CVE-2022-24823 — Resource Exposure in Netty

CWE-668 — Resource Exposure CWE-378 — Creation of Temporary File With Insecure Permissions CWE-379 — Creation of Temporary File in Directory with Insecure Permissions12 documents8 sources

Severity

5.5MEDIUMNVD

CNA6.2

EPSS

0.4%

top 39.18%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Netty Oracle Financial Services Crime AND Compliance Management Studio

Timeline

PublishedMay 6

Latest updateFeb 24

Description

Netty is an open-source, asynchronous event-driven network application framework. The package `io.netty:netty-codec-http` prior to version 4.1.77.Final contains an insufficient fix for CVE-2021-21290. When Netty's multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled. This only impacts applications running on Java version 6 and lower. Additionally, this vulnerability impacts code running on …

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 1.8 | Impact: 3.6

Affected Packages4 packages

▶NVDnetty/netty< 4.1.77

▶Ubuntunetty/netty< 1:4.0.34-1ubuntu0.1~esm2+4

▶CVEListV5netty/netty4.1.76.Final

▶NVDoracle/financial_services_crime_and_compliance_management_studio8.0.8.2.0, 8.0.8.3.0+1

Patches

Patch: github.com ↗Patch: www.oracle.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

netty vulnerabilities↗2025-02-24

▶

GHSA

Local Information Disclosure Vulnerability in io.netty:netty-codec-http↗2022-05-10

▶

OSV

Local Information Disclosure Vulnerability in io.netty:netty-codec-http↗2022-05-10

▶

CVEList

Local Information Disclosure Vulnerability in io.netty:netty-codec-http↗2022-05-06

▶

OSV

CVE-2022-24823: Netty is an open-source, asynchronous event-driven network application framework↗2022-05-06

▶

📋Vendor Advisories

Ubuntu

Netty vulnerabilities↗2025-02-24

▶

Oracle

Oracle Oracle Communications Risk Matrix: Install/Upgrade (Netty) — CVE-2022-24823↗2023-01-15

▶

Oracle

Oracle Oracle Communications Applications Risk Matrix: PSR Designer (Netty) — CVE-2022-24823↗2022-10-15

▶

Oracle

Oracle Oracle Financial Services Applications Risk Matrix: Studio (Netty) — CVE-2022-24823↗2022-07-15

▶

Red Hat

netty: world readable temporary file containing sensitive data↗2022-05-06

▶