14 open findings · 14 with upstream fix available

| Package | Version | Severity | CVE | Fix | Description | VEX |
|---|---|---|---|---|---|---|
| netty-codec-haproxy | 4.1.133.Final | HIGH | GHSA-h2qv-fj59-j46j | 4.1.135.Final | Netty HAProxy: Unbalanced Reference Count in Nested PP2_TYPE_SSL TLV Parsing Leads to Memory Exhaustion | — |
| netty-handler | 4.1.133.Final | HIGH | GHSA-x4gw-5cx5-pgmh | 4.1.135.Final | Netty: SNI handler pre-allocates up to 16 MiB from nine attacker bytes | — |
| netty-codec-haproxy | 4.1.133.Final | HIGH | GHSA-cc37-9q2j-3hfv | 4.1.135.Final | Netty: HAProxy SSL TLV parsing leaks retained slice on invalid TLV length | — |
| netty-handler | 4.1.133.Final | HIGH | GHSA-3qp7-7mw8-wx86 | 4.1.135.Final | Netty has an IPv6 Subnet Filter Bypass via Incorrect Comparator Masking | — |
| netty-resolver-dns | 4.1.133.Final | HIGH | GHSA-5pvg-856g-cp85 | 4.1.135.Final | Netty has Insufficient Bailiwick Validation for NS Records | — |
| netty-resolver-dns | 4.1.133.Final | HIGH | GHSA-676x-f7gg-47vc | 4.1.135.Final | Netty Vulnerable to DNS Cache Poisoning via Missing Bailiwick Checks in CNAME Records | — |
| netty-handler | 4.1.133.Final | HIGH | GHSA-c653-97m9-rcg9 | 4.1.135.Final | Netty: Wrapping plain trust manager silently disables hostname verification | — |
| netty-codec-http2 | 4.1.133.Final | MEDIUM | GHSA-c2gf-v879-257j | 4.1.135.Final | netty-codec-http2: ByteBuf Reference-Count Leak in DelegatingDecompressorFrameListener Leads to Memory Exhaustion | — |
| netty-codec-http2 | 4.1.133.Final | MEDIUM | GHSA-5x3r-wrvg-rp6q | 4.1.135.Final | Netty HTTP/2: Advertised MAX_CONCURRENT_STREAMS are not enforced | — |
| netty-resolver-dns | 4.1.133.Final | MEDIUM | GHSA-xmv7-r254-6q78 | 4.1.135.Final | Netty: DNS Cache Poisoning due to Predictable PRNG and Default Static Source Port | — |
| netty-codec-http2 | 4.1.133.Final | MEDIUM | GHSA-563q-j3cm-6jxm | 4.1.135.Final | Netty susceptible to HTTP/2 Reset Attack with different on-the-wire signature | — |
| netty-codec-http | 4.1.133.Final | MEDIUM | GHSA-hvcg-qmg6-jm4c | 4.1.135.Final | Netty: HttpObjectDecoder skips arbitrary initial control characters when only initial CRLF characters are permitted | — |
| netty-transport-native-epoll | 4.1.133.Final | MEDIUM | GHSA-w573-9ffj-6ff9 | 4.1.135.Final | Netty: Unix-socket fd receive leaks descriptors when peer sends two at once | — |
| netty-transport-native-epoll | 4.1.133.Final | MEDIUM | GHSA-w573-9ffj-6ff9 | 4.1.135.Final | Netty: Unix-socket fd receive leaks descriptors when peer sends two at once | — |