logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

GHSA-8hxh-r6f7-jf45 org.http4s:http4s-async-http-client_2.13

Package

Manager: maven
Name: org.http4s:http4s-async-http-client_2.13
Vulnerable Version: >=0 <0.21.8

Severity

Level: Low

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

EPSS: N/A pctlN/A

Details

Memory exhaustion in http4s-async-http-client with large or malicious compressed responses ### Impact A server we connect to with http4s-async-http-client could theoretically respond with a large or malicious compressed stream and exhaust memory in the client JVM. It does not affect http4s servers, other client backends, or clients that speak only to trusted servers. This is related to a transitive dependency on netty-codec-4.1.45.Final, which is affected by [CVE-2020-11612](https://app.snyk.io/vuln/SNYK-JAVA-IONETTY-564897). ### Patches Upgrade to http4s-async-http-client >= 0.21.8. All 1.0 milestones are also safe. ### Workarounds Add an explicit runtime dependency on async-http-client's netty dependencies that evicts them to an unaffected version: ```scala libraryDependencies ++= Seq( "io.netty" % "netty-codec" % "4.1.53.Final" % Runtime, "io.netty" % "netty-codec-socks" % "4.1.53.Final" % Runtime, "io.netty" % "netty-handler-proxy" % "4.1.53.Final" % Runtime, "io.netty" % "netty-common" % "4.1.53.Final" % Runtime, "io.netty" % "netty-transport" % "4.1.53.Final" % Runtime, "io.netty" % "netty-handler" % "4.1.53.Final" % Runtime, "io.netty" % "netty-resolver-dns" % "4.1.53.Final" % Runtime ) ``` ### References * https://app.snyk.io/vuln/SNYK-JAVA-IONETTY-564897 * https://github.com/http4s/http4s/issues/3681 ### For more information If you have any questions or comments about this advisory: * Open an issue in [http4s](https://github.com/http4s/http4s/issues/new) * Contact a maintainer privately per [http4s' security policy](https://github.com/http4s/http4s/blob/master/SECURITY.md#reporting-a-vulnerability)

Metadata

Created: 2020-10-16T17:03:43Z
Modified: 2021-10-04T21:26:20Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/10/GHSA-8hxh-r6f7-jf45/GHSA-8hxh-r6f7-jf45.json
CWE IDs: ["CWE-400"]
Alternative ID: N/A
Finding: F067
Auto approve: 1