CVE-2014-0193

WebSocket08FrameDecoder in Netty 3.6.x before 3.6.9, 3.7.x before 3.7.1, 3.8.x before 3.8.2, 3.9.x before 3.9.1, and 4.0.x before 4.0.19 allows remote attackers to cause a denial of service (memory consumption) via a TextWebSocketFrame followed by a long stream of ContinuationWebSocketFrames.

Published Bysecalert@redhat.com

Published DateMay 06, 2014, 14:55

Affected Versions(6)

io.netty:netty(Maven)

Introduced3.6.0.Beta1

Fixed3.6.9.Final

LimitN/A

io.netty:netty(Maven)

Introduced3.7.0.Final

Fixed3.7.1.Final

LimitN/A

io.netty:netty(Maven)

Introduced3.8.0.Final

Fixed3.8.2.Final

LimitN/A

io.netty:netty(Maven)

Introduced3.9.0.Final

Fixed3.9.1.Final

LimitN/A

io.netty:netty(Maven)

Introduced4.0.0.Alpha1

Fixed4.0.19.Final

LimitN/A

io.netty:netty-all(Maven)

Introduced4.0.0.Alpha1

Fixed4.0.19.Final

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
io.netty:netty(Maven)	3.6.0.Beta1	3.6.9.Final	N/A
io.netty:netty(Maven)	3.7.0.Final	3.7.1.Final	N/A
io.netty:netty(Maven)	3.8.0.Final	3.8.2.Final	N/A
io.netty:netty(Maven)	3.9.0.Final	3.9.1.Final	N/A
io.netty:netty(Maven)	4.0.0.Alpha1	4.0.19.Final	N/A
io.netty:netty-all(Maven)	4.0.0.Alpha1	4.0.19.Final	N/A

Weakness Type (CWE):CWE-399

CVSS Metrics

Base Score

Vector String

AV:N/AC:L/Au:N/C:N/I:N/A:P

Base Severity

Version

2.0

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality (C)

NONE

Integrity (I)

NONE

Availability (A)

PARTIAL

References

Weakness Type (CWE):CWE-399

CVSS Metrics

Base Score

Vector String

AV:N/AC:L/Au:N/C:N/I:N/A:P

Base Severity

Version

2.0

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality (C)

NONE

Integrity (I)

NONE

Availability (A)

PARTIAL