Vulnerability Description
netty-incubator-codec-ohttp is the OHTTP implementation for netty. BoringSSLAEADContext keeps track of how many OHTTP responses have been sent and uses this sequence number to calculate the appropriate nonce to use with the encryption algorithm. Unfortunately, two separate errors combine which would allow an attacker to cause the sequence number to overflow and thus the nonce to repeat.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Netty | Netty-Incubator-Codec-Ohttp | >= 0.0.3, < 0.0.11 |
Related Weaknesses (CWE)
References
- https://github.com/netty/netty-incubator-codec-ohttp/blob/1ddadb6473cd3be5491d11Product
- https://github.com/netty/netty-incubator-codec-ohttp/security/advisories/GHSA-g7ExploitVendor Advisory
- https://github.com/netty/netty-incubator-codec-ohttp/blob/1ddadb6473cd3be5491d11Product
- https://github.com/netty/netty-incubator-codec-ohttp/security/advisories/GHSA-g7ExploitVendor Advisory
FAQ
What is CVE-2024-36121?
CVE-2024-36121 is a vulnerability with a CVSS score of 5.9 (MEDIUM). netty-incubator-codec-ohttp is the OHTTP implementation for netty. BoringSSLAEADContext keeps track of how many OHTTP responses have been sent and uses this sequence number to calculate the appropria...
How severe is CVE-2024-36121?
CVE-2024-36121 has been rated MEDIUM with a CVSS base score of 5.9/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2024-36121?
Check the references section above for vendor advisories and patch information. Affected products include: Netty Netty-Incubator-Codec-Ohttp.