CVE-2014-3488 — Improper Restriction of Operations within the Bounds of a Memory Buffer in Netty

CWE-119 — Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-835 — Infinite Loop7 documents7 sources

Severity

5.0MEDIUMNVD

EPSS

0.9%

top 24.80%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Netty Debian Netty

Timeline

PublishedJul 31

Latest updateJun 30

Description

The SslHandler in Netty before 3.9.2 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted SSLv2Hello message.

CVSS vector

AV:N/AC:L/C:N/I:N/A:PExploitability: 10.0 | Impact: 2.9

Affected Packages2 packages

▶NVDnetty/netty3.9.1.1+14

▶debiandebian/netty

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

Denial of service in Netty↗2020-06-30

▶

OSV

Denial of service in Netty↗2020-06-30

▶

📋Vendor Advisories

Red Hat

Netty: DoS by CPU exhaustion when using malicious SSL packets↗2014-06-11

▶

Debian

CVE-2014-3488: netty - The SslHandler in Netty before 3.9.2 allows remote attackers to cause a denial o...↗2014

▶

💬Community

HackerOne

Container scanning and Dependency scanning report leaked to unauthorized users↗2019-12-13

▶

Bugzilla

CVE-2014-3488 Netty: DoS by CPU exhaustion when using malicious SSL packets↗2014-06-11

▶