Home

CVE-2022-24823

Description

Netty is an open-source, asynchronous event-driven network application framework. The package io.netty:netty-codec-http prior to version 4.1.77.Final contains an insufficient fix for CVE-2021-21290. When Nettys multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled. This only impacts applications running on Java version 6 and lower. Additionally, this vulnerability impacts code running on Unix-like systems, and very old versions of Mac OSX and Windows as they all share the system temporary directory between all users. Version 4.1.77.Final contains a patch for this vulnerability. As a workaround, specify ones own java.io.tmpdir when starting the JVM or use DefaultHttpDataFactory.setBaseDir(...) to set the directory to something that is only readable by the current user.

Risk Information

Base Score
5.5
MODERATE
Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
EPSS Score
Exploitation Probability
0.401

Associated Vulnerability

VulnerabilityOS Platform
Vulnerabilities CVE-2022-24823 are fixed in Netty-netty-codec-http 4.1.77Windows
Multiple Vulnerabilities are affected in Netapp Active Iq Unified Manager 2.3Windows
Multiple vulnerabilities are affected in Oracle PeopleSoft Enterprise PeopleTools 8.58Windows
Multiple vulnerabilities are affected in Oracle PeopleSoft Enterprise PeopleTools 8.59Windows
Multiple vulnerabilities are affected in Oracle PeopleSoft Enterprise PeopleTools 8.60Windows
Multiple Vulnerabilities are affected in Netapp Snapcenter 2.3Windows
Multiple Vulnerabilities are affected in Netapp Oncommand Workflow Automation 2.3Windows
SUSE-SU-2023:2096-1(Development Tools Module 15-SP4 ) netty-tcnative-2.0.59-150200.3.10.1.x86_64.rpmLinux
SUSE-SU-2023:2096-2(Development Tools Module 15-SP5) netty-tcnative-2.0.59-150200.3.10.1.x86_64.rpmLinux
Java NIO client/server socket framework (USN-7284-1) libnetty-java_4.1.48-10ubuntu0.1_all.debLinux
Vulnerabilities CVE-2022-24823 are fixed in Netty-netty-codec-http for Linux 4.1.77Linux

Patch Details

No records found

References

https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234