medium severity
new
- Vulnerable module: org.bouncycastle:bcprov-jdk18on
- Introduced through: com.sendgrid:sendgrid-java@4.10.2
Detailed paths
- Introduced through: pacphi/cf-butler@pacphi/cf-butler#670c29227a2c029a0d7dc86819b198077d4da9f7 › com.sendgrid:sendgrid-java@4.10.2 › org.bouncycastle:bcprov-jdk18on@1.76
Overview
Affected versions of this package are vulnerable to Observable Timing Discrepancy in the PKCS#1 v1.5 and OAEP decryption paths. An attacker who can submit chosen ciphertexts and measure how long decryption takes can decrypt ciphertexts (recover their plaintexts) by exploiting the Marvin flaw. The PKCS#1 v1.5 vector leaks padding validity through javax.crypto.Cipher exceptions, and the OAEP vector leaks through the bit size of the decrypted data. The leak is inside the library's own decryption code, so it is reachable only where the application, or one of its dependencies, uses Bouncy Castle to decrypt attacker-supplied RSA ciphertexts.
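As an added illustration (not part of this report and not Bouncy Castle's code), the following Python model shows what the PKCS#1 v1.5 oracle described above looks like and what the "implicit rejection" countermeasure against Marvin-style attacks does instead. It uses textbook RSA with a constructed 150-bit key, a stand-in BadPaddingException for the Java exception, and HMAC-SHA256 as the secret PRF for the fallback plaintext; all of those, plus the function names, are assumptions of the example.

```python
"""Toy model of the decryption side channel behind the Marvin attack and of
the 'implicit rejection' countermeasure.  Constructed illustration only: it
uses textbook RSA with a ~150-bit key, not Bouncy Castle, and Python cannot
make the final selection truly constant-time."""
import hashlib
import hmac
import os

# Constructed toy key.  p = 2^61 - 1 and q = 2^89 - 1 are Mersenne primes;
# the 150-bit modulus is far too small for real use but large enough to hold
# an EME-PKCS1-v1_5 block (k >= 11 bytes).
P = (1 << 61) - 1
Q = (1 << 89) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8            # modulus length in bytes (19)
MAX_MSG = K - 11                         # longest message PKCS#1 v1.5 can carry

_IR_KEY = os.urandom(32)                 # per-key secret for implicit rejection


def _raw_rsa(block: bytes, exponent: int) -> bytes:
    """Textbook RSA on a k-byte block; the same call serves encrypt and decrypt."""
    return pow(int.from_bytes(block, "big"), exponent, N).to_bytes(K, "big")


def encrypt(msg: bytes) -> bytes:
    """EME-PKCS1-v1_5 encode (00 02 <PS, >= 8 non-zero bytes> 00 M), then encrypt."""
    if len(msg) > MAX_MSG:
        raise ValueError("message too long")
    ps = bytes(b or 1 for b in os.urandom(K - len(msg) - 3))   # PS bytes must be non-zero
    return _raw_rsa(b"\x00\x02" + ps + b"\x00" + msg, E)


class BadPaddingException(Exception):
    """Stands in for the javax.crypto.BadPaddingException the Java API raises."""


def decrypt_leaky(ct: bytes) -> bytes:
    """Vulnerable pattern: each padding check exits early with an exception,
    so whether (and where) decoding failed is observable to the caller and,
    through timing, to a remote attacker.  That yes/no answer is the oracle a
    Bleichenbacher/Marvin attack queries repeatedly to recover a plaintext."""
    em = _raw_rsa(ct, D)
    if em[0] != 0x00 or em[1] != 0x02:
        raise BadPaddingException("wrong block type")
    sep = em.find(b"\x00", 2)
    if sep < 10:                         # PS shorter than 8 bytes, or no separator
        raise BadPaddingException("bad padding string")
    return em[sep + 1:]


def decrypt_implicit_reject(ct: bytes) -> bytes:
    """Mitigation pattern: never signal failure.  A fallback plaintext is
    derived from the ciphertext with a secret key on every call (same work
    either way, same answer for a repeated ciphertext) and returned when the
    padding is invalid, so the attacker no longer has an oracle to query."""
    em = _raw_rsa(ct, D)
    prf = hmac.new(_IR_KEY, ct, hashlib.sha256).digest()
    fallback = prf[1:1 + prf[0] % (MAX_MSG + 1)]    # length in [0, MAX_MSG]
    sep = em.find(b"\x00", 2)
    valid = em[0] == 0x00 and em[1] == 0x02 and sep >= 10
    # A real implementation selects in constant time; Python can only show the shape.
    return em[sep + 1:] if valid else fallback


def padding_oracle(ct: bytes) -> bool:
    """What the attacker effectively measures against decrypt_leaky: did this
    ciphertext produce a padding error?  True means 'invalid padding'."""
    try:
        decrypt_leaky(ct)
    except BadPaddingException:
        return True
    return False


def forged_block_type_ciphertext() -> bytes:
    """Constructed ciphertext whose decryption carries block type 0x01, so its
    padding is deterministically invalid for decryption."""
    return _raw_rsa(b"\x00\x01" + b"\xff" * (K - 2), E)
```

The point of the second decryptor is not that the padding check disappears but that its outcome is no longer visible: a valid ciphertext yields its message, an invalid one yields a stable, key-dependent pseudo-random message, and both take the same code path to get there.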
Remediation
There is no fixed version for org.bouncycastle:bcprov-jdk18on.
medium severity
new
- Vulnerable module: io.netty:netty-codec-http
- Introduced through: org.cloudfoundry:cloudfoundry-client-reactor@5.12.1.RELEASE and org.springframework.boot:spring-boot-starter-webflux@3.2.4
Detailed paths
- Introduced through: pacphi/cf-butler@pacphi/cf-butler#670c29227a2c029a0d7dc86819b198077d4da9f7 › org.cloudfoundry:cloudfoundry-client-reactor@5.12.1.RELEASE › io.projectreactor.netty:reactor-netty@1.1.17 › io.projectreactor.netty:reactor-netty-http@1.1.17 › io.netty:netty-codec-http@4.1.107.Final
- Introduced through: pacphi/cf-butler@pacphi/cf-butler#670c29227a2c029a0d7dc86819b198077d4da9f7 › org.springframework.boot:spring-boot-starter-webflux@3.2.4 › org.springframework.boot:spring-boot-starter-reactor-netty@3.2.4 › io.projectreactor.netty:reactor-netty-http@1.1.17 › io.netty:netty-codec-http@4.1.107.Final
- Introduced through: pacphi/cf-butler@pacphi/cf-butler#670c29227a2c029a0d7dc86819b198077d4da9f7 › org.cloudfoundry:cloudfoundry-client-reactor@5.12.1.RELEASE › io.projectreactor.netty:reactor-netty@1.1.17 › io.projectreactor.netty:reactor-netty-core@1.1.17 › io.netty:netty-handler-proxy@4.1.107.Final › io.netty:netty-codec-http@4.1.107.Final
- Introduced through: pacphi/cf-butler@pacphi/cf-butler#670c29227a2c029a0d7dc86819b198077d4da9f7 › org.cloudfoundry:cloudfoundry-client-reactor@5.12.1.RELEASE › io.projectreactor.netty:reactor-netty@1.1.17 › io.projectreactor.netty:reactor-netty-http@1.1.17 › io.netty:netty-codec-http2@4.1.107.Final › io.netty:netty-codec-http@4.1.107.Final
- Introduced through: pacphi/cf-butler@pacphi/cf-butler#670c29227a2c029a0d7dc86819b198077d4da9f7 › org.springframework.boot:spring-boot-starter-webflux@3.2.4 › org.springframework.boot:spring-boot-starter-reactor-netty@3.2.4 › io.projectreactor.netty:reactor-netty-http@1.1.17 › io.netty:netty-codec-http2@4.1.107.Final › io.netty:netty-codec-http@4.1.107.Final
- Introduced through: pacphi/cf-butler@pacphi/cf-butler#670c29227a2c029a0d7dc86819b198077d4da9f7 › org.cloudfoundry:cloudfoundry-client-reactor@5.12.1.RELEASE › io.projectreactor.netty:reactor-netty@1.1.17 › io.projectreactor.netty.incubator:reactor-netty-incubator-quic@0.1.17 › io.projectreactor.netty:reactor-netty-core@1.1.17 › io.netty:netty-handler-proxy@4.1.107.Final › io.netty:netty-codec-http@4.1.107.Final
- Introduced through: pacphi/cf-butler@pacphi/cf-butler#670c29227a2c029a0d7dc86819b198077d4da9f7 › org.cloudfoundry:cloudfoundry-client-reactor@5.12.1.RELEASE › io.projectreactor.netty:reactor-netty@1.1.17 › io.projectreactor.netty:reactor-netty-http@1.1.17 › io.projectreactor.netty:reactor-netty-core@1.1.17 › io.netty:netty-handler-proxy@4.1.107.Final › io.netty:netty-codec-http@4.1.107.Final
- Introduced through: pacphi/cf-butler@pacphi/cf-butler#670c29227a2c029a0d7dc86819b198077d4da9f7 › org.springframework.boot:spring-boot-starter-webflux@3.2.4 › org.springframework.boot:spring-boot-starter-reactor-netty@3.2.4 › io.projectreactor.netty:reactor-netty-http@1.1.17 › io.projectreactor.netty:reactor-netty-core@1.1.17 › io.netty:netty-handler-proxy@4.1.107.Final › io.netty:netty-codec-http@4.1.107.Final
Overview
io.netty:netty-codec-http is a network application framework for rapid development of maintainable high performance protocol servers & clients.
Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling because of unbounded accumulation of data in HttpPostRequestDecoder. The decoder accumulates bytes in its undecodedChunk buffer until it can decode a field, and it retains every decoded field in its bodyListHttpData list; neither has an upper bound.
An attacker can cause a denial of service by sending a chunked POST body made up of many small fields: each one is decoded and appended to bodyListHttpData, so the list, and the memory behind it, keeps growing for as long as the body keeps arriving.
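As an added illustration (not Netty's code and not part of this report), the following Python model reproduces the shape of the bug in an application/x-www-form-urlencoded decoder that is fed a chunked body, alongside a bounded variant with the two caps a fixed decoder needs: a ceiling on decoded fields and a ceiling on bytes still waiting to be decoded. The class and attribute names, the sample attack bodies, the 64-byte chunking and the limit values are all constructed for the example.

```python
"""Toy model of the accumulation behaviour behind the netty-codec-http finding:
an application/x-www-form-urlencoded decoder fed body chunks, first without
limits and then with caps on buffered bytes and field count.  Constructed
illustration; it does not use Netty, and the limit values are arbitrary."""
from typing import List, Optional, Tuple
from urllib.parse import unquote_plus


class FormDecodeError(Exception):
    """Raised by the bounded decoder; `limit` names the cap that fired."""

    def __init__(self, limit: str) -> None:
        super().__init__(f"form body exceeded {limit}")
        self.limit = limit


class UnboundedFormDecoder:
    """Mirrors the vulnerable shape: bytes wait in `undecoded` until a whole
    field ('name=value&') is present, and every decoded field is kept in
    `fields`.  Neither structure has an upper bound."""

    def __init__(self) -> None:
        self.undecoded = bytearray()                 # analogue of undecodedChunk
        self.fields: List[Tuple[str, str]] = []      # analogue of bodyListHttpData

    def offer(self, chunk: bytes, last: bool = False) -> None:
        """Append one body chunk, then decode every field that is now complete."""
        self.undecoded += chunk
        while True:
            amp = self.undecoded.find(b"&")
            if amp < 0:
                break
            self._decode_field(bytes(self.undecoded[:amp]))
            del self.undecoded[:amp + 1]
        if last and self.undecoded:                  # final field has no trailing '&'
            self._decode_field(bytes(self.undecoded))
            self.undecoded.clear()

    def _decode_field(self, raw: bytes) -> None:
        name, _, value = raw.partition(b"=")
        self.fields.append((unquote_plus(name.decode("ascii", errors="replace")),
                            unquote_plus(value.decode("ascii", errors="replace"))))


class BoundedFormDecoder(UnboundedFormDecoder):
    """Same decoder with the two caps that close the hole: a ceiling on the
    number of decoded fields and a ceiling on bytes still waiting in the
    buffer after each offer().  Individual chunks are assumed to be bounded
    already by the transport layer that delivers them."""

    def __init__(self, max_fields: int = 128, max_buffered_bytes: int = 1024) -> None:
        super().__init__()
        self.max_fields = max_fields
        self.max_buffered_bytes = max_buffered_bytes

    def offer(self, chunk: bytes, last: bool = False) -> None:
        super().offer(chunk, last)
        if len(self.undecoded) > self.max_buffered_bytes:
            raise FormDecodeError("max_buffered_bytes")

    def _decode_field(self, raw: bytes) -> None:
        if len(self.fields) >= self.max_fields:
            raise FormDecodeError("max_fields")
        super()._decode_field(raw)


def feed(decoder: UnboundedFormDecoder, body: bytes, chunk_size: int = 64) -> UnboundedFormDecoder:
    """Deliver body to the decoder as a chunked transfer would, chunk_size bytes at a time."""
    for i in range(0, len(body), chunk_size):
        decoder.offer(body[i:i + chunk_size], last=i + chunk_size >= len(body))
    return decoder


def many_small_fields(n: int) -> bytes:
    """Constructed attack body matching the advisory: n tiny fields, 'a=1&a=1&...'."""
    return b"&".join([b"a=1"] * n)


def never_completing_field(n: int) -> bytes:
    """Constructed attack body: n bytes with no '=' or '&', so nothing can be
    decoded and the undecoded buffer only grows until the body ends."""
    return b"x" * n


def limit_hit(body: bytes, **caps: int) -> Optional[str]:
    """Feed body to a BoundedFormDecoder; return the cap that fired, or None."""
    try:
        feed(BoundedFormDecoder(**caps), body)
    except FormDecodeError as exc:
        return exc.limit
    return None
```

Fed the many-small-fields body, the unbounded decoder faithfully holds every field it was sent, while the bounded one stops at its field cap after a couple of chunks; fed a body with no separators at all, the bounded decoder stops once the undecoded buffer passes its byte cap, which is the other way the original buffer could be made to grow.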
Remediation
Upgrade io.netty:netty-codec-http to version 4.1.108.Final or higher. The module arrives transitively through every path listed above, so pin the fixed version in the build's dependency management (with Spring Boot, the managed version is exposed as the netty.version property) and confirm with a dependency-tree listing that each path now resolves to 4.1.108.Final or later.