChannel server = new EmbeddedChannel();
  server.pipeline().addLast(new HttpServerCodec());
  server.pipeline().addLast(new ChannelInboundHandlerAdapter() {
    @Override
    public void channelRead(ChannelHandlerContext ctx, Object msg) throws Exception {
      System.out.println("Processing msg " + msg);
    }
  });

  DefaultHttpRequest request = new DefaultHttpRequest(
    HttpVersion.HTTP_1_1,
    HttpMethod.GET,
    "/s1 HTTP/1.1\r\n" +
      "\r\n" +
      "POST /s2 HTTP/1.1\r\n" +
      "content-length: 11\r\n\r\n" +
      "Hello World" +
      "GET /s1"
  );
  client.writeAndFlush(request);
  ByteBuf tmp;
  while ((tmp = client.readOutbound()) != null) {
    server.writeInbound(tmp);
  }
}

Remediation

Upgrade io.netty:netty-codec-http to version 4.1.129.Final, 4.2.8.Final or higher.

References

CRLF Injection vulnerability report

medium severity

Dual license: EPL-1.0, MPL-2.0

  • Module: com.h2database:h2
  • Introduced through: org.flywaydb:flyway-commandline@11.20.0

Detailed paths

  • Introduced through: fecgov/openfec@fecgov/openfec#6c6e57b27a0f3b8b03ad22888f93c1dba3f01e2d org.flywaydb:flyway-commandline@11.20.0 com.h2database:h2@2.3.232

Dual license: EPL-1.0, MPL-2.0

Dual license: EPL-1.0, MPL-2.0 vulnerability report

medium severity

LGPL-2.1 license

  • Module: com.singlestore:singlestore-jdbc-client
  • Introduced through: org.flywaydb:flyway-commandline@11.20.0

Detailed paths

  • Introduced through: fecgov/openfec@fecgov/openfec#6c6e57b27a0f3b8b03ad22888f93c1dba3f01e2d org.flywaydb:flyway-commandline@11.20.0 com.singlestore:singlestore-jdbc-client@1.2.8
  • Introduced through: fecgov/openfec@fecgov/openfec#6c6e57b27a0f3b8b03ad22888f93c1dba3f01e2d org.flywaydb:flyway-commandline@11.20.0 org.flywaydb:flyway-singlestore@11.20.0 com.singlestore:singlestore-jdbc-client@1.2.8

LGPL-2.1 license

LGPL-2.1 license vulnerability report

medium severity

EPL-1.0 license

  • Module: junit:junit
  • Introduced through: org.flywaydb:flyway-commandline@11.20.0

Detailed paths

  • Introduced through: fecgov/openfec@fecgov/openfec#6c6e57b27a0f3b8b03ad22888f93c1dba3f01e2d org.flywaydb:flyway-commandline@11.20.0 com.google.cloud:google-cloud-storage@2.43.1 com.google.api.grpc:gapic-google-cloud-storage-v2@2.43.1-beta junit:junit@4.13.2

EPL-1.0 license

EPL-1.0 license vulnerability report

medium severity

LGPL-3.0 license

  • Module: net.sourceforge.jtds:jtds
  • Introduced through: org.flywaydb:flyway-commandline@11.20.0

Detailed paths

  • Introduced through: fecgov/openfec@fecgov/openfec#6c6e57b27a0f3b8b03ad22888f93c1dba3f01e2d org.flywaydb:flyway-commandline@11.20.0 net.sourceforge.jtds:jtds@1.3.1

LGPL-3.0 license

LGPL-3.0 license vulnerability report

medium severity

LGPL-2.1 license

  • Module: org.mariadb.jdbc:mariadb-java-client
  • Introduced through: org.flywaydb:flyway-commandline@11.20.0

Detailed paths

  • Introduced through: fecgov/openfec@fecgov/openfec#6c6e57b27a0f3b8b03ad22888f93c1dba3f01e2d org.flywaydb:flyway-commandline@11.20.0 org.mariadb.jdbc:mariadb-java-client@2.7.13

LGPL-2.1 license

LGPL-2.1 license vulnerability report

low severity

Exposure of Sensitive System Information to an Unauthorized Control Sphere

  • Vulnerable module: io.projectreactor.netty:reactor-netty-http
  • Introduced through: org.flywaydb:flyway-commandline@11.20.0

Detailed paths

  • Introduced through: fecgov/openfec@fecgov/openfec#6c6e57b27a0f3b8b03ad22888f93c1dba3f01e2d org.flywaydb:flyway-commandline@11.20.0 com.azure:azure-identity@1.15.4 com.azure:azure-core-http-netty@1.15.11 io.projectreactor.netty:reactor-netty-http@1.0.48

Overview

Affected versions of this package are vulnerable to Exposure of Sensitive System Information to an Unauthorized Control Sphere via handling of chained redirects. An attacker can cause the Reactor Netty HTTP client to leak credentials such as session cookies by intercepting initial HTTP/1.1 requests containing and replaying them on new HTTP/2 connections.

Notes:

  1. For this to be exploited, the HTTP client must have been explicitly configured to follow redirects.
  2. For the commercial version of Spring, patches are also available for the 1.0.x and 1.1.x streams in 1.0.49 and 1.1.32 respectively.

Remediation

Upgrade io.projectreactor.netty:reactor-netty-http to version 1.2.8, 1.3.0-M5 or higher.

References

Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability report