Veracode Vulnerability DatabaseVERACODE:47392Sensitive Information Disclosure
9.1 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
6.7 Medium
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
37.7%
netty-incubator-codec-ohttp is vulnerable to Sensitive Information Disclosure. The vulnerability due to an error in the BoringSSLAEADContext which results the encryption nonce overflowing. An attacker can manipulate the nonce repetition by causing the sequence number to overflow, which decreases the security of OHTTP responses.
| CPE | Name | Operator | Version |
|---|---|---|---|
| netty/incubator/codec/ohttp | le | 0.0.10.Final | |
| netty/incubator/codec/ohttp | le | 0.0.10.Final |
References
github.com/netty/netty-incubator-codec-ohttp/blob/1ddadb6473cd3be5491d114431ed4c1a9f316001/codec-ohttp-hpke-classes-boringssl/src/main/java/io/netty/incubator/codec/hpke/boringssl/BoringSSLAEADContext.java#L112-L114
github.com/netty/netty-incubator-codec-ohttp/commit/ee93b421c02156e1e55a1787df48ac31059da6e5
github.com/netty/netty-incubator-codec-ohttp/security/advisories/GHSA-g762-h86w-8749
Related
9.1 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
6.7 Medium
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
37.7%