Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

fstec логотип

BDU:2025-02529

Опубликовано: 10 фев. 2025
Источник: fstec
CVSS3: 5.5
CVSS2: 4.6
EPSS Низкий

Описание

Уязвимость функции BufferedReader.readLine() сетевого программного средства Netty связана с неконтролируемым расходом ресурсов. Эксплуатация уязвимости может позволить нарушителю вызвать отказ в обслуживании

Вендор

ООО «Ред Софт»
Apache Software Foundation

Наименование ПО

РЕД ОС
netty

Версия ПО

7.3 (РЕД ОС)
от 4.1.97.Final до 4.1.118.Final включительно (netty)

Тип ПО

Операционная система
Сетевое программное средство

Операционные системы и аппаратные платформы

ООО «Ред Софт» РЕД ОС 7.3

Уровень опасности уязвимости

Средний уровень опасности (базовая оценка CVSS 2.0 составляет 4,6)
Средний уровень опасности (базовая оценка CVSS 3.0 составляет 5,5)

Возможные меры по устранению уязвимости

Использование рекомендаций производителя:
Для Netty:
https://github.com/netty/netty/commit/d1fbda62d3a47835d3fb35db8bd42ecc205a5386
Для РЕД ОС:
http://repo.red-soft.ru/redos/7.3c/x86_64/updates/

Статус уязвимости

Подтверждена производителем

Наличие эксплойта

Существует

Информация об устранении

Уязвимость устранена

Ссылки на источники

Идентификаторы других систем описаний уязвимостей

EPSS

Процентиль: 31%
0.00113
Низкий

5.5 Medium

CVSS3

4.6 Medium

CVSS2

Связанные уязвимости

ubuntu логотип

CVE-2025-25193

CVSS3: 5.5
ubuntu
7 месяцев назад

Netty, an asynchronous, event-driven network application framework, has a vulnerability in versions up to and including 4.1.118.Final. An unsafe reading of environment file could potentially cause a denial of service in Netty. When loaded on an Windows application, Netty attempts to load a file that does not exist. If an attacker creates such a large file, the Netty application crash. A similar issue was previously reported as CVE-2024-47535. This issue was fixed, but the fix was incomplete in that null-bytes were not counted against the input limit. Commit d1fbda62d3a47835d3fb35db8bd42ecc205a5386 contains an updated fix.

redhat логотип

CVE-2025-25193

CVSS3: 5.5
redhat
7 месяцев назад

Netty, an asynchronous, event-driven network application framework, has a vulnerability in versions up to and including 4.1.118.Final. An unsafe reading of environment file could potentially cause a denial of service in Netty. When loaded on an Windows application, Netty attempts to load a file that does not exist. If an attacker creates such a large file, the Netty application crash. A similar issue was previously reported as CVE-2024-47535. This issue was fixed, but the fix was incomplete in that null-bytes were not counted against the input limit. Commit d1fbda62d3a47835d3fb35db8bd42ecc205a5386 contains an updated fix.

nvd логотип

CVE-2025-25193

CVSS3: 5.5
nvd
7 месяцев назад

Netty, an asynchronous, event-driven network application framework, has a vulnerability in versions up to and including 4.1.118.Final. An unsafe reading of environment file could potentially cause a denial of service in Netty. When loaded on an Windows application, Netty attempts to load a file that does not exist. If an attacker creates such a large file, the Netty application crash. A similar issue was previously reported as CVE-2024-47535. This issue was fixed, but the fix was incomplete in that null-bytes were not counted against the input limit. Commit d1fbda62d3a47835d3fb35db8bd42ecc205a5386 contains an updated fix.

debian логотип

CVE-2025-25193

CVSS3: 5.5
debian
7 месяцев назад

Netty, an asynchronous, event-driven network application framework, ha ...

github логотип

GHSA-389x-839f-4rhx

CVSS3: 5.5
github
7 месяцев назад

Denial of Service attack on windows app using Netty

EPSS

Процентиль: 31%
0.00113
Низкий

5.5 Medium

CVSS3

4.6 Medium

CVSS2