Back

CVE-2024-36121

June 4, 2024, 10:15 p.m.

Received
CVE has been recently published to the CVE List and has been received by the NVD.

Products

Netty

Source

security-advisories@github.com

Tags

security-advisories@github.com
CWE-190
2024-06-04
CVE-2024-36121

CVE-2024-36121 details

Published : June 4, 2024, 10:15 p.m.
Last Modified : June 4, 2024, 10:15 p.m.

Description

netty-incubator-codec-ohttp is the OHTTP implementation for netty. BoringSSLAEADContext keeps track of how many OHTTP responses have been sent and uses this sequence number to calculate the appropriate nonce to use with the encryption algorithm. Unfortunately, two separate errors combine which would allow an attacker to cause the sequence number to overflow and thus the nonce to repeat.

CVSS Score

1 2 3 4 5.9 6 7 8 9 10

Weakness

Weakness Name Description

CVSS Data

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

HIGH

Availability Impact

NONE

Base Score

5.9

Exploitability Score

Impact Score

Base Severity

MEDIUM

Vector String : CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N

References

URL Source
https://github.com/netty/netty-incubator-codec-ohttp/blob/1ddadb6473cd3be5491d114431ed4c1a9f316001/codec-ohttp-hpke-classes-boringssl/src/main/java/io/netty/incubator/codec/hpke/boringssl/BoringSSLAEADContext.java#L112-L114 security-advisories@github.com
https://github.com/netty/netty-incubator-codec-ohttp/security/advisories/GHSA-g762-h86w-8749 security-advisories@github.com
This website uses the NVD API, but is not approved or certified by it.