Hi Keycloak team,
Keycloak packages io.netty_netty-common, which has the following High severity vulnerability. This is fixed in version 4.1.115. Please let us know when Keycloak will fix this issue.
Thanks in advance!
Thanks,
Sreehari
Scanner finding (only the populated columns of the scanner export are shown):

Field | Value
---|---
Id | sha256:a3fd6ee4a5ca65d1c6dd92bf5601eebf3f38c65d00dbfb95f4471c8b69c99508
Scan Time | 42:12.2
Pass | TRUE
Type | ciImage
Distro | suse-15.6
CVE ID | CVE-2024-47535
Compliance ID | 47
Result | fail
Type | java
Severity | high
Packages | io.netty_netty-common
Package Version | 4.1.111.Final
CVSS | 5.5
Fix Status | fixed in 4.1.115
Fix Date | 50:13.0
Published | 53:17.0
Vulnerability Link | NVD - CVE-2024-47535
PURL | pkg:maven/io.netty/netty-common@4.1.111.Final

Description (as reported by the scanner):

> **Summary**
> An unsafe reading of an environment file could potentially cause a denial of service in Netty. When loaded in a Windows application, Netty attempts to load a file that does not exist. If an attacker creates such a file and makes it large, the Netty application crashes.
>
> **Details**
> When the Netty library is loaded in a Java Windows application, the library tries to identify the system environment in which it is executed. At this stage, Netty tries to load both /etc/os-release and /usr/lib/os-release even though it is in a Windows environment. If Netty finds these files, it reads them and loads them into memory. By default:
> - The JVM maximum memory size is set to 1 GB,
> - A non-privileged user can create a directory at C:\ and create files within it.
>
> The source code identified: netty/common/src/main/java/io/netty/util/internal/PlatformDependent.java at 4.1 · netty/netty · GitHub
>
> Despite the implementation of the function normalizeOs(), the source code does not verify the OS before reading `C:\etc\os-release` and `C:\usr\lib\os-release`.
Thanks
Sreehari
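Triage helper for the finding above, added here as an example; it is not part of the issue and not Keycloak or Netty code. It walks an unpacked distribution, reads the `META-INF/maven/io.netty/netty-common/pom.properties` entry that Maven writes into every netty-common jar (so it does not depend on jar file names, which differ between plain Maven layouts and the `io.netty.netty-common-<version>.jar` naming used in Keycloak's `lib/lib/main`), and flags every version that sorts below the fix version the scanner reports (`4.1.115`). It also parses the PURL from the scanner row. The sample tree it builds when run without arguments is constructed for the demonstration and is not a real distribution.

```python
"""Check an unpacked distribution for netty-common jars older than the fix
version reported for CVE-2024-47535. Added example, not Keycloak/Netty code."""
import os
import re
import tempfile
import zipfile

# From the scanner row: "fixed in 4.1.115".
FIXED_VERSION = "4.1.115.Final"
# Path Maven writes into every netty-common jar; read this instead of relying
# on file names, which vary between Maven and Quarkus-style layouts.
POM_PROPS = "META-INF/maven/io.netty/netty-common/pom.properties"


def parse_netty_version(version):
    """'4.1.111.Final' -> (4, 1, 111); the qualifier is ignored for ordering."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised netty version: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable(version, fixed=FIXED_VERSION):
    """True when version sorts before the fixed version."""
    return parse_netty_version(version) < parse_netty_version(fixed)


def parse_maven_purl(purl):
    """'pkg:maven/io.netty/netty-common@4.1.111.Final' -> (group, artifact, version)."""
    m = re.match(r"^pkg:maven/([^/]+)/([^@/]+)@([^?#]+)$", purl)
    if not m:
        raise ValueError(f"not a maven purl: {purl!r}")
    return m.group(1), m.group(2), m.group(3)


def netty_common_versions(root):
    """Map jar path -> netty-common version for every jar under root that carries one."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".jar"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with zipfile.ZipFile(path) as jar:
                    if POM_PROPS not in jar.namelist():
                        continue
                    props = jar.read(POM_PROPS).decode("utf-8", "replace")
            except zipfile.BadZipFile:
                continue  # not a real jar; skip rather than abort the scan
            m = re.search(r"^version=(.+)$", props, re.MULTILINE)
            if m:
                found[path] = m.group(1).strip()
    return found


def report(root):
    """Jar path -> (version, vulnerable?) for all netty-common jars under root."""
    return {p: (v, is_vulnerable(v)) for p, v in netty_common_versions(root).items()}


def make_sample_tree():
    """Constructed sample (not a real distribution): one jar at the reported
    version and one at the fixed version, laid out like Keycloak's lib/lib/main."""
    root = tempfile.mkdtemp(prefix="kc-sample-")
    libdir = os.path.join(root, "lib", "lib", "main")
    os.makedirs(libdir)
    for ver in ("4.1.111.Final", "4.1.115.Final"):
        path = os.path.join(libdir, f"io.netty.netty-common-{ver}.jar")
        with zipfile.ZipFile(path, "w") as jar:
            jar.writestr(POM_PROPS,
                         f"groupId=io.netty\nartifactId=netty-common\nversion={ver}\n")
    return root


if __name__ == "__main__":
    import sys
    # Pass the root of an unpacked distribution; with no argument the sample tree is used.
    root = sys.argv[1] if len(sys.argv) > 1 else make_sample_tree()
    for path, (ver, vuln) in sorted(report(root).items()):
        print(f"{'VULNERABLE' if vuln else 'ok'}\t{ver}\t{path}")
```

Run it against the directory where the Keycloak archive was unpacked (for example `python check_netty.py /opt/keycloak`); anything marked VULNERABLE is a netty-common jar below 4.1.115 and is the artefact the scanner is reporting.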