Severity: 7.5 HIGH
EPSS: 4.3% (top 11.08%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Apr 7; Latest update Apr 28

Description

The ZlibDecoders in Netty 4.1.x before 4.1.46 allow for unbounded memory allocation while decoding a ZlibEncoded byte stream. An attacker could send a large ZlibEncoded byte stream to the Netty server, forcing the server to allocate all of its free memory to a single decoder.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Exploitability: 3.9 | Impact: 3.6

Affected Packages (13 packages)

NVD: netty/netty, affected from 4.1, fixed in 4.1.46
Maven: io.netty:netty-handler, affected from 4.1.0, fixed in 4.1.46
Debian: netty < 1:4.1.48-1 (+3)
Ubuntu: netty < 1:4.1.7-4ubuntu0.1 (+4)

Also affects: Debian Linux 10.0, 9.0, Fedora 33

Patches

🔴 Vulnerability Details (8)

OSV: netty vulnerabilities (2023-04-28)
OSV: netty vulnerabilities (2020-10-27)
OSV: Memory exhaustion in http4s-async-http-client with large or malicious compressed responses (2020-10-16)
GHSA: Memory exhaustion in http4s-async-http-client with large or malicious compressed responses (2020-10-16)
GHSA: Denial of Service in Netty (2020-06-15)

📋 Vendor Advisories (8)

Ubuntu: Netty vulnerabilities (2023-04-28)
Oracle: Oracle Blockchain Platform Risk Matrix: BCS Console (Netty) — CVE-2020-11612 (2022-04-15)
Oracle: Oracle Communications Applications Risk Matrix: HTTP GW (Netty) — CVE-2020-11612 (2021-07-15)
Oracle: Oracle NoSQL Database Risk Matrix: Administration (Netty) — CVE-2020-11612 (2021-04-15)
Oracle: Oracle Financial Services Applications Risk Matrix: Core (Netty) — CVE-2020-11612 (2021-01-15)

💬 Community (2)

Bugzilla: CVE-2020-11612 netty: compression/decompression codecs don't enforce limits on buffer allocation sizes [fedora-all] (2020-08-04)
Bugzilla: CVE-2020-11612 netty: compression/decompression codecs don't enforce limits on buffer allocation sizes (2020-03-23)