7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
0.011 Low
EPSS
Percentile
84.3%
A server we connect to with http4s-async-http-client could theoretically respond with a large or malicious compressed stream and exhaust memory in the client JVM. It does not affect http4s servers, other client backends, or clients that speak only to trusted servers. This is related to a transitive dependency on netty-codec-4.1.45.Final, which is affected by CVE-2020-11612.
Upgrade to http4s-async-http-client >= 0.21.8. All 1.0 milestones are also safe.
Add an explicit runtime dependency on async-http-client’s netty dependencies that evicts them to an unaffected version:
libraryDependencies ++= Seq(
"io.netty" % "netty-codec" % "4.1.53.Final" % Runtime,
"io.netty" % "netty-codec-socks" % "4.1.53.Final" % Runtime,
"io.netty" % "netty-handler-proxy" % "4.1.53.Final" % Runtime,
"io.netty" % "netty-common" % "4.1.53.Final" % Runtime,
"io.netty" % "netty-transport" % "4.1.53.Final" % Runtime,
"io.netty" % "netty-handler" % "4.1.53.Final" % Runtime,
"io.netty" % "netty-resolver-dns" % "4.1.53.Final" % Runtime
)
If you have any questions or comments about this advisory:
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
0.011 Low
EPSS
Percentile
84.3%