CVE-2024-47535

Aliases:GHSA-xq3w-v528-46rv

Advisory lineage Upstream: 0 Downstream: 10

Downstream

OPENSUSE-SU-2024:14549-1 RHSA-2025:3357 RHSA-2025:3465 RHSA-2025:4548 RHSA-2025:4549 RHSA-2025:4550

Analyzed

Published: 12 Nov 2024, 15:50

Last modified:13 Nov 2024, 20:44

Vulnerability Summary

Overall Risk (default)

medium

32/100

CVSS Score

5.5 MEDIUM

v3.1 (cve.org)

EPSS Score

0.47% LOW

0% probability +0.27%

KEV

Not listed

Ransomware

No reports

Public exploits

1 found

Dark Web

Not detected

Timeline

12 Nov 2024, 15:50

Published

Vulnerability first disclosed

13 Nov 2024, 20:44

Last Modified

Vulnerability information updated

Description

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. An unsafe reading of environment file could potentially cause a denial of service in Netty. When loaded on an Windows application, Netty attempts to load a file that does not exist. If an attacker creates such a large file, the Netty application crashes. This vulnerability is fixed in 4.1.115.

CVSS Metrics

v4.0•MEDIUM•Score: 6.8CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P
v3.1•MEDIUM•Score: 5.5CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

EPSS Trends

Current EPSS score: 0.47%• Percentile: 65%

Techniques & Countermeasures

CWE-400•Uncontrolled Resource Consumption
The product does not properly control the allocation and maintenance of a limited resource.

Affected Systems

io.netty•netty-common
< 4.1.115.Final
netty•netty
< 4.1.115