Dependency-Check is an open source tool performing a best effort analysis of 3rd party dependencies;
false positives and false negatives may exist in the analysis performed by the tool. Use of the tool and
the reporting provided constitutes acceptance for use in an AS IS condition, and there are NO warranties,
implied or otherwise, with regard to the analysis or its use. Any use of the tool and the reporting provided
is at the user’s risk. In no event shall the copyright holder or OWASP be held liable for any damages whatsoever
arising out of or in connection with the use of this tool, the analysis performed, or the resulting report.
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/com.sun.xml.fastinfoset/FastInfoset/1.2.16/4eb6a0adad553bf759ffe86927df6f3b848c8bea/FastInfoset-1.2.16.jar
MD5: f7f4be4695e2501a6d585beca305c74c  SHA1: 4eb6a0adad553bf759ffe86927df6f3b848c8bea  SHA256: 056f3a1e144409f21ed16afc26805f58e9a21f3fce1543c42d400719d250c511
Referenced In Project/Scope: server-start:compileClasspath
FastInfoset-1.2.16.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/com.sun.xml.fastinfoset/FastInfoset/2.1.0/cd92e93ef4ee608bffe4ba41b1247846a3d42227/FastInfoset-2.1.0.jar
MD5: e3b96affb511af41c5ba5bc6827b93db  SHA1: cd92e93ef4ee608bffe4ba41b1247846a3d42227  SHA256: b968161aab6beb1ea1a4a62a3d84b5d762d62681f7ce23cf03049915d9748d21
Referenced In Project/Scope: server-start:runtimeClasspath
FastInfoset-2.1.0.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.eclipse.angus/angus-activation/2.0.2/41f1e0ddd157c856926ed149ab837d110955a9fc/angus-activation-2.0.2.jar
MD5: 42bba74155dc773eca277ee7a16f74be  SHA1: 41f1e0ddd157c856926ed149ab837d110955a9fc  SHA256: 6dd3bcffc22bce83b07376a0e2e094e4964a3195d4118fb43e380ef35436cc1e
Referenced In Project/Scope: server-start:webapps
angus-activation-2.0.2.jar is in the transitive dependency tree of the listed items. Included by:
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.eclipse.angus/angus-mail/2.0.4/80a49d6e187788d17a23b05e375bad75f56a4a92/angus-mail-2.0.4.jar
MD5: 5e39c666abac5e0c7837894606af28b8  SHA1: 80a49d6e187788d17a23b05e375bad75f56a4a92  SHA256: 87301865584bad9170662b3eeef0350aaafea4522483e38e54ae87dc3df3e958
Referenced In Project/Scope: server-start:webapps
angus-mail-2.0.4.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/TRANSCONNECT.backend.webservices/soapapi@unspecified
A set of annotations used for code inspection support and code documentation.
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.jetbrains/annotations/13.0/919f0dfe192fb4e063e7dacadee7f8bb9a2672a9/annotations-13.0.jar
MD5: f4fb462172517b46b6cd90003508515a  SHA1: 919f0dfe192fb4e063e7dacadee7f8bb9a2672a9  SHA256: ace2a10dc8e2d5fd34925ecac03e4988b2c0f851650c94b8cef49ba1bd111478
Referenced In Project/Scope: server-start:compileClasspath
annotations-13.0.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified
A set of annotations used for code inspection support and code documentation.
License:
The Apache Software License, Version 2.0: http://www.apache.org/license/LICENSE-2.0.txt
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.jetbrains/annotations/16.0.3/62c7299ced2a089cc541726c6d763da9417604a0/annotations-16.0.3.jar
MD5: a60b96e694740dc7dc0272d637efe978  SHA1: 62c7299ced2a089cc541726c6d763da9417604a0  SHA256: 04b16e8d2309bf7771fbee16187b76f63af6ccd023cf664ec846e4e8e65c5b3f
Referenced In Project/Scope: server-start:runtimeClasspath
annotations-16.0.3.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.glassfish.hk2.external/aopalliance-repackaged/3.0.6/e3c3f17b649c97155640616026bd32b1043b3c1d/aopalliance-repackaged-3.0.6.jar
MD5: e07024ce0f95aa4a8797257c97fa5774  SHA1: e3c3f17b649c97155640616026bd32b1043b3c1d  SHA256: a82b6d1a348324ef88dc807c7cd7aaf633985cbff7b30036fb61a1b86981d840
Referenced In Project/Scope: server-start:webapps
aopalliance-repackaged-3.0.6.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/TRANSCONNECT.backend.webservices/restapi@unspecified
Evidence
Type | Source | Name | Value | Confidence
Vendor | file | name | aopalliance-repackaged | High
Vendor | gradle | artifactid | aopalliance-repackaged | Highest
Vendor | gradle | groupid | org.glassfish.hk2.external | Highest
Vendor | jar | package name | aopalliance | Highest
Vendor | Manifest | automatic-module-name | org.aopalliance | Medium
Vendor | Manifest | build-jdk-spec | 17 | Low
Vendor | Manifest | bundle-docurl | http://www.oracle.com | Low
Vendor | Manifest | bundle-symbolicname | org.glassfish.hk2.external.aopalliance-repackaged | Medium
Vendor | pom | artifactid | aopalliance-repackaged | Low
Vendor | pom | groupid | org.glassfish.hk2.external | Highest
Vendor | pom | name | aopalliance version repackaged as a module | High
Vendor | pom | name | aopalliance version ${aopalliance.version} repackaged as a module | High
Vendor | pom | parent-artifactid | external | Low
Vendor | pom | parent-groupid | org.glassfish.hk2 | Medium
Product | file | name | aopalliance-repackaged | High
Product | gradle | artifactid | aopalliance-repackaged | Highest
Product | jar | package name | aopalliance | Highest
Product | Manifest | automatic-module-name | org.aopalliance | Medium
Product | Manifest | build-jdk-spec | 17 | Low
Product | Manifest | bundle-docurl | http://www.oracle.com | Low
Product | Manifest | Bundle-Name | aopalliance version 1.0 repackaged as a module | Medium
Product | Manifest | bundle-symbolicname | org.glassfish.hk2.external.aopalliance-repackaged | Medium
Product | pom | artifactid | aopalliance-repackaged | Highest
Product | pom | groupid | org.glassfish.hk2.external | Highest
Product | pom | name | aopalliance version repackaged as a module | High
Product | pom | name | aopalliance version ${aopalliance.version} repackaged as a module |
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/software.amazon.awssdk/apache-client/2.26.30/4bc6cd588501005d1bd222eba6b934b4918542ad/apache-client-2.26.30.jar
MD5: 60da56a9cbc4aa2bc862de8a7b090aa2  SHA1: 4bc6cd588501005d1bd222eba6b934b4918542ad  SHA256: 971284e89d83ee7815b445c8b0eb921011b26d439d789bfea68c8de4db8713bf
Referenced In Project/Scope: server-start:runtimeClasspath
apache-client-2.26.30.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified
Improper input validation allows for header injection in the MIME4J library when the MIME4J DOM is used to compose a message.
An attacker can exploit this to add unintended headers to MIME messages.
CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
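The bug class described above is easiest to see in code. The following Python is an added example written for this page; it is not MIME4J code and does not reproduce MIME4J's API. It contrasts a header builder that concatenates values verbatim with one that refuses CR or LF inside a value (the CWE-74 neutralization step), then reads the result back the way a receiving agent splits it into header fields. The recipient string and the field list are constructed samples.

```python
"""Header injection while composing MIME headers: unsafe vs hardened (added example)."""
import re

CRLF = "\r\n"
# Any CR or LF inside a value lets the value terminate the current header field (CWE-74).
_HEADER_BREAK = re.compile(r"[\r\n]")
# RFC 5322 field name: printable US-ASCII except ':' and without whitespace.
_FIELD_NAME = re.compile(r"[!-9;-~]+")
# Fields are CRLF-terminated on the wire, but be liberal when reading back: bare CR or LF too.
_LINE_SPLIT = re.compile(r"\r\n|\r|\n")


class HeaderInjection(ValueError):
    """Raised when a header name or value would alter the header structure."""


def build_headers_unsafe(fields):
    """Vulnerable: joins name/value pairs verbatim, so a CR/LF in a value injects a new field."""
    return CRLF.join(f"{name}: {value}" for name, value in fields) + CRLF + CRLF


def build_headers_safe(fields):
    """Hardened: reject rather than fold or strip; a line break in a value is attacker-shaped."""
    lines = []
    for name, value in fields:
        if not _FIELD_NAME.fullmatch(name):
            raise HeaderInjection(f"illegal header name {name!r}")
        if _HEADER_BREAK.search(value):
            raise HeaderInjection(f"CR/LF in value of {name}: {value!r}")
        lines.append(f"{name}: {value}")
    return CRLF.join(lines) + CRLF + CRLF


def parse_header_names(raw):
    """Field names a receiver sees; folded continuation lines (leading WSP) belong to the previous field."""
    names = []
    for line in _LINE_SPLIT.split(raw):
        if line == "":
            break  # the empty line ends the header section
        if line[0] in " \t":
            continue
        names.append(line.split(":", 1)[0])
    return names


def rejects(fields):
    """True when the hardened builder refuses the given fields."""
    try:
        build_headers_safe(fields)
    except HeaderInjection:
        return True
    return False


# Constructed sample: the recipient arrives from an untrusted web form.
INJECTED_RECIPIENT = "alice@example.invalid\r\nBcc: eve@attacker.invalid"
TAINTED_FIELDS = [
    ("From", "noreply@example.invalid"),
    ("To", INJECTED_RECIPIENT),
    ("Subject", "Invoice"),
]
CLEAN_FIELDS = [(n, "alice@example.invalid" if n == "To" else v) for n, v in TAINTED_FIELDS]

if __name__ == "__main__":
    print(parse_header_names(build_headers_unsafe(TAINTED_FIELDS)))
    print(rejects(TAINTED_FIELDS), rejects(CLEAN_FIELDS))
```

Rejecting is deliberate: silently stripping the line break would let the injected "Bcc: eve@attacker.invalid" survive as part of the To value, and folding it (CRLF plus whitespace) would make the outcome depend on how each receiver unfolds.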
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.ow2.asm/asm/9.7/73d7b3086e14beb604ced229c302feff6449723/asm-9.7.jar
MD5: 3957b18bf02a62edcb6726d074b90b08  SHA1: 073d7b3086e14beb604ced229c302feff6449723  SHA256: adf46d5e34940bdf148ecdd26a9ee8eea94496a72034ff7141066b3eea5c4e9d
Referenced In Project/Scope: server-start:jacocoAnt
asm-9.7.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.jacoco/org.jacoco.ant@0.8.12
Evidence
Type | Source | Name | Value | Confidence
Vendor | file | name | asm | High
Vendor | gradle | artifactid | asm | Highest
Vendor | gradle | groupid | org.ow2.asm | Highest
Vendor | jar | package name | asm | Highest
Vendor | jar | package name | asm | Low
Vendor | jar | package name | objectweb | Highest
Vendor | jar | package name | objectweb | Low
Vendor | Manifest | bundle-docurl | http://asm.ow2.org | Low
Vendor | Manifest | bundle-requiredexecutionenvironment | J2SE-1.5 | Low
Vendor | Manifest | bundle-symbolicname | org.objectweb.asm | Medium
Vendor | pom | artifactid | asm | Low
Vendor | pom | developer email | ebruneton@free.fr | Low
Vendor | pom | developer email | eu@javatx.org | Low
Vendor | pom | developer email | forax@univ-mlv.fr | Low
Vendor | pom | developer id | ebruneton | Medium
Vendor | pom | developer id | eu | Medium
Vendor | pom | developer id | forax | Medium
Vendor | pom | developer name | Eric Bruneton | Medium
Vendor | pom | developer name | Eugene Kuleshov | Medium
Vendor | pom | developer name | Remi Forax | Medium
Vendor | pom | groupid | org.ow2.asm | Highest
Vendor | pom | name | asm | High
Vendor | pom | organization name | OW2 | High
Vendor | pom | organization url | http://www.ow2.org/ | Medium
Vendor | pom | parent-artifactid | ow2 | Low
Vendor | pom | parent-groupid | org.ow2 | Medium
Vendor | pom | url | http://asm.ow2.io/ | Highest
Product | file | name | asm | High
Product | gradle | artifactid | asm | Highest
Product | jar | package name | asm | Highest
Product | jar | package name | asm | Low
Product | jar | package name | objectweb | Highest
Product | Manifest | bundle-docurl | http://asm.ow2.org | Low
Product | Manifest | Bundle-Name | org.objectweb.asm | Medium
Product | Manifest | bundle-requiredexecutionenvironment | J2SE-1.5 | Low
Product | Manifest | bundle-symbolicname | org.objectweb.asm | Medium
Product | Manifest | Implementation-Title | ASM, a very small and fast Java bytecode manipulation framework | High
Product | pom | artifactid | asm | Highest
Product | pom | developer email | ebruneton@free.fr | Low
Product | pom | developer email | eu@javatx.org | Low
Product | pom | developer email | forax@univ-mlv.fr | Low
Product | pom | developer id | ebruneton | Low
Product | pom | developer id | eu | Low
Product | pom | developer id | forax | Low
Product | pom | developer name | Eric Bruneton | Low
Product | pom | developer name | Eugene Kuleshov | Low
Product | pom | developer name | Remi Forax | Low
Product | pom | groupid | org.ow2.asm | Highest
Product | pom | name | asm | High
Product | pom | organization name | OW2 | Low
Product | pom | organization url | http://www.ow2.org/ | Low
Product | pom | parent-artifactid | ow2 | Medium
Product | pom | parent-groupid | org.ow2 | Medium
Product | pom | url | http://asm.ow2.io/ | Medium
Version | file | version | 9.7 | High
Version | gradle | version | 9.7 | Highest
Version | Manifest | Bundle-Version | 9.7 | High
Version | Manifest | Implementation-Version | 9.7 | High
Version | pom | parent-version | 9.7 | Low
Version | pom | version | 9.7 | Highest
Identifiers
pkg:maven/org.ow2.asm/asm@9.7 (Confidence:High)
asm-9.8.jar
Description:
ASM, a very small and fast Java bytecode manipulation framework
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.ow2.asm/asm/9.8/dc19ecb3f7889b7860697215cae99c0f9b6f6b4b/asm-9.8.jar
MD5: f5adf3bfc54fb3d2cd8e3a1f275084bc  SHA1: dc19ecb3f7889b7860697215cae99c0f9b6f6b4b  SHA256: 876eab6a83daecad5ca67eb9fcabb063c97b5aeb8cf1fca7a989ecde17522051
Referenced In Project/Scope: server-start:webapps
asm-9.8.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/TRANSCONNECT.backend.webservices/soapapi@unspecified
Evidence
Type | Source | Name | Value | Confidence
Vendor | file | name | asm | High
Vendor | gradle | artifactid | asm | Highest
Vendor | gradle | groupid | org.ow2.asm | Highest
Vendor | jar | package name | asm | Highest
Vendor | jar | package name | asm | Low
Vendor | jar | package name | objectweb | Highest
Vendor | jar | package name | objectweb | Low
Vendor | Manifest | bundle-docurl | http://asm.ow2.org | Low
Vendor | Manifest | bundle-requiredexecutionenvironment | J2SE-1.5 | Low
Vendor | Manifest | bundle-symbolicname | org.objectweb.asm | Medium
Vendor | pom | artifactid | asm | Low
Vendor | pom | developer email | ebruneton@free.fr | Low
Vendor | pom | developer email | eu@javatx.org | Low
Vendor | pom | developer email | forax@univ-mlv.fr | Low
Vendor | pom | developer id | ebruneton | Medium
Vendor | pom | developer id | eu | Medium
Vendor | pom | developer id | forax | Medium
Vendor | pom | developer name | Eric Bruneton | Medium
Vendor | pom | developer name | Eugene Kuleshov | Medium
Vendor | pom | developer name | Remi Forax | Medium
Vendor | pom | groupid | org.ow2.asm | Highest
Vendor | pom | name | asm | High
Vendor | pom | organization name | OW2 | High
Vendor | pom | organization url | http://www.ow2.org/ | Medium
Vendor | pom | parent-artifactid | ow2 | Low
Vendor | pom | parent-groupid | org.ow2 | Medium
Vendor | pom | url | http://asm.ow2.io/ | Highest
Product | file | name | asm | High
Product | gradle | artifactid | asm | Highest
Product | jar | package name | asm | Highest
Product | jar | package name | asm | Low
Product | jar | package name | objectweb | Highest
Product | Manifest | bundle-docurl | http://asm.ow2.org | Low
Product | Manifest | Bundle-Name | org.objectweb.asm | Medium
Product | Manifest | bundle-requiredexecutionenvironment | J2SE-1.5 | Low
Product | Manifest | bundle-symbolicname | org.objectweb.asm | Medium
Product | Manifest | Implementation-Title | ASM, a very small and fast Java bytecode manipulation framework | High
Product | pom | artifactid | asm | Highest
Product | pom | developer email | ebruneton@free.fr | Low
Product | pom | developer email | eu@javatx.org | Low
Product | pom | developer email | forax@univ-mlv.fr | Low
Product | pom | developer id | ebruneton | Low
Product | pom | developer id | eu | Low
Product | pom | developer id | forax | Low
Product | pom | developer name | Eric Bruneton | Low
Product | pom | developer name | Eugene Kuleshov | Low
Product | pom | developer name | Remi Forax | Low
Product | pom | groupid | org.ow2.asm | Highest
Product | pom | name | asm | High
Product | pom | organization name | OW2 | Low
Product | pom | organization url | http://www.ow2.org/ | Low
Product | pom | parent-artifactid | ow2 | Medium
Product | pom | parent-groupid | org.ow2 | Medium
Product | pom | url | http://asm.ow2.io/ | Medium
Version | file | version | 9.8 | High
Version | gradle | version | 9.8 | Highest
Version | Manifest | Bundle-Version | 9.8 | High
Version | Manifest | Implementation-Version | 9.8 | High
Version | pom | parent-version | 9.8 | Low
Version | pom | version | 9.8 | Highest
Identifiers
pkg:maven/org.ow2.asm/asm@9.8 (Confidence:High)
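The Identifiers line is the conclusion Dependency-Check draws from the evidence table above it: the Highest-confidence gradle coordinates yield the package URL, while the lower-confidence vendor strings (objectweb, OW2, org.objectweb.asm) are alternative candidates that CPE matching may also try, which is where false positives tend to originate. The following Python is an added example written for this page, a simplified illustration rather than Dependency-Check's own identification logic; the evidence rows are a subset copied from the asm-9.8.jar table, and the numeric ranking of the confidence labels is an assumption.

```python
"""Derive a package URL from Dependency-Check evidence rows (added example, simplified)."""

# Assumed ranking of the confidence labels used in the report's Evidence tables.
CONFIDENCE = {"Low": 0, "Medium": 1, "High": 2, "Highest": 3}

# Subset of the asm-9.8.jar Evidence table: (type, source, name, value, confidence).
ASM_9_8_EVIDENCE = [
    ("Vendor", "gradle", "groupid", "org.ow2.asm", "Highest"),
    ("Vendor", "jar", "package name", "objectweb", "Highest"),
    ("Vendor", "pom", "organization name", "OW2", "High"),
    ("Vendor", "Manifest", "bundle-symbolicname", "org.objectweb.asm", "Medium"),
    ("Product", "gradle", "artifactid", "asm", "Highest"),
    ("Product", "Manifest", "Implementation-Title",
     "ASM, a very small and fast Java bytecode manipulation framework", "High"),
    ("Version", "gradle", "version", "9.8", "Highest"),
    ("Version", "pom", "parent-version", "9.8", "Low"),
]


def best_by_type(evidence):
    """Highest-confidence (score, source, name, value) per evidence type."""
    best = {}
    for etype, source, name, value, conf in evidence:
        score = CONFIDENCE[conf]
        if etype not in best or score > best[etype][0]:
            best[etype] = (score, source, name, value)
    return best


def maven_purl(evidence):
    """pkg:maven/<groupId>/<artifactId>@<version> from Highest-confidence build coordinates only.

    Returns None when any coordinate is missing, so a caller never fabricates an identifier
    from manifest or file-name guesses.
    """
    coords = {}
    for etype, source, name, value, conf in evidence:
        if source in ("gradle", "pom") and name in ("groupid", "artifactid", "version") \
                and conf == "Highest":
            coords[name] = value
    if {"groupid", "artifactid", "version"} <= coords.keys():
        return f"pkg:maven/{coords['groupid']}/{coords['artifactid']}@{coords['version']}"
    return None


def vendor_candidates(evidence, min_conf="High"):
    """Distinct vendor strings at or above min_conf.

    Several candidates mean CPE matching has several vendors to try; each extra one is a
    place to look when a reported CVE turns out to belong to an unrelated product.
    """
    threshold = CONFIDENCE[min_conf]
    return sorted({v for t, _, _, v, c in evidence if t == "Vendor" and CONFIDENCE[c] >= threshold})


if __name__ == "__main__":
    print(maven_purl(ASM_9_8_EVIDENCE))
    print(vendor_candidates(ASM_9_8_EVIDENCE))
```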
asm-9.9.1.jar
Description:
ASM, a very small and fast Java bytecode manipulation framework
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.ow2.asm/asm-commons/9.7/e86dda4696d3c185fcc95d8d311904e7ce38a53f/asm-commons-9.7.jar
MD5: 53a46610df6a8dbc4ff85b8fd4cdea66  SHA1: e86dda4696d3c185fcc95d8d311904e7ce38a53f  SHA256: 389bc247958e049fc9a0408d398c92c6d370c18035120395d4cba1d9d9304b7a
Referenced In Project/Scope: server-start:jacocoAnt
asm-commons-9.7.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.jacoco/org.jacoco.ant@0.8.12
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.ow2.asm/asm-tree/9.7/e446a17b175bfb733b87c5c2560ccb4e57d69f1a/asm-tree-9.7.jar
MD5: ea5cad3e0cbd2520688e4b0b5c4218e7  SHA1: e446a17b175bfb733b87c5c2560ccb4e57d69f1a  SHA256: 62f4b3bc436045c1acb5c3ba2d8ec556ec3369093d7f5d06c747eb04b56d52b1
Referenced In Project/Scope: server-start:jacocoAnt
asm-tree-9.7.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.jacoco/org.jacoco.ant@0.8.12
Evidence
Type | Source | Name | Value | Confidence
Vendor | file | name | asm-tree | High
Vendor | gradle | artifactid | asm-tree | Highest
Vendor | gradle | groupid | org.ow2.asm | Highest
Vendor | jar | package name | asm | Highest
Vendor | jar | package name | asm | Low
Vendor | jar | package name | objectweb | Highest
Vendor | jar | package name | objectweb | Low
Vendor | jar | package name | tree | Highest
Vendor | jar | package name | tree | Low
Vendor | Manifest | bundle-docurl | http://asm.ow2.org | Low
Vendor | Manifest | bundle-requiredexecutionenvironment | J2SE-1.5 | Low
Vendor | Manifest | bundle-symbolicname | org.objectweb.asm.tree | Medium
Vendor | Manifest | module-requires | org.objectweb.asm;transitive=true | Low
Vendor | pom | artifactid | asm-tree | Low
Vendor | pom | developer email | ebruneton@free.fr | Low
Vendor | pom | developer email | eu@javatx.org | Low
Vendor | pom | developer email | forax@univ-mlv.fr | Low
Vendor | pom | developer id | ebruneton | Medium
Vendor | pom | developer id | eu | Medium
Vendor | pom | developer id | forax | Medium
Vendor | pom | developer name | Eric Bruneton | Medium
Vendor | pom | developer name | Eugene Kuleshov | Medium
Vendor | pom | developer name | Remi Forax | Medium
Vendor | pom | groupid | org.ow2.asm | Highest
Vendor | pom | name | asm-tree | High
Vendor | pom | organization name | OW2 | High
Vendor | pom | organization url | http://www.ow2.org/ | Medium
Vendor | pom | parent-artifactid | ow2 | Low
Vendor | pom | parent-groupid | org.ow2 | Medium
Vendor | pom | url | http://asm.ow2.io/ | Highest
Product | file | name | asm-tree | High
Product | gradle | artifactid | asm-tree | Highest
Product | jar | package name | asm | Highest
Product | jar | package name | asm | Low
Product | jar | package name | objectweb | Highest
Product | jar | package name | tree | Highest
Product | jar | package name | tree | Low
Product | Manifest | bundle-docurl | http://asm.ow2.org | Low
Product | Manifest | Bundle-Name | org.objectweb.asm.tree | Medium
Product | Manifest | bundle-requiredexecutionenvironment | J2SE-1.5 | Low
Product | Manifest | bundle-symbolicname | org.objectweb.asm.tree | Medium
Product | Manifest | Implementation-Title | Tree API of ASM, a very small and fast Java bytecode manipulation framework |
The AWS SDK for Java - Core runtime module holds the classes that are used by the individual service clients to interact with Amazon Web Services. Users need to depend on the aws-java-sdk artifact for accessing individual client classes.
Contains deprecated classes that will disappear in the next major release.
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.apache.ws.commons.axiom/axiom-compat/1.4.0/a69be40ff5a8b6b69a46745fef6d9524d19f40d6/axiom-compat-1.4.0.jar
MD5: 9c438ea8c661025f79503b71ef46c3e1  SHA1: a69be40ff5a8b6b69a46745fef6d9524d19f40d6  SHA256: 8e0e94055c40cac38f7773bde5ee6b1c8d91684c317e34def27e17642b7c2bf5
Referenced In Project/Scope: server-start:runtimeClasspath
axiom-compat-1.4.0.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.apache.ws.commons.axiom/axiom-dom/1.4.0/ce6d6347785e4d29234f10502af0f468fe8f3cd5/axiom-dom-1.4.0.jar
MD5: ebd5980bf365d24311a1282738e663ac  SHA1: ce6d6347785e4d29234f10502af0f468fe8f3cd5  SHA256: 07da590bac8c900680e871ade45ecc2bacfc578c368fdb849c028802009864ad
Referenced In Project/Scope: server-start:runtimeClasspath
axiom-dom-1.4.0.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.apache.ws.commons.axiom/axiom-impl/1.4.0/328594317d79ce5c071af6625657982662867a04/axiom-impl-1.4.0.jar
MD5: 0d7624f016a8ab4cd6f9b34b3f9ad88f  SHA1: 328594317d79ce5c071af6625657982662867a04  SHA256: cba1998d5cb436fd979b3ad1ea82e5301006ee8f70e39ff65abe0725c642cfd8
Referenced In Project/Scope: server-start:runtimeClasspath
axiom-impl-1.4.0.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.apache.axis2/axis2-adb/1.8.2/b5524059212283592bf31a5da19a170ca87c23f/axis2-adb-1.8.2.jar
MD5: fdd109781c4ee541fecc9833dd337809  SHA1: 0b5524059212283592bf31a5da19a170ca87c23f  SHA256: ed298ba22672768b31bf07f12c7744062faf7355982e4dbe3079ee1064b0b824
Referenced In Project/Scope: server-start:runtimeClasspath
axis2-adb-1.8.2.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.apache.axis2/axis2-adb-codegen/1.8.2/4cb7ca75a1bf607c10c8a82f9ae94327e6eafc8/axis2-adb-codegen-1.8.2.jar
MD5: 234a8737f304555ed8136f45c57dd9fc  SHA1: 04cb7ca75a1bf607c10c8a82f9ae94327e6eafc8  SHA256: dd9457b6d510cb96a312b6a2d43baeaa88e759b85a40447c2987f25e064527aa
Referenced In Project/Scope: server-start:runtimeClasspath
axis2-adb-codegen-1.8.2.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.apache.axis2/axis2-codegen/1.8.2/43e17c3ae89048ed4923bd913f2267f4443866/axis2-codegen-1.8.2.jar
MD5: a2cc1b3e3839dd75f90fdd5ec7a7db40  SHA1: 0043e17c3ae89048ed4923bd913f2267f4443866  SHA256: e41353debf123e82e37d47ae0e1bee3f3dc7abc201c5adc88dc37050e06d9136
Referenced In Project/Scope: server-start:runtimeClasspath
axis2-codegen-1.8.2.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.apache.axis2/axis2-corba/1.8.2/56ccbd9954703f525452ea37c8c83a3c2227fbe5/axis2-corba-1.8.2.jar
MD5: 60c0b5b99ade8fbb6a396a6bc4d141f2  SHA1: 56ccbd9954703f525452ea37c8c83a3c2227fbe5  SHA256: 8e74d42b07499c9b68fb088f54ddcf282a33aa5b67540b80e1a310eb7c86078b
Referenced In Project/Scope: server-start:runtimeClasspath
axis2-corba-1.8.2.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.apache.axis2/axis2-fastinfoset/1.8.2/de14899147264d7c8040f1f2a5ddc4598ab53ed0/axis2-fastinfoset-1.8.2.jar
MD5: 939d14b9e89fd3a3b78aa91cfe1c3799  SHA1: de14899147264d7c8040f1f2a5ddc4598ab53ed0  SHA256: f877355bc8b24477c2cb490ae7d39d52fe85d362443984bb241c59cc3e2ac6cb
Referenced In Project/Scope: server-start:runtimeClasspath
axis2-fastinfoset-1.8.2.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.apache.axis2/axis2-java2wsdl/1.8.2/38b8881f89bde6e3508e613c715dab8b816f7446/axis2-java2wsdl-1.8.2.jar
MD5: e62fc1438a2e2bdcbd0f1fad95e8b1aa  SHA1: 38b8881f89bde6e3508e613c715dab8b816f7446  SHA256: 3cd3bb186cb7f74b12ad1eacb380d7c8de31766004c20a5aa2499b6d68712e03
Referenced In Project/Scope: server-start:runtimeClasspath
axis2-java2wsdl-1.8.2.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.apache.axis2/axis2-jaxbri-codegen/1.8.2/84661a7972ef9395cb9c42926a5f3eb13aac3bdd/axis2-jaxbri-codegen-1.8.2.jar
MD5: 26f3a65c127c0d87e7863cabd9739ceb  SHA1: 84661a7972ef9395cb9c42926a5f3eb13aac3bdd  SHA256: 3ce6b4f65b2d33ad35dfec78741ae342f7724a391591b5b5ea05618ce82dea69
Referenced In Project/Scope: server-start:runtimeClasspath
axis2-jaxbri-codegen-1.8.2.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.apache.axis2/axis2-jaxws/1.8.2/232ba53b69cad5c83e2fd9e0e628298fb453cf3d/axis2-jaxws-1.8.2.jar
MD5: 63df9299b4c2dcda4d231d75b6c489c6  SHA1: 232ba53b69cad5c83e2fd9e0e628298fb453cf3d  SHA256: cbdaae912142a0a43fce2c3bd2a19dd46552bc753c9a500b180c7b0fd127c1a6
Referenced In Project/Scope: server-start:runtimeClasspath
axis2-jaxws-1.8.2.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.apache.axis2/axis2-jibx/1.8.2/4ee416dfcda8d9dbd7f831eff633b4a7b0430586/axis2-jibx-1.8.2.jar
MD5: 4cb5ab7fb08251ff6eb3b53b499c334b  SHA1: 4ee416dfcda8d9dbd7f831eff633b4a7b0430586  SHA256: 592971b1c1d87613482ad245d9d5063a68c89593b41cec80525c4331dd70ab9b
Referenced In Project/Scope: server-start:runtimeClasspath
axis2-jibx-1.8.2.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.apache.axis2/axis2-metadata/1.8.2/4de456dc1858db5c343e2bbedbb108da5c320558/axis2-metadata-1.8.2.jar
MD5: 160b9c5e619d033475e98ec521f73df2  SHA1: 4de456dc1858db5c343e2bbedbb108da5c320558  SHA256: 5fabf9c9b4b5768206bc95b7a34848e7ee152be9de68949f5b2af24eeb676ad9
Referenced In Project/Scope: server-start:runtimeClasspath
axis2-metadata-1.8.2.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.apache.axis2/axis2-saaj/1.8.2/5ffe4fa423d9cddff83cb72a9e823f61555144be/axis2-saaj-1.8.2.jar
MD5: 3db2089d52ec1f9b8334ef7a5f411ad9  SHA1: 5ffe4fa423d9cddff83cb72a9e823f61555144be  SHA256: 641070cc8c600e3872092f5af76988835e55909c513b8388d35e292a31d386fb
Referenced In Project/Scope: server-start:runtimeClasspath
axis2-saaj-1.8.2.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.apache.axis2/axis2-soapmonitor-servlet/1.8.2/3b05be662ffee017962e2af2eb4f6f679d370c05/axis2-soapmonitor-servlet-1.8.2.jar
MD5: ca5a9ed9b8f039abeac16bc1ec9964b5  SHA1: 3b05be662ffee017962e2af2eb4f6f679d370c05  SHA256: 599c28b80609205743286cd50fa5112bf6f33d96b2194764c118af2e0d71433f
Referenced In Project/Scope: server-start:runtimeClasspath
axis2-soapmonitor-servlet-1.8.2.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.apache.axis2/axis2-transport-base/1.8.2/d44d4f765f8c5a49ba35fa5ffe53c2b50302d3de/axis2-transport-base-1.8.2.jar
MD5: ac71fb412d0569b6bcf18cef672ae153  SHA1: d44d4f765f8c5a49ba35fa5ffe53c2b50302d3de  SHA256: b897a865489a374a4d45a4dbbb5a79e9348b8b95e2a64386e7d4271388c13b4d
Referenced In Project/Scope: server-start:runtimeClasspath
axis2-transport-base-1.8.2.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.apache.axis2/axis2-transport-jms/1.8.2/ad1b97bbe591c1baeadb99a7a3b6142e0a905b87/axis2-transport-jms-1.8.2.jar
MD5: 4e8a441201d85d9d4c6c03471d6f831a  SHA1: ad1b97bbe591c1baeadb99a7a3b6142e0a905b87  SHA256: 36c36b7d952f26c74a17e5508a21139a659d716ff895605c1d6ba4fcaaeb2e43
Referenced In Project/Scope: server-start:runtimeClasspath
axis2-transport-jms-1.8.2.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.apache.axis2/axis2-transport-local/1.8.2/dcb081b09a74099f1984673e0a6bd4a0a201937f/axis2-transport-local-1.8.2.jar
MD5: f3309955aadc0e594da94e86171c7aa6  SHA1: dcb081b09a74099f1984673e0a6bd4a0a201937f  SHA256: e7508c7883d52192511a389d45d237f0bed15afc9e25ef9cdc8a45bbebf7058c
Referenced In Project/Scope: server-start:runtimeClasspath
axis2-transport-local-1.8.2.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.apache.axis2/axis2-transport-mail/1.8.2/c10a6989b99b37fbc7c539a3a485912d6e50e664/axis2-transport-mail-1.8.2.jar
MD5: c94f0fea50463da2d0a066cbf9a667c3  SHA1: c10a6989b99b37fbc7c539a3a485912d6e50e664  SHA256: a085708bfa7d0115572f53b91af45816863b2479624174a816f3e52e697387c2
Referenced In Project/Scope: server-start:runtimeClasspath
axis2-transport-mail-1.8.2.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.apache.axis2/axis2-transport-tcp/1.8.2/9de3b387839a75ba7f4e104c27bad7959e4ddbcb/axis2-transport-tcp-1.8.2.jar
MD5: cc0981794bcce2ed0f01e7aad8bb4e95  SHA1: 9de3b387839a75ba7f4e104c27bad7959e4ddbcb  SHA256: 3970c698005ab3d3a8902906444b04233b3918b26e9f6d6030fcda2ad6e806f6
Referenced In Project/Scope: server-start:runtimeClasspath
axis2-transport-tcp-1.8.2.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.apache.axis2/axis2-transport-udp/1.8.2/654da73f59c64e694ae13d2811bf3ded04dbfe9c/axis2-transport-udp-1.8.2.jar
MD5: 264ae2ec85cec1b8a205e9a34a184ad5  SHA1: 654da73f59c64e694ae13d2811bf3ded04dbfe9c  SHA256: eda14a611623e129e4978b75033167b5894064ed6fdaa5b94900b9e5b5d15121
Referenced In Project/Scope: server-start:runtimeClasspath
axis2-transport-udp-1.8.2.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.apache.axis2/axis2-transport-xmpp/1.8.2/c825cee68e03372a18b8108aff4b70789508d27d/axis2-transport-xmpp-1.8.2.jar
MD5: a9994ec4dbdb4c9a88860f9701787c6e  SHA1: c825cee68e03372a18b8108aff4b70789508d27d  SHA256: 98be29abde7038efc717325eddfb28540467b4b0c1b87a2e507a8ad0ccdb2e8f
Referenced In Project/Scope: server-start:runtimeClasspath
axis2-transport-xmpp-1.8.2.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.apache.axis2/axis2-xmlbeans/1.8.2/715ac0b934fc83597be5466631ea3e9592049272/axis2-xmlbeans-1.8.2.jar
MD5: 07cfe72d45bbe72b6862bb17cc864f0f  SHA1: 715ac0b934fc83597be5466631ea3e9592049272  SHA256: af059f743ef568b315343e84b974f16bd8a154fa834bdea194fab712ebb60702
Referenced In Project/Scope: server-start:runtimeClasspath
axis2-xmlbeans-1.8.2.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified
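The hash fields in these records can be cross-checked against the path itself. Gradle's module cache names each artifact directory after the artifact's SHA-1, but writes it as a hexadecimal integer, so a leading zero is dropped: asm-9.7.jar sits in a directory named 73d7b3... while its SHA1 is 073d7b3..., and axis2-adb, axis2-adb-codegen and axis2-codegen above show the same pattern. A string comparison would flag all four as mismatches; a numeric comparison does not. The following Python is an added example written for this page, not part of the report or of Dependency-Check: it parses records in the flattened form used on this page, confirms the directory hash equals the SHA-1 modulo leading zeros, and flags records that lack an "Included by" root or sit in a configuration that ships to production. Which Gradle configurations count as shipped (runtimeClasspath, webapps) is an assumption for this project; jacocoAnt is build tooling. Three sample records are copied from this page and one negative case is constructed.

```python
"""Triage helper for flattened OWASP Dependency-Check records (added example)."""
import re
from dataclasses import dataclass

# Grammar of one flattened "File Path: ..." record as it appears in this report.
ENTRY_RE = re.compile(
    r"File Path: (?P<path>\S+) MD5: (?P<md5>[0-9a-f]{32}) SHA1: (?P<sha1>[0-9a-f]{40}) "
    r"SHA256:\s*(?P<sha256>[0-9a-f]{64}) Referenced In Project/Scope: (?P<scope>\S+) "
    r"(?P<jar>\S+) is in the transitive dependency tree of the listed items\.\s*"
    r"Included by:\s*(?P<included_by>.*)$"
)

# Triage assumption for this project (not stated by the report): these Gradle configurations
# end up in the deployed artifact; everything else (compileClasspath, jacocoAnt) is build-time.
SHIPPED_SCOPES = {"runtimeClasspath", "webapps"}


@dataclass(frozen=True)
class Entry:
    path: str
    md5: str
    sha1: str
    sha256: str
    scope: str
    jar: str
    included_by: str

    @property
    def cache_dir(self) -> str:
        # files-2.1/<group>/<artifact>/<version>/<hash>/<jar>
        return self.path.rsplit("/", 2)[1]

    def cache_dir_matches_sha1(self) -> bool:
        # Gradle stores the SHA-1 as a hex integer, so leading zeros are dropped:
        # compare numerically, not as strings.
        return int(self.cache_dir, 16) == int(self.sha1, 16)

    def path_matches_jar(self) -> bool:
        return self.path.endswith("/" + self.jar)

    def is_shipped(self) -> bool:
        return self.scope.rsplit(":", 1)[-1] in SHIPPED_SCOPES


def parse_entry(line: str) -> Entry:
    m = ENTRY_RE.match(line.strip())
    if not m:
        raise ValueError("not a File Path record: " + line[:60])
    return Entry(**m.groupdict())


def triage(lines):
    """Return [(entry, findings)] for every record; findings are short strings."""
    out = []
    for line in lines:
        e = parse_entry(line)
        findings = []
        if not e.path_matches_jar():
            findings.append("jar name does not match path")
        if not e.cache_dir_matches_sha1():
            findings.append("cache directory hash != reported SHA-1")
        if not e.included_by:
            findings.append("no 'Included by' root: origin unknown")
        if e.is_shipped():
            findings.append("ships at runtime: prioritise")
        out.append((e, findings))
    return out


SAMPLE_LINES = [
    # FastInfoset-2.1.0.jar record, copied from this report.
    "File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/"
    "com.sun.xml.fastinfoset/FastInfoset/2.1.0/cd92e93ef4ee608bffe4ba41b1247846a3d42227/FastInfoset-2.1.0.jar "
    "MD5: e3b96affb511af41c5ba5bc6827b93db SHA1: cd92e93ef4ee608bffe4ba41b1247846a3d42227 "
    "SHA256:b968161aab6beb1ea1a4a62a3d84b5d762d62681f7ce23cf03049915d9748d21 "
    "Referenced In Project/Scope: server-start:runtimeClasspath FastInfoset-2.1.0.jar is in the "
    "transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified",
    # asm-9.7.jar record: the cache directory lacks the SHA-1's leading zero.
    "File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/"
    "org.ow2.asm/asm/9.7/73d7b3086e14beb604ced229c302feff6449723/asm-9.7.jar "
    "MD5: 3957b18bf02a62edcb6726d074b90b08 SHA1: 073d7b3086e14beb604ced229c302feff6449723 "
    "SHA256:adf46d5e34940bdf148ecdd26a9ee8eea94496a72034ff7141066b3eea5c4e9d "
    "Referenced In Project/Scope: server-start:jacocoAnt asm-9.7.jar is in the "
    "transitive dependency tree of the listed items.Included by: pkg:maven/org.jacoco/org.jacoco.ant@0.8.12",
    # angus-activation-2.0.2.jar record: the report lists no 'Included by' root.
    "File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/"
    "org.eclipse.angus/angus-activation/2.0.2/41f1e0ddd157c856926ed149ab837d110955a9fc/angus-activation-2.0.2.jar "
    "MD5: 42bba74155dc773eca277ee7a16f74be SHA1: 41f1e0ddd157c856926ed149ab837d110955a9fc "
    "SHA256:6dd3bcffc22bce83b07376a0e2e094e4964a3195d4118fb43e380ef35436cc1e "
    "Referenced In Project/Scope: server-start:webapps angus-activation-2.0.2.jar is in the "
    "transitive dependency tree of the listed items.Included by:",
]
# Constructed negative case: the first record with a SHA-1 that cannot match its directory.
TAMPERED = SAMPLE_LINES[0].replace(
    "SHA1: cd92e93ef4ee608bffe4ba41b1247846a3d42227", "SHA1: " + "deadbeef" * 5)

if __name__ == "__main__":
    for entry, findings in triage(SAMPLE_LINES + [TAMPERED]):
        print(entry.jar, entry.scope, findings)
```

The numeric comparison is intentionally weaker than string equality, but only by leading zeros, which is exactly the difference Gradle introduces; any other discrepancy between the directory and the reported SHA-1 means the report and the cache disagree about which bytes were scanned.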
The Bouncy Castle Java S/MIME APIs for handling S/MIME protocols. This jar contains S/MIME APIs for JDK 1.8 and up. The APIs can be used in conjunction with a JCE/JCA provider such as the one provided with the Bouncy Castle Cryptography APIs. The JavaMail API and the Java activation framework will also be needed.
Spongy Castle is a package-rename (org.bouncycastle.* to org.spongycastle.*) of Bouncy Castle intended for the Android platform. Android unfortunately ships with a stripped-down version of Bouncy Castle, which prevents easy upgrades - Spongy Castle overcomes this and provides a full, up-to-date version of the Bouncy Castle cryptographic libs.
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/com.madgag.spongycastle/bcpkix-jdk15on/1.58.0.0/a0502b8f7dcd70612c0f5be77f3cd76e4665d268/bcpkix-jdk15on-1.58.0.0.jar
MD5: 9df80baea46f7f6d4bb773801e2f6b99  SHA1: a0502b8f7dcd70612c0f5be77f3cd76e4665d268  SHA256: 89b776cc46caf6f9c29de3fdfe3aad06313b05646778a60873fcfd41f09a87ce
Referenced In Project/Scope: server-start:runtimeClasspath
bcpkix-jdk15on-1.58.0.0.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/TRANSCONNECT.backend.adapters/opcua-adapter@unspecified
The Bouncy Castle Java APIs for CMS, PKCS, EAC, TSP, CMP, CRMF, OCSP, and certificate generation. This jar contains APIs for JDK 1.8 and up. The APIs can be used in conjunction with a JCE/JCA provider such as the one provided with the Bouncy Castle Cryptography APIs.
The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.8 and up.
library for reading/writing non-octet aligned values
License:
Apache License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/com.github.jinahya/bit-io/1.4.3/46abf1c2d8af5e1d2e1cad7e7c64bd9822a88656/bit-io-1.4.3.jar
MD5: 4bac73c8be3680928158794389d22a3e  SHA1: 46abf1c2d8af5e1d2e1cad7e7c64bd9822a88656  SHA256: a72ab0e8eb9f86d2d5db7b57d7772023f171e58ce74821f9f47a506f9afdccbe
Referenced In Project/Scope: server-start:runtimeClasspath
bit-io-1.4.3.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified
The Apache License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.mongodb/bson/5.6.4/57f50acb18b1d9c953f80a685d8c72698eb8c92a/bson-5.6.4.jar MD5: b752694441c61feb4c18b4377cea5f8a SHA1: 57f50acb18b1d9c953f80a685d8c72698eb8c92a SHA256:2ac120779879b262e3f65ac4e94105bd439ad33511f783846c1fe8278d6541f8 Referenced In Project/Scope: server-start:runtimeClasspath bson-5.6.4.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified
The Apache License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.mongodb/bson-record-codec/5.6.4/b3381732c44aaba3582d142e10e96d2a880281b3/bson-record-codec-5.6.4.jar MD5: 9ae2940d1df485cbe9145590f43d5450 SHA1: b3381732c44aaba3582d142e10e96d2a880281b3 SHA256:4c75d0a88cf71bef3c8db61355b199bffb733d3100580cf12caa4966e088c780 Referenced In Project/Scope: server-start:runtimeClasspath bson-record-codec-5.6.4.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified
Apache License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/javax.cache/cache-api/1.1.0/77bdcff7814076dfa61611b0db88487c515150b6/cache-api-1.1.0.jar MD5: ac907ad12e9a7ac5d41abf703855002f SHA1: 77bdcff7814076dfa61611b0db88487c515150b6 SHA256:6c980ad1ae4a6dda3bdb62986c3ef5b41ccf766e12353587ee4e4307e27e155a Referenced In Project/Scope: server-start:webapps cache-api-1.1.0.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend.webservices/soapapi@unspecified
checker-qual contains annotations (type qualifiers) that a programmer
writes to specify Java code for type-checking by the Checker Framework.
License:
The MIT License: http://opensource.org/licenses/MIT
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.checkerframework/checker-qual/3.43.0/9425eee39e56b116d2b998b7c2cebcbd11a3c98b/checker-qual-3.43.0.jar MD5: 4f56e65c8f302ca8b4cb384c9b4a53b6 SHA1: 9425eee39e56b116d2b998b7c2cebcbd11a3c98b SHA256:3fbc2e98f05854c3df16df9abaa955b91b15b3ecac33623208ed6424640ef0f6 Referenced In Project/Scope: server-start:webapps checker-qual-3.43.0.jar is in the transitive dependency tree of the listed items.Included by:
The uber-fast, ultra-lightweight classpath and module scanner for JVM languages.
License:
The MIT License (MIT): http://opensource.org/licenses/MIT
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/io.github.classgraph/classgraph/4.8.184/a4f7ddec0f831dcf7ec3db32ae2c7e628c89f1a6/classgraph-4.8.184.jar MD5: f17699e5f6be5a692cde649b5d97b3a1 SHA1: a4f7ddec0f831dcf7ec3db32ae2c7e628c89f1a6 SHA256:6e564e29cec95a392268a609f09071d56199383d906ac70e91753a7998d1a3e8 Referenced In Project/Scope: server-start:webapps classgraph-4.8.184.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend.webservices/restapi@unspecified
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.glassfish.jaxb/codemodel/2.3.6/4473f359afb95b57935cd8fa3b071bd73371632c/codemodel-2.3.6.jar MD5: 6398352cf3ba0f9b32d0d1e93f6dae33 SHA1: 4473f359afb95b57935cd8fa3b071bd73371632c SHA256:8f1afd4e2027af351353598a5643fae148593cb6a931270724a7e47a741013b4 Referenced In Project/Scope: server-start:runtimeClasspath codemodel-2.3.6.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/io.transconnect.connector/command-local-connector/0.9.7/ca1d7331fa3e76b5cf7244cc4eea850ae24b6222/command-local-connector-0.9.7-classes.jar MD5: e473ffac0429ea9735a6395ed5e0df36 SHA1: ca1d7331fa3e76b5cf7244cc4eea850ae24b6222 SHA256:68bb678a07eb225d792fc3777e6fe704fc2cfa04c5038e700c376eb547dde46a Referenced In Project/Scope: server-start:compileClasspath command-local-connector-0.9.7-classes.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend/server-start@unspecified
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/io.transconnect.connector/command-local-connector/0.9.7/d680bfd369d6c065c4883af2f263ec5ef36801bf/command-local-connector-0.9.7.war MD5: 43f9f276dba8e3917b72bde1343579e2 SHA1: d680bfd369d6c065c4883af2f263ec5ef36801bf SHA256:7a1cd3b2ad04fa3c04c8c57361d012e84c981bc70bb5262a65107b3457759257 Referenced In Project/Scope: server-start:webapps command-local-connector-0.9.7.war is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend/server-start@unspecified
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/io.transconnect.connector/command-ssh-connector/0.9.6/9c5c87baa7e91681aff89e9a969e95081654e799/command-ssh-connector-0.9.6-classes.jar MD5: 9c5b121d1e8e020da65786b9789750c5 SHA1: 9c5c87baa7e91681aff89e9a969e95081654e799 SHA256:96bbd79d9c273d9429bda3487d5bd1d493069357f87acbb7a31c6fc91710e555 Referenced In Project/Scope: server-start:compileClasspath command-ssh-connector-0.9.6-classes.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend/server-start@unspecified
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/io.transconnect.connector/command-ssh-connector/0.9.6/742f5cc926b691cfc00f64aea584a897862d9dc5/command-ssh-connector-0.9.6.war MD5: 53f2d9585335fcf0c41e7bd76411598b SHA1: 742f5cc926b691cfc00f64aea584a897862d9dc5 SHA256:4faf1d978512e62cf52ffe87f4965ce0350459d360adde3c5d8251f994f2910b Referenced In Project/Scope: server-start:webapps command-ssh-connector-0.9.6.war is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend/server-start@unspecified
Contains
com.google.common.util.concurrent.internal.InternalFutureFailureAccess and
InternalFutures. Most users will never need to use this artifact. Its
classes are conceptually a part of Guava, but they're in this separate
artifact so that Android libraries can use them without pulling in all of
Guava (just as they can use ListenableFuture by depending on the
listenablefuture artifact).
The Apache Commons Codec component contains encoders and decoders for
various formats such as Base16, Base32, Base64, digest, and Hexadecimal. In addition to these
widely used encoders and decoders, the codec package also maintains a
collection of phonetic encoding utilities.
The Apache Commons Codec component contains encoders and decoders for
formats such as Base16, Base32, Base64, digest, and Hexadecimal. In addition to these
widely used encoders and decoders, the codec package also maintains a
collection of phonetic encoding utilities.
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/commons-codec/commons-codec/1.19.0/8c0dbe3ae883fceda9b50a6c76e745e548073388/commons-codec-1.19.0.jar MD5: e46fa78c69544eb6239c4e8447e72544 SHA1: 8c0dbe3ae883fceda9b50a6c76e745e548073388 SHA256:5c3881e4f556855e9c532927ee0c9dfde94cc66760d5805c031a59887070af5f Referenced In Project/Scope: server-start:runtimeClasspath commons-codec-1.19.0.jar is in the transitive dependency tree of the listed items.Included by:
Apache Commons Compress defines an API for working with
compression and archive formats. These include bzip2, gzip, pack200,
LZMA, XZ, Snappy, traditional Unix Compress, DEFLATE, DEFLATE64, LZ4,
Brotli, Zstandard and ar, cpio, jar, tar, zip, dump, 7z, arj.
The Apache Commons FileUpload component provides a simple yet flexible means of adding support for multipart
file upload functionality to servlets and web applications.
The Apache Commons FileUpload Core component provides the framework for a simple yet flexible means of adding support for multipart
file upload functionality to servlets, portlets, and web applications.
The Apache Commons FileUpload Jakarta component provides a simple yet flexible means of adding support for multipart
file upload functionality to Jakarta servlets and web applications.
The HttpClient component supports the client-side of RFC 1945 (HTTP/1.0) and RFC 2616 (HTTP/1.1), several related specifications (RFC 2109 (Cookies), RFC 2617 (HTTP Authentication), etc.), and provides a framework by which new request types (methods) or HTTP extensions can be created easily.
Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret malformed authority component in request URIs passed to the library as java.net.URI object and pick the wrong target host for request execution.
The Apache Commons IO library contains utility classes, stream implementations, file filters,
file comparators, endian transformation classes, and much more.
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/commons-io/commons-io/2.18.0/44084ef756763795b31c578403dd028ff4a22950/commons-io-2.18.0.jar MD5: 8cce74ccf461cd6502ae04c908eca917 SHA1: 44084ef756763795b31c578403dd028ff4a22950 SHA256:f3ca0f8d63c40e23a56d54101c60d5edee136b42d84bfb85bc7963093109cf8b Referenced In Project/Scope: server-start:webapps commons-io-2.18.0.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend.webservices/soapapi@unspecified
The Apache Commons IO library contains utility classes, stream implementations, file filters,
file comparators, endian transformation classes, and much more.
Apache Commons Lang, a package of Java utility classes for the
classes that are in java.lang's hierarchy, or are considered to be so
standard as to justify existence in java.lang.
The code is tested using the latest revision of the JDK for supported
LTS releases: 8, 11, 17 and 21 currently.
See https://github.com/apache/commons-lang/blob/master/.github/workflows/maven.yml
Please ensure your build environment is up-to-date and kindly report any build issues.
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.apache.commons/commons-lang3/3.16.0/3eb54effe40946dfb06dc5cd6c7ce4116cd51ea4/commons-lang3-3.16.0.jar MD5: 67bc6dbd753fc276d69aeb4cfa205e15 SHA1: 3eb54effe40946dfb06dc5cd6c7ce4116cd51ea4 SHA256:08709dd74d602b705ce4017d26544210056a4ba583d5b20c09373406fe7a00f8 Referenced In Project/Scope: server-start:compileClasspath commons-lang3-3.16.0.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified
Uncontrolled Recursion vulnerability in Apache Commons Lang.
This issue affects Apache Commons Lang: commons-lang:commons-lang 2.0 through 2.6, and org.apache.commons:commons-lang3 from 3.0 before 3.18.0.
The ClassUtils.getClass(...) methods can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a StackOverflowError can cause an application to stop.
Users are recommended to upgrade to version 3.18.0, which fixes the issue. The commons-lang3 3.16.0 artifact listed above falls inside the affected range.
Apache Commons Lang, a package of Java utility classes for the
classes that are in java.lang's hierarchy, or are considered to be so
standard as to justify existence in java.lang.
The code is tested using the latest revision of the JDK for supported
LTS releases: 8, 11, 17 and 21 currently.
See https://github.com/apache/commons-lang/blob/master/.github/workflows/maven.yml
Please ensure your build environment is up-to-date and kindly report any build issues.
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/commons-logging/commons-logging/1.3.4/b9fc14968d63a8b8a8a2c1885fe3e90564239708/commons-logging-1.3.4.jar MD5: e7a1e7cb6a89241ed9bfec4c25b6c645 SHA1: b9fc14968d63a8b8a8a2c1885fe3e90564239708 SHA256:bc2dfe32f1ef06509e6a065144c1adf7b420eabf11a87f30bd127f8faa332016 Referenced In Project/Scope: server-start:runtimeClasspath commons-logging-1.3.4.jar is in the transitive dependency tree of the listed items.Included by:
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/commons-logging/commons-logging/1.3.5/a3fcc5d3c29b2b03433aa2d2f2d2c1b1638924a1/commons-logging-1.3.5.jar MD5: 9ca067b073153c86c2da350c0f2cdf70 SHA1: a3fcc5d3c29b2b03433aa2d2f2d2c1b1638924a1 SHA256:6d7a744e4027649fbb50895df9497d109f98c766a637062fe8d2eabbb3140ba4 Referenced In Project/Scope: server-start:compileClasspath commons-logging-1.3.5.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified
The Apache Commons Math project is a library of lightweight, self-contained mathematics and statistics components addressing the most common practical problems not immediately available in the Java programming language or commons-lang.
Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client. The default in version 3.9.0 is now false to ignore such hosts, as cURL does. See https://issues.apache.org/jira/browse/NET-711.
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.conscrypt/conscrypt-openjdk-uber/2.5.2/d858f142ea189c62771c505a6548d8606ac098fe/conscrypt-openjdk-uber-2.5.2.jar MD5: 34c8ec40831d77372b2bea95139783b0 SHA1: d858f142ea189c62771c505a6548d8606ac098fe SHA256:eaf537d98e033d0f0451cd1b8cc74e02d7b55ec882da63c88060d806ba89c348 Referenced In Project/Scope: server-start:runtimeClasspath conscrypt-openjdk-uber-2.5.2.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified
A Retrofit Converter which uses Gson for serialization.
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/com.squareup.retrofit2/converter-gson/2.9.0/fc93484fc67ab52b1e0ccbdaa3922d8a6678e097/converter-gson-2.9.0.jar MD5: a4d032098e196d2735c1cff92968ab20 SHA1: fc93484fc67ab52b1e0ccbdaa3922d8a6678e097 SHA256:32aa206b9a29c9df5eda93a092cfb3b0b9133e232c062baa882f0319f0e79f0e Referenced In Project/Scope: server-start:runtimeClasspath converter-gson-2.9.0.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified
Spongy Castle is a package-rename (org.bouncycastle.* to org.spongycastle.*) of Bouncy Castle
intended for the Android platform. Android unfortunately ships with a stripped-down version of
Bouncy Castle, which prevents easy upgrades - Spongy Castle overcomes this and provides a full,
up-to-date version of the Bouncy Castle cryptographic libs.
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/com.madgag.spongycastle/core/1.58.0.0/e08789f8f1e74f155db8b69c3575b5cb213c156c/core-1.58.0.0.jar MD5: 1a51c2d5dd9f788e14bd9358718994ea SHA1: e08789f8f1e74f155db8b69c3575b5cb213c156c SHA256:199617dd5698c5a9312b898c0a4cec7ce9dd8649d07f65d91629f58229d72728 Referenced In Project/Scope: server-start:runtimeClasspath core-1.58.0.0.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend.adapters/opcua-adapter@unspecified
The spectacular complement to the Bouncy Castle crypto API for Java.
License:
Apache 2: https://www.apache.org/licenses/LICENSE-2.0.txt
GNU Lesser General Public License: https://www.gnu.org/licenses/lgpl-3.0.txt
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.cryptacular/cryptacular/1.2.7/8e2849cd0cc8856899c1190ec8bc9f261fb215e/cryptacular-1.2.7.jar MD5: 9171ea0e9f71e98984def0861f5a9a7b SHA1: 08e2849cd0cc8856899c1190ec8bc9f261fb215e SHA256:fd5e655cc48c2c4568d8a40770dc07442316d61bcc1c24f199b84deee7e4f727 Referenced In Project/Scope: server-start:webapps cryptacular-1.2.7.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend.webservices/soapapi@unspecified
Implementation of various mathematical curves that define themselves over a set of control points. The API is written in Java. The curves supported are: Bezier, B-Spline, Cardinal Spline, Catmull-Rom Spline, Lagrange, Natural Cubic Spline, and NURBS.
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.apache.cxf/cxf-core/4.1.3/9a499cf61c9a6e1bc533bdfef26b202e91187ef/cxf-core-4.1.3.jar MD5: 5538cfb8358d6043d7b8c69badfc7939 SHA1: 09a499cf61c9a6e1bc533bdfef26b202e91187ef SHA256:aa4699bd27b916285a8c07e444ab6cb462e094aa53cf8646acadef79fcdb7165 Referenced In Project/Scope: server-start:webapps cxf-core-4.1.3.jar is in the transitive dependency tree of the listed items.Included by:
An LDAP injection vulnerability in the LDAP Certificate repository of the XKMS server in Apache CXF may allow an attacker to retrieve arbitrary certificates from the repository.
Users are recommended to upgrade to versions 4.2.1, 4.1.6 or 3.6.11, which fix this issue.
CWE-90 Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
The fix for CVE-2025-48913 (Apache CXF: untrusted JMS configuration can lead to RCE) was not complete: another code path may still lead to code execution if untrusted users are allowed to configure JMS for Apache CXF.
Users are recommended to upgrade to versions 4.2.1, 4.1.6 or 3.6.11, which fix this issue.
Insecure XML parser configuration in Apache CXF's WS-Transfer module may allow attackers to perform XXE attacks.
Users are recommended to upgrade to versions 4.2.1, 4.1.6 or 3.6.11, which fix this issue.
CWE-611 Improper Restriction of XML External Entity Reference
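Two checks a reviewer of this report would want to automate are visible in the entries above: the Gradle cache directory for cxf-core (9a499c...) and for cryptacular (8e2849...) is the jar's SHA1 with its leading zero dropped, which is consistent with Gradle encoding the hash as a hex BigInteger, and the CXF advisory names one fixed release per line (4.2.1, 4.1.6 or 3.6.11), so 4.1.3 has to be compared against 4.1.6 rather than against the highest number. The following Python script is an added example, not code from the OWASP tool or from this report: it parses "File Path:" lines in the format used on this page, verifies the cache directory against the reported SHA1, and judges each artifact against the fixed versions quoted by the advisories on this page (CXF and commons-lang3). The sample lines are copied from the report above and trimmed after the scope field; the "closest release line" rule, the FIXED_VERSIONS map keys and all function names are this example's own assumptions.

```python
"""Triage helper for "File Path:" lines copied out of a Dependency-Check report.

Added example, not part of the OWASP tool or of this report.  Two checks:
  1. the Gradle cache directory name must equal the jar's SHA1 with leading
     zeros dropped (Gradle stores the hash as a hex-encoded BigInteger);
  2. the artifact version must be at or above the fixed version on the
     closest release line named in the advisory.
"""
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample input: lines copied from the report on this page, trimmed
# after the scope field.
SAMPLE_LINES = [
    "File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.apache.cxf/cxf-core/4.1.3/9a499cf61c9a6e1bc533bdfef26b202e91187ef/cxf-core-4.1.3.jar MD5: 5538cfb8358d6043d7b8c69badfc7939 SHA1: 09a499cf61c9a6e1bc533bdfef26b202e91187ef SHA256:aa4699bd27b916285a8c07e444ab6cb462e094aa53cf8646acadef79fcdb7165 Referenced In Project/Scope: server-start:webapps",
    "File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.cryptacular/cryptacular/1.2.7/8e2849cd0cc8856899c1190ec8bc9f261fb215e/cryptacular-1.2.7.jar MD5: 9171ea0e9f71e98984def0861f5a9a7b SHA1: 08e2849cd0cc8856899c1190ec8bc9f261fb215e SHA256:fd5e655cc48c2c4568d8a40770dc07442316d61bcc1c24f199b84deee7e4f727 Referenced In Project/Scope: server-start:webapps",
    "File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.apache.commons/commons-lang3/3.16.0/3eb54effe40946dfb06dc5cd6c7ce4116cd51ea4/commons-lang3-3.16.0.jar MD5: 67bc6dbd753fc276d69aeb4cfa205e15 SHA1: 3eb54effe40946dfb06dc5cd6c7ce4116cd51ea4 SHA256:08709dd74d602b705ce4017d26544210056a4ba583d5b20c09373406fe7a00f8 Referenced In Project/Scope: server-start:compileClasspath",
]

# Fixed versions quoted by the advisories on this page, keyed by Maven group or
# by group:artifact.  Which key to use per advisory is this example's choice.
FIXED_VERSIONS: Dict[str, List[str]] = {
    "org.apache.cxf": ["4.2.1", "4.1.6", "3.6.11"],
    "org.apache.commons:commons-lang3": ["3.18.0"],
}

# One "File Path:" line as printed in the report: Gradle cache path, three
# digests, then the configuration (scope) the artifact is referenced from.
FILE_PATH_RE = re.compile(
    r"File Path: (?P<path>\S+/files-2\.1/(?P<group>[^/\s]+)/(?P<artifact>[^/\s]+)/"
    r"(?P<version>[^/\s]+)/(?P<hashdir>[0-9a-f]+)/(?P<file>\S+))"
    r" MD5: (?P<md5>[0-9a-f]{32}) SHA1: (?P<sha1>[0-9a-f]{40}) SHA256:(?P<sha256>[0-9a-f]{64})"
    r" Referenced In Project/Scope: (?P<scope>\S+)"
)

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'4.1.3' -> (4, 1, 3); four-part versions such as 1.58.0.0 work too."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def parse_report_line(line: str) -> Optional[dict]:
    """Return the named fields of one 'File Path:' line, or None if it does not parse."""
    match = FILE_PATH_RE.search(line)
    return match.groupdict() if match else None


def cache_dir_matches_sha1(hashdir: str, sha1: str) -> bool:
    """Gradle's files-2.1 layout names the directory after the SHA1 without leading zeros."""
    return hashdir == (sha1.lstrip("0") or "0")


def common_prefix_len(a: Version, b: Version) -> int:
    """Number of leading version components shared by a and b."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def is_fixed(version: str, fixed: List[str]) -> bool:
    """True if `version` is at or above the fixed release on the closest release line.

    The advisory names one fixed release per line (4.2.x, 4.1.x, 3.6.x); we compare
    against the one sharing the longest prefix with `version`, smallest on ties,
    so 4.0.5 is judged against 4.1.6 (affected) and 4.3.0 against 4.1.6 (fixed).
    This closest-line rule is an assumption of the example, not Dependency-Check's logic.
    """
    v = parse_version(version)
    candidates = sorted((parse_version(f) for f in fixed),
                        key=lambda f: (-common_prefix_len(v, f), f))
    return v >= candidates[0]


def triage(lines: Iterable[str]) -> List[dict]:
    """One finding per parseable line: integrity of the cache path and advisory status."""
    findings = []
    for line in lines:
        entry = parse_report_line(line)
        if entry is None:
            continue
        fixed = (FIXED_VERSIONS.get(f"{entry['group']}:{entry['artifact']}")
                 or FIXED_VERSIONS.get(entry["group"]))
        findings.append({
            "artifact": entry["artifact"],
            "version": entry["version"],
            "scope": entry["scope"],
            "hash_ok": cache_dir_matches_sha1(entry["hashdir"], entry["sha1"]),
            # None when no advisory on this page names a fixed version for the artifact.
            "affected": None if fixed is None else not is_fixed(entry["version"], fixed),
        })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LINES):
        print(finding)
```

Run on the three sample lines, the script reports all three cache directories as consistent with their SHA1, cxf-core 4.1.3 and commons-lang3 3.16.0 as affected, and cryptacular 1.2.7 as having no advisory in the map. A path whose directory does not match the reported SHA1 is worth a second look before the jar is trusted, and a mismatch in the other direction (a path carrying a leading zero) is treated as wrong on purpose, since Gradle never writes one.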
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.apache.cxf/cxf-rt-bindings-soap/4.1.3/dbdbbe48c8e7776fdbce9f2dede4ebb8c2a5af7d/cxf-rt-bindings-soap-4.1.3.jar MD5: 9f488dbcbe3a463bc2448ebe3529d1cd SHA1: dbdbbe48c8e7776fdbce9f2dede4ebb8c2a5af7d SHA256:c67ad59e3e59507f5dde2e15fc7ab70ce0bd61eddb85436de137067c2dde87f8 Referenced In Project/Scope: server-start:webapps cxf-rt-bindings-soap-4.1.3.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend.webservices/soapapi@unspecified
An LDAP injection vulnerability in the LDAP Certificate repository of the XKMS server in Apache CXF may allow an attacker to retrieve arbitrary certificates from the repository.
Users are recommended to upgrade to versions 4.2.1, 4.1.6 or 3.6.11, which fix this issue.
CWE-90 Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
The fix for CVE-2025-48913 (Apache CXF: untrusted JMS configuration can lead to RCE) was not complete: another code path may still lead to code execution if untrusted users are allowed to configure JMS for Apache CXF.
Users are recommended to upgrade to versions 4.2.1, 4.1.6 or 3.6.11, which fix this issue.
Insecure XML parser configuration in Apache CXF's WS-Transfer module may allow attackers to perform XXE attacks.
Users are recommended to upgrade to versions 4.2.1, 4.1.6 or 3.6.11, which fix this issue.
CWE-611 Improper Restriction of XML External Entity Reference
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.apache.cxf/cxf-rt-bindings-xml/4.1.3/4489f6c0f782bfccce768d57ea2e5bcbc485ee33/cxf-rt-bindings-xml-4.1.3.jar MD5: 47ffaa294fe17675d75ca3c42c311cdd SHA1: 4489f6c0f782bfccce768d57ea2e5bcbc485ee33 SHA256:981cc1d4149370d8dce61ff7bcfee1e5e81113e9716948f257cff52715b4c2f8 Referenced In Project/Scope: server-start:webapps cxf-rt-bindings-xml-4.1.3.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend.webservices/soapapi@unspecified
An LDAP injection vulnerability in the LDAP Certificate repository of the XKMS server in Apache CXF may allow an attacker to retrieve arbitrary certificates from the repository.
Users are recommended to upgrade to versions 4.2.1, 4.1.6 or 3.6.11, which fix this issue.
CWE-90 Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
The fix for CVE-2025-48913 (Apache CXF: untrusted JMS configuration can lead to RCE) was not complete: another code path may still lead to code execution if untrusted users are allowed to configure JMS for Apache CXF.
Users are recommended to upgrade to versions 4.2.1, 4.1.6 or 3.6.11, which fix this issue.
Insecure XML parser configuration in Apache CXF's WS-Transfer module may allow attackers to perform XXE attacks.
Users are recommended to upgrade to versions 4.2.1, 4.1.6 or 3.6.11, which fix this issue.
CWE-611 Improper Restriction of XML External Entity Reference
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.apache.cxf/cxf-rt-databinding-jaxb/4.1.3/3d884d64f6a942be085aeac7a172ee0141e6b840/cxf-rt-databinding-jaxb-4.1.3.jar MD5: dbe02efaa5b4cd3b1ce77b1dd6e23ee6 SHA1: 3d884d64f6a942be085aeac7a172ee0141e6b840 SHA256:0557e40d5a0a218124b536320de7f3e27b817088bfb6757d122a406ce6fa5086 Referenced In Project/Scope: server-start:webapps cxf-rt-databinding-jaxb-4.1.3.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend.webservices/soapapi@unspecified
An LDAP injection vulnerability in the LDAP Certificate repository of the XKMS server in Apache CXF may allow an attacker to retrieve arbitrary certificates from the repository.
Users are recommended to upgrade to versions 4.2.1, 4.1.6 or 3.6.11, which fix this issue.
CWE-90 Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
The fix for CVE-2025-48913 (Apache CXF: untrusted JMS configuration can lead to RCE) was not complete: another code path may still lead to code execution if untrusted users are allowed to configure JMS for Apache CXF.
Users are recommended to upgrade to versions 4.2.1, 4.1.6 or 3.6.11, which fix this issue.
Insecure XML parser configuration in Apache CXF's WS-Transfer module may allow attackers to perform XXE attacks.
Users are recommended to upgrade to versions 4.2.1, 4.1.6 or 3.6.11, which fix this issue.
CWE-611 Improper Restriction of XML External Entity Reference
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.apache.cxf/cxf-rt-frontend-jaxrs/4.1.3/889baca6714d0e9fa257a4a712bf3861a18f277c/cxf-rt-frontend-jaxrs-4.1.3.jar MD5: e0a41fe98c31428df98f13442a315140 SHA1: 889baca6714d0e9fa257a4a712bf3861a18f277c SHA256:32c40f7efd104393f233522343690e6f432dfc59b83d706ad3ee83dfefd10224 Referenced In Project/Scope: server-start:webapps cxf-rt-frontend-jaxrs-4.1.3.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend.webservices/restapi@unspecified
An LDAP injection vulnerability in the LDAP Certificate repository of the XKMS server in Apache CXF may allow an attacker to retrieve arbitrary certificates from the repository.
Users are recommended to upgrade to versions 4.2.1, 4.1.6 or 3.6.11, which fix this issue.
CWE-90 Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
The fix for CVE-2025-48913 (Apache CXF: untrusted JMS configuration can lead to RCE) was not complete: another code path may still lead to code execution if untrusted users are allowed to configure JMS for Apache CXF.
Users are recommended to upgrade to versions 4.2.1, 4.1.6 or 3.6.11, which fix this issue.
Insecure XML parser configuration in Apache CXF's WS-Transfer module may allow attackers to perform XXE attacks.
Users are recommended to upgrade to versions 4.2.1, 4.1.6 or 3.6.11, which fix this issue.
CWE-611 Improper Restriction of XML External Entity Reference
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.apache.cxf/cxf-rt-frontend-jaxws/4.1.3/92962bd9181a8a40e21b14bf87a2d96f0e920d9f/cxf-rt-frontend-jaxws-4.1.3.jar MD5: 9ceaa9feadb7ce1bc5f560b0d12a4fd4 SHA1: 92962bd9181a8a40e21b14bf87a2d96f0e920d9f SHA256:6c0e493d72773e40d2edd02d0819c3bb6dc4f7f3aa6558f1979ea02dfe04ab37 Referenced In Project/Scope: server-start:webapps cxf-rt-frontend-jaxws-4.1.3.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend.webservices/soapapi@unspecified
An LDAP injection vulnerability in the LDAP Certificate repository of the XKMS server in Apache CXF may allow an attacker to retrieve arbitrary certificates from the repository.
Users are recommended to upgrade to versions 4.2.1, 4.1.6 or 3.6.11, which fix this issue.
CWE-90 Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
The fix for CVE-2025-48913 (Apache CXF: untrusted JMS configuration can lead to RCE) was not complete: another code path may still lead to code execution if untrusted users are allowed to configure JMS for Apache CXF.
Users are recommended to upgrade to versions 4.2.1, 4.1.6 or 3.6.11, which fix this issue.
Insecure XML parser configuration in Apache CXF's WS-Transfer module may allow attackers to perform XXE attacks.
Users are recommended to upgrade to versions 4.2.1, 4.1.6 or 3.6.11, which fix this issue.
CWE-611 Improper Restriction of XML External Entity Reference
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.apache.cxf/cxf-rt-frontend-simple/4.1.3/973b57d25f61b5c6ee6e99479889f24376931008/cxf-rt-frontend-simple-4.1.3.jar MD5: f00eb07dd3f5931fd950b94dec6a1587 SHA1: 973b57d25f61b5c6ee6e99479889f24376931008 SHA256:4fbfaabafdf0bd722b93a5811b250163335a79ce4475bbe8aa4a835470711b09 Referenced In Project/Scope: server-start:webapps cxf-rt-frontend-simple-4.1.3.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend.webservices/soapapi@unspecified
An LDAP injection vulnerability in the LDAP Certificate repository of the XKMS server in Apache CXF may allow an attacker to retrieve arbitrary certificates from the repository.
Users are recommended to upgrade to versions 4.2.1, 4.1.6 or 3.6.11, which fix this issue.
CWE-90 Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
The fix for CVE-2025-48913 (Apache CXF: untrusted JMS configuration can lead to RCE) was not complete: another code path may still lead to code execution if untrusted users are allowed to configure JMS for Apache CXF.
Users are recommended to upgrade to versions 4.2.1, 4.1.6 or 3.6.11, which fix this issue.
Insecure XML parser configuration in Apache CXF's WS-Transfer module may allow attackers to perform XXE attacks.
Users are recommended to upgrade to versions 4.2.1, 4.1.6 or 3.6.11, which fix this issue.
CWE-611 Improper Restriction of XML External Entity Reference
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.apache.cxf/cxf-rt-rs-service-description-common-openapi/4.1.3/a79b27b32a4e33975f576a6fd420897e5204ad68/cxf-rt-rs-service-description-common-openapi-4.1.3.jar MD5: 00b1ef82b9a4c579e21d5d442b6b94a7 SHA1: a79b27b32a4e33975f576a6fd420897e5204ad68 SHA256:c7ad82c11baea78f7d2e28b576ac482c35751a32693adfbf950e605876f485cb Referenced In Project/Scope: server-start:webapps cxf-rt-rs-service-description-common-openapi-4.1.3.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend.webservices/restapi@unspecified
An LDAP injection vulnerability in the LDAP Certificate repository of the XKMS server in Apache CXF may allow an attacker to retrieve arbitrary certificates from the repository.
Users are recommended to upgrade to versions 4.2.1, 4.1.6 or 3.6.11, which fix this issue.
CWE-90 Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
The fix for CVE-2025-48913 (Apache CXF: untrusted JMS configuration can lead to RCE) was not complete: another code path may still lead to code execution if untrusted users are allowed to configure JMS for Apache CXF.
Users are recommended to upgrade to versions 4.2.1, 4.1.6 or 3.6.11, which fix this issue.
Insecure XML parser configuration in Apache CXF's WS-Transfer module may allow attackers to perform XXE attacks.
Users are recommended to upgrade to versions 4.2.1, 4.1.6 or 3.6.11, which fix this issue.
CWE-611 Improper Restriction of XML External Entity Reference
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.apache.cxf/cxf-rt-rs-service-description-openapi-v3/4.1.3/635a614ebb7ae827e1596ef1ebde12556757c0df/cxf-rt-rs-service-description-openapi-v3-4.1.3.jar MD5: 2eb05cbfb66cafe7abc21f81a21e0d87 SHA1: 635a614ebb7ae827e1596ef1ebde12556757c0df SHA256:e7ae62718604176bc0504cc3d1e820533ecaba1683870f8d50fc0f0beb604c1c Referenced In Project/Scope: server-start:webapps cxf-rt-rs-service-description-openapi-v3-4.1.3.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend.webservices/restapi@unspecified
An LDAP injection vulnerability in the LDAP Certificate repository of the XKMS server in Apache CXF may allow an attacker to retrieve arbitrary certificates from the repository.
Users are recommended to upgrade to versions 4.2.1, 4.1.6 or 3.6.11, which fix this issue.
CWE-90 Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
The fix for CVE-2025-48913 (Apache CXF: untrusted JMS configuration can lead to RCE) was not complete: another code path may still lead to code execution if untrusted users are allowed to configure JMS for Apache CXF.
Users are recommended to upgrade to versions 4.2.1, 4.1.6 or 3.6.11, which fix this issue.
Insecure XML parser configuration in Apache CXF's WS-Transfer module may allow attackers to perform XXE attacks.
Users are recommended to upgrade to versions 4.2.1, 4.1.6 or 3.6.11, which fix this issue.
CWE-611 Improper Restriction of XML External Entity Reference
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.apache.cxf/cxf-rt-rs-service-description-swagger-ui/4.1.3/c51ff4d1d56bcd916be5e776712fa6d46ae49c27/cxf-rt-rs-service-description-swagger-ui-4.1.3.jar MD5: fc57e079685b355137edf9435ae5ccfd SHA1: c51ff4d1d56bcd916be5e776712fa6d46ae49c27 SHA256:2cd6003bd4c29a569f0a9d350cd2815a6d27a99dba7add705d684206622aea15 Referenced In Project/Scope: server-start:webapps cxf-rt-rs-service-description-swagger-ui-4.1.3.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend.webservices/restapi@unspecified
An LDAP injection vulnerability in the LDAP Certificate repository of the XKMS server in Apache CXF may allow an attacker to retrieve arbitrary certificates from the repository.
Users are recommended to upgrade to versions 4.2.1, 4.1.6 or 3.6.11, which fix this issue.
CWE-90 Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
The fix for CVE-2025-48913: Apache CXF: Untrusted JMS configuration can lead to RCE was not complete, meaning that another path in the code might lead to code execution capabilities, if untrusted users are allowed to configure JMS for Apache CXF.
Users are recommended to upgrade to versions 4.2.1, 4.1.6 or 3.6.11, which fix this issue.
Insecure XML parser configuration in Apache CXF's WS-Transfer module may allow attackers to perform XXE attacks.
Users are recommended to upgrade to versions 4.2.1, 4.1.6 or 3.6.11, which fix this issue.
CWE-611 Improper Restriction of XML External Entity Reference
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.apache.cxf/cxf-rt-security/4.1.3/877eae8797230986b3ea84472ac2690dfc9e85f6/cxf-rt-security-4.1.3.jar MD5: be086b7699952f09379a2c0ec9fdd7c1 SHA1: 877eae8797230986b3ea84472ac2690dfc9e85f6 SHA256:818b5f33c82828c12bba0bf63bcb2abcb7c75d67f9528a86c3d0ac7bb72ebfed Referenced In Project/Scope: server-start:webapps cxf-rt-security-4.1.3.jar is in the transitive dependency tree of the listed items. Included by:
An LDAP injection vulnerability in the LDAP Certificate repository of the XKMS server in Apache CXF may allow an attacker to retrieve arbitrary certificates from the repository.
Users are recommended to upgrade to versions 4.2.1, 4.1.6 or 3.6.11, which fix this issue.
CWE-90 Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
The fix for CVE-2025-48913: Apache CXF: Untrusted JMS configuration can lead to RCE was not complete, meaning that another path in the code might lead to code execution capabilities, if untrusted users are allowed to configure JMS for Apache CXF.
Users are recommended to upgrade to versions 4.2.1, 4.1.6 or 3.6.11, which fix this issue.
Insecure XML parser configuration in Apache CXF's WS-Transfer module may allow attackers to perform XXE attacks.
Users are recommended to upgrade to versions 4.2.1, 4.1.6 or 3.6.11, which fix this issue.
CWE-611 Improper Restriction of XML External Entity Reference
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.apache.cxf/cxf-rt-security-saml/4.1.3/ffd8c1fe3bb1c7fec7dc271171168ff86e1f6c54/cxf-rt-security-saml-4.1.3.jar MD5: d1e6b425bf13087d3ea6443762a73e69 SHA1: ffd8c1fe3bb1c7fec7dc271171168ff86e1f6c54 SHA256:dee72a10058d0618002b85c39f64832ae9fa10a4530894f4069d0f260b6909d4 Referenced In Project/Scope: server-start:webapps cxf-rt-security-saml-4.1.3.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/TRANSCONNECT.backend.webservices/soapapi@unspecified
An LDAP injection vulnerability in the LDAP Certificate repository of the XKMS server in Apache CXF may allow an attacker to retrieve arbitrary certificates from the repository.
Users are recommended to upgrade to versions 4.2.1, 4.1.6 or 3.6.11, which fix this issue.
CWE-90 Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
The fix for CVE-2025-48913: Apache CXF: Untrusted JMS configuration can lead to RCE was not complete, meaning that another path in the code might lead to code execution capabilities, if untrusted users are allowed to configure JMS for Apache CXF.
Users are recommended to upgrade to versions 4.2.1, 4.1.6 or 3.6.11, which fix this issue.
Insecure XML parser configuration in Apache CXF's WS-Transfer module may allow attackers to perform XXE attacks.
Users are recommended to upgrade to versions 4.2.1, 4.1.6 or 3.6.11, which fix this issue.
CWE-611 Improper Restriction of XML External Entity Reference
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.apache.cxf/cxf-rt-transports-http/4.1.3/47f921952b12c608a50f04e6c73d3ef0781fc866/cxf-rt-transports-http-4.1.3.jar MD5: 5a6661f7e727001c58303b72c1d3d213 SHA1: 47f921952b12c608a50f04e6c73d3ef0781fc866 SHA256:05cd069ffb19e33580378b53a4f03215d3a7fbd9630ab92d5564ae2220cf756c Referenced In Project/Scope: server-start:webapps cxf-rt-transports-http-4.1.3.jar is in the transitive dependency tree of the listed items. Included by:
An LDAP injection vulnerability in the LDAP Certificate repository of the XKMS server in Apache CXF may allow an attacker to retrieve arbitrary certificates from the repository.
Users are recommended to upgrade to versions 4.2.1, 4.1.6 or 3.6.11, which fix this issue.
CWE-90 Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
The fix for CVE-2025-48913: Apache CXF: Untrusted JMS configuration can lead to RCE was not complete, meaning that another path in the code might lead to code execution capabilities, if untrusted users are allowed to configure JMS for Apache CXF.
Users are recommended to upgrade to versions 4.2.1, 4.1.6 or 3.6.11, which fix this issue.
Insecure XML parser configuration in Apache CXF's WS-Transfer module may allow attackers to perform XXE attacks.
Users are recommended to upgrade to versions 4.2.1, 4.1.6 or 3.6.11, which fix this issue.
CWE-611 Improper Restriction of XML External Entity Reference
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.apache.cxf/cxf-rt-ws-addr/4.1.3/7f1cf08c77ebf602bbc2218f6a5eb1984c6de9f7/cxf-rt-ws-addr-4.1.3.jar MD5: cf06486f52bdf026c5175b677c460c15 SHA1: 7f1cf08c77ebf602bbc2218f6a5eb1984c6de9f7 SHA256:d6c768e309b8cb24a2cb1f1087d502b0de41e4a21dd8db27a6361f2fe95b9592 Referenced In Project/Scope: server-start:webapps cxf-rt-ws-addr-4.1.3.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/TRANSCONNECT.backend.webservices/soapapi@unspecified
An LDAP injection vulnerability in the LDAP Certificate repository of the XKMS server in Apache CXF may allow an attacker to retrieve arbitrary certificates from the repository.
Users are recommended to upgrade to versions 4.2.1, 4.1.6 or 3.6.11, which fix this issue.
CWE-90 Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
The fix for CVE-2025-48913: Apache CXF: Untrusted JMS configuration can lead to RCE was not complete, meaning that another path in the code might lead to code execution capabilities, if untrusted users are allowed to configure JMS for Apache CXF.
Users are recommended to upgrade to versions 4.2.1, 4.1.6 or 3.6.11, which fix this issue.
Insecure XML parser configuration in Apache CXF's WS-Transfer module may allow attackers to perform XXE attacks.
Users are recommended to upgrade to versions 4.2.1, 4.1.6 or 3.6.11, which fix this issue.
CWE-611 Improper Restriction of XML External Entity Reference
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.apache.cxf/cxf-rt-ws-policy/4.1.3/99d23773eab4a13c7e9ed778588fcf7eeac638f6/cxf-rt-ws-policy-4.1.3.jar MD5: ba4cb0b7669225a508d68faed81b62fb SHA1: 99d23773eab4a13c7e9ed778588fcf7eeac638f6 SHA256:b5e9812d08f1c91d92c6150275f617f34c56be6eab18f0b97c2b3be3f9dae334 Referenced In Project/Scope: server-start:webapps cxf-rt-ws-policy-4.1.3.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/TRANSCONNECT.backend.webservices/soapapi@unspecified
An LDAP injection vulnerability in the LDAP Certificate repository of the XKMS server in Apache CXF may allow an attacker to retrieve arbitrary certificates from the repository.
Users are recommended to upgrade to versions 4.2.1, 4.1.6 or 3.6.11, which fix this issue.
CWE-90 Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
The fix for CVE-2025-48913: Apache CXF: Untrusted JMS configuration can lead to RCE was not complete, meaning that another path in the code might lead to code execution capabilities, if untrusted users are allowed to configure JMS for Apache CXF.
Users are recommended to upgrade to versions 4.2.1, 4.1.6 or 3.6.11, which fix this issue.
Insecure XML parser configuration in Apache CXF's WS-Transfer module may allow attackers to perform XXE attacks.
Users are recommended to upgrade to versions 4.2.1, 4.1.6 or 3.6.11, which fix this issue.
CWE-611 Improper Restriction of XML External Entity Reference
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.apache.cxf/cxf-rt-ws-security/4.1.3/7d8acaf3d215cc191f43d14af1eb559eb8c2bf93/cxf-rt-ws-security-4.1.3.jar MD5: 49570fd714a24458ba1f25b693bce61c SHA1: 7d8acaf3d215cc191f43d14af1eb559eb8c2bf93 SHA256:4ae344e740aa8fb005594ccbcdc190d592631da32f5c010a30116e9e8090b950 Referenced In Project/Scope: server-start:webapps cxf-rt-ws-security-4.1.3.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/TRANSCONNECT.backend.webservices/soapapi@unspecified
An LDAP injection vulnerability in the LDAP Certificate repository of the XKMS server in Apache CXF may allow an attacker to retrieve arbitrary certificates from the repository.
Users are recommended to upgrade to versions 4.2.1, 4.1.6 or 3.6.11, which fix this issue.
CWE-90 Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
The fix for CVE-2025-48913: Apache CXF: Untrusted JMS configuration can lead to RCE was not complete, meaning that another path in the code might lead to code execution capabilities, if untrusted users are allowed to configure JMS for Apache CXF.
Users are recommended to upgrade to versions 4.2.1, 4.1.6 or 3.6.11, which fix this issue.
Insecure XML parser configuration in Apache CXF's WS-Transfer module may allow attackers to perform XXE attacks.
Users are recommended to upgrade to versions 4.2.1, 4.1.6 or 3.6.11, which fix this issue.
CWE-611 Improper Restriction of XML External Entity Reference
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.apache.cxf/cxf-rt-wsdl/4.1.3/641cea3a5acd7be473d017357a4493d7cb7cdbc4/cxf-rt-wsdl-4.1.3.jar MD5: c5a96c67da9ba4ddb412300fdad0d0d6 SHA1: 641cea3a5acd7be473d017357a4493d7cb7cdbc4 SHA256:dac11d871afea9c60b88b76f0d214f318d47ed1604cb17446d2b1da9bbaab60d Referenced In Project/Scope: server-start:webapps cxf-rt-wsdl-4.1.3.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/TRANSCONNECT.backend.webservices/soapapi@unspecified
An LDAP injection vulnerability in the LDAP Certificate repository of the XKMS server in Apache CXF may allow an attacker to retrieve arbitrary certificates from the repository.
Users are recommended to upgrade to versions 4.2.1, 4.1.6 or 3.6.11, which fix this issue.
CWE-90 Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
The fix for CVE-2025-48913: Apache CXF: Untrusted JMS configuration can lead to RCE was not complete, meaning that another path in the code might lead to code execution capabilities, if untrusted users are allowed to configure JMS for Apache CXF.
Users are recommended to upgrade to versions 4.2.1, 4.1.6 or 3.6.11, which fix this issue.
Insecure XML parser configuration in Apache CXF's WS-Transfer module may allow attackers to perform XXE attacks.
Users are recommended to upgrade to versions 4.2.1, 4.1.6 or 3.6.11, which fix this issue.
CWE-611 Improper Restriction of XML External Entity Reference
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/com.google.dagger/dagger/2.20/8898d0aea048250e29b106b95b63f046a6cae1c4/dagger-2.20.jar MD5: 64217f21b016a9b1fdc18549fefbe58f SHA1: 8898d0aea048250e29b106b95b63f046a6cae1c4 SHA256:d37a556d8d57e2428c20e222b95346512d11fcf2174d581489a69a1439b886fb Referenced In Project/Scope: server-start:runtimeClasspath dagger-2.20.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified
BSD 3-clause New License: https://github.com/dom4j/dom4j/blob/master/LICENSE
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.dom4j/dom4j/2.1.3/a75914155a9f5808963170ec20653668a2ffd2fd/dom4j-2.1.3.jar MD5: 41efcf234c5a05a8c590f9b51d53ca66 SHA1: a75914155a9f5808963170ec20653668a2ffd2fd SHA256:549f3007c6290f6a901e57d1d331b4ed0e6bf7384f78bf10316ffceeca834de6 Referenced In Project/Scope: server-start:runtimeClasspath dom4j-2.1.3.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified
Eclipse Distribution License - v 1.0: http://www.eclipse.org/org/documents/edl-v10.php
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/com.sun.xml.dtd-parser/dtd-parser/1.4.5/bd01768721835f13a6da58f6edea5f8c57ee7b3c/dtd-parser-1.4.5.jar MD5: b27b38e842491770c5a1953dc86468d1 SHA1: bd01768721835f13a6da58f6edea5f8c57ee7b3c SHA256:a4cd6addced42e2f870dcca1716f459da51f06f2fe49430d2d128f147c8e929d Referenced In Project/Scope: server-start:runtimeClasspath dtd-parser-1.4.5.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified
Implementation of the library for accessing the Deutsches Verwaltungsdiensteverzeichnis (German administrative services directory)
License:
eupl1.2: https://eupl.eu/1.2/de/
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/de.dataport.dvdv2/dvdv-impl/2.13.0/d755313d4b25eab251878fb8c63f91698912b90e/dvdv-impl-2.13.0.jar MD5: ee1b85d73a37a22c8c4b20f065e0cd72 SHA1: d755313d4b25eab251878fb8c63f91698912b90e SHA256:6b29b08ce31a5710891350e3ba31cb93d68ae362a2a14d1a9c48b2c54ef0eeff Referenced In Project/Scope: server-start:runtimeClasspath dvdv-impl-2.13.0.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/net.i2p.crypto/eddsa/0.3.0/1901c8d4d8bffb7d79027686cfb91e704217c3e1/eddsa-0.3.0.jar MD5: ee7de3b6f19de76a06e465efc978f669 SHA1: 1901c8d4d8bffb7d79027686cfb91e704217c3e1 SHA256:4dda1120db856640dbec04140ed23242215a075fe127bdefa0dcfa29fb31267d Referenced In Project/Scope: server-start:runtimeClasspath eddsa-0.3.0.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified
Ehcache is an open-source caching library, compliant with the JSR-107 standard.
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.ehcache/ehcache/3.10.8/892b8caf98d188d0bac6ff16db564cae13a6874f/ehcache-3.10.8-jakarta.jar MD5: 6767673b52b5c2157bb6b41daef38963 SHA1: 892b8caf98d188d0bac6ff16db564cae13a6874f SHA256:4530ba51c1768f680bffcc5af722f7b65a0abb3874d9f17a731c7085eb2613e7 Referenced In Project/Scope: server-start:webapps ehcache-3.10.8-jakarta.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/TRANSCONNECT.backend.webservices/soapapi@unspecified
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/io.transconnect.connector.email/email-ews-connector/0.9.11/670db75b8c92901b32d069a7bde3cbeb5b9a73d6/email-ews-connector-0.9.11.war MD5: ba1d1a1d7a7a6664b8a0cff842b06c80 SHA1: 670db75b8c92901b32d069a7bde3cbeb5b9a73d6 SHA256:7ddeca1b397dcb0ea5579c568cb93d86c4b80bfac8264ecc260b450710402c02 Referenced In Project/Scope: server-start:webapps email-ews-connector-0.9.11.war is in the transitive dependency tree of the listed items. Included by: pkg:maven/TRANSCONNECT.backend/server-start@unspecified
The Java Key Vault Keys library in the Azure SDK for Java contains an issue in the local cryptographic verification path where authentication tag comparison was implemented incorrectly. In affected applications that use the vulnerable local cryptography path, specially crafted encrypted input may bypass integrity verification checks. Operations delegated to the Key Vault service are not affected. The issue is addressed in version 4.10.6.
CWE-347 Improper Verification of Cryptographic Signature, CWE-287 Improper Authentication
The Apache Commons Codec package contains simple encoder and decoders for
various formats such as Base64 and Hexadecimal. In addition to these
widely used encoders and decoders, the codec package also maintains a
collection of phonetic encoding utilities.
Apache Commons Lang, a package of Java utility classes for the
classes that are in java.lang's hierarchy, or are considered to be so
standard as to justify existence in java.lang.
Uncontrolled Recursion vulnerability in Apache Commons Lang.
This issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0.
The ClassUtils.getClass(...) methods can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a StackOverflowError could cause an application to stop.
Users are recommended to upgrade to version 3.18.0, which fixes the issue.
Contains
com.google.common.util.concurrent.internal.InternalFutureFailureAccess and
InternalFutures. Most users will never need to use this artifact. Its
classes are conceptually a part of Guava, but they're in this separate
artifact so that Android libraries can use them without pulling in all of
Guava (just as they can use ListenableFuture by depending on the
listenablefuture artifact).
Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret malformed authority component in request URIs passed to the library as java.net.URI object and pick the wrong target host for request execution.
JSON (JavaScript Object Notation) is a lightweight data-interchange format. It is easy for humans to read and write. It is easy for machines to parse and generate. It is based on a subset of the JavaScript Programming Language, Standard ECMA-262 3rd Edition - December 1999. JSON is a text format that is completely language independent but uses conventions that are familiar to programmers of the C-family of languages, including C, C++, C#, Java, JavaScript, Perl, Python, and many others. These properties make JSON an ideal data-interchange language.
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
jsoup is a Java library that simplifies working with real-world HTML and XML. It offers an easy-to-use API for URL fetching, data parsing, extraction, and manipulation using DOM API methods, CSS, and xpath selectors. jsoup implements the WHATWG HTML5 specification, and parses HTML to the same DOM as modern browsers.
Microsoft Authentication Library for Java gives you the ability to obtain tokens from Microsoft Entra (work and school accounts, MSA) and Azure AD B2C, gaining access to Microsoft Cloud API and any other API secured by Microsoft identities.
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/com.google.errorprone/error_prone_annotations/2.36.0/227d4d4957ccc3dc5761bd897e3a0ee587e750a7/error_prone_annotations-2.36.0.jar MD5: 0e48e5ba2cd0a8d8d09bad849b99f6a6 SHA1: 227d4d4957ccc3dc5761bd897e3a0ee587e750a7 SHA256:77440e270b0bc9a249903c5a076c36a722c4886ca4f42675f2903a1c53ed61a5 Referenced In Project/Scope: server-start:webapps error_prone_annotations-2.36.0.jar is in the transitive dependency tree of the listed items. Included by:
Contains
com.google.common.util.concurrent.internal.InternalFutureFailureAccess and
InternalFutures. Most users will never need to use this artifact. Its
classes are conceptually a part of Guava, but they're in this separate
artifact so that Android libraries can use them without pulling in all of
Guava (just as they can use ListenableFuture by depending on the
listenablefuture artifact).
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/com.google.guava/failureaccess/1.0.2/c4a06a64e650562f30b7bf9aaec1bfed43aca12b/failureaccess-1.0.2.jar MD5: 3f75955b49b6758fd6d1e1bd9bf777b3 SHA1: c4a06a64e650562f30b7bf9aaec1bfed43aca12b SHA256:8a8f81cf9b359e3f6dfa691a1e776985c061ef2f223c9b2c80753e1b458e8064 Referenced In Project/Scope: server-start:webapps failureaccess-1.0.2.jar is in the transitive dependency tree of the listed items. Included by:
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.apache.geronimo.specs/geronimo-annotation_1.0_spec/1.1.1/47caa799389f69d297b86bf90523d431599c3796/geronimo-annotation_1.0_spec-1.1.1.jar MD5: 4bcea8aa3540b81b66de5e9893a2b5d7 SHA1: 47caa799389f69d297b86bf90523d431599c3796 SHA256:41a3705fadf44c27cc4e1045b8c4775a10b23d7fbe2e8285ad2e08d809bd6d7e Referenced In Project/Scope: server-start:runtimeClasspath geronimo-annotation_1.0_spec-1.1.1.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.apache.geronimo.specs/geronimo-jaxws_2.2_spec/1.2/c5ece362fcac7f92b16120399d8b0911260b3271/geronimo-jaxws_2.2_spec-1.2.jar MD5: 41c53e6e0a33ac903776e3d0a2a659fe SHA1: c5ece362fcac7f92b16120399d8b0911260b3271 SHA256:f82650e7c27e2763822cc9efc67c645f91a8328aaeb201e909c9747a985f16af Referenced In Project/Scope: server-start:runtimeClasspath geronimo-jaxws_2.2_spec-1.2.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.apache.geronimo.specs/geronimo-jms_1.1_spec/1.1.1/c872b46c601d8dc03633288b81269f9e42762cea/geronimo-jms_1.1_spec-1.1.1.jar MD5: d80ce71285696d36c1add1989b94f084 SHA1: c872b46c601d8dc03633288b81269f9e42762cea SHA256:18d9ff7b9066aa99cf89843f5055d2fe58b1abe4346ee9df0daf4ac18ca232d7 Referenced In Project/Scope: server-start:runtimeClasspath geronimo-jms_1.1_spec-1.1.1.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified
A Java source code formatter that follows Google Java Style.
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/com.google.googlejavaformat/google-java-format/1.7/97cb6afc835d65682edc248e19170a8e4ecfe4c4/google-java-format-1.7.jar MD5: 983a6ef09e410ebc9113ed09a1341a52 SHA1: 97cb6afc835d65682edc248e19170a8e4ecfe4c4 SHA256:0e13edfb91fc373075790beb1dc1f36e0b7ddd11865696f928ef63e328781cc2 Referenced In Project/Scope: server-start:runtimeClasspath google-java-format-1.7.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/com.google.code.gson/gson/2.9.0/8a1167e089096758b49f9b34066ef98b2f4b37aa/gson-2.9.0.jar MD5: 53fa3e6753e90d931d62cb89580fde2f SHA1: 8a1167e089096758b49f9b34066ef98b2f4b37aa SHA256:c96d60551331a196dac54b745aa642cd078ef89b6f267146b705f2c2cbef052d Referenced In Project/Scope: server-start:runtimeClasspath gson-2.9.0.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/com.google.guava/guava/33.4.0-jre/3fcc0a259f724c7de54a6a55ea7e26d3d5c0cac/guava-33.4.0-jre.jar MD5: 5732af16367192820c7bf177e9b29512 SHA1: 03fcc0a259f724c7de54a6a55ea7e26d3d5c0cac SHA256:b918c98a7e44dbe94ebd9fe3e40cddaadb5a93e6a78eb6008b42df237241e538 Referenced In Project/Scope: server-start:webapps guava-33.4.0-jre.jar is in the transitive dependency tree of the listed items. Included by:
This is the core API of the hamcrest matcher framework to be used by third-party framework providers. This includes a foundation set of matcher implementations for common operations.
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.hamcrest/hamcrest-core/1.3/42a25dc3219429f0e5d060061f71acb49bf010a0/hamcrest-core-1.3.jar MD5: 6393363b47ddcbba82321110c3e07519 SHA1: 42a25dc3219429f0e5d060061f71acb49bf010a0 SHA256:66fdef91e9739348df7a096aa384a5685f4e875584cce89386a7a47251c4d8e9 Referenced In Project/Scope: server-start:runtimeClasspath hamcrest-core-1.3.jar is in the transitive dependency tree of the listed items. Included by:
HiveMQ MQTT Client is an MQTT 5.0 and MQTT 3.1.1 compatible and feature-rich high-performance Java client library with different API flavours and backpressure support.
License:
The Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.glassfish.hk2/hk2-api/3.0.6/5a5152dea2c43384f5c07985eb27140134074ecb/hk2-api-3.0.6.jar MD5: 37d753cad17273560c48b745f024cbaa SHA1: 5a5152dea2c43384f5c07985eb27140134074ecb SHA256:c049a21a9fd9316c7e291a2bc28835f70d25affb623dc1599a83b6b84ec83a4f Referenced In Project/Scope: server-start:webapps hk2-api-3.0.6.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/TRANSCONNECT.backend.webservices/restapi@unspecified
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.glassfish.hk2/hk2-locator/3.0.6/92d5c92c9f23bea4b8681c6f8d6ba3d708619f81/hk2-locator-3.0.6.jar MD5: e976aff53fb156b02317d2b8bc40660d SHA1: 92d5c92c9f23bea4b8681c6f8d6ba3d708619f81 SHA256:e2664d21b017c3aa1518b913264602bea604edc54d356103c10afba99abd04fc Referenced In Project/Scope: server-start:webapps hk2-locator-3.0.6.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/TRANSCONNECT.backend.webservices/restapi@unspecified
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.glassfish.hk2/hk2-utils/3.0.6/b3187d0673c0fd52de197e52c62545c34d4eda29/hk2-utils-3.0.6.jar MD5: 4f0469e8a5957c5912639f92244a9662 SHA1: b3187d0673c0fd52de197e52c62545c34d4eda29 SHA256:fc84d85a0744b576d9ec7db5845eeb998ed532a9450dd19c8c922c3ee6926206 Referenced In Project/Scope: server-start:webapps hk2-utils-3.0.6.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/TRANSCONNECT.backend.webservices/restapi@unspecified
The AWS SDK for Java - HTTP Auth AWS Event Stream module contains interfaces and implementations for AWS
specific authentication of event streams in HTTP services.
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.apache.httpcomponents.client5/httpclient5/5.3.1/56b53c8f4bcdaada801d311cf2ff8a24d6d96883/httpclient5-5.3.1.jar MD5: de1810a606b27192cbf5bbad9c25a648 SHA1: 56b53c8f4bcdaada801d311cf2ff8a24d6d96883 SHA256:08346a757c617f6ecc66af9f099260adde1f3a1351fa81cb22fc17482b31f823 Referenced In Project/Scope: server-start:webapps httpclient5-5.3.1.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/TRANSCONNECT.backend.webservices/soapapi@unspecified
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.apache.httpcomponents.client5/httpclient5-cache/5.3.1/3d3bea8e0b3dd4964225ad8abe4eed5b6ccd6db9/httpclient5-cache-5.3.1.jar MD5: ef035c64709044723191e430b7919890 SHA1: 3d3bea8e0b3dd4964225ad8abe4eed5b6ccd6db9 SHA256:bb1852942dcb40566f53bb99f11b5175fd913229ab35b9fa54a33d4644924b10 Referenced In Project/Scope: server-start:webapps httpclient5-cache-5.3.1.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/TRANSCONNECT.backend.webservices/soapapi@unspecified
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.apache.httpcomponents/httpcore/4.4.13/853b96d3afbb7bf8cc303fe27ee96836a10c1834/httpcore-4.4.13.jar MD5: e07a248f61c52776a2366c075dcd4963 SHA1: 853b96d3afbb7bf8cc303fe27ee96836a10c1834 SHA256:e06e89d40943245fcfa39ec537cdbfce3762aecde8f9c597780d2b00c2b43424 Referenced In Project/Scope: server-start:compileClasspath httpcore-4.4.13.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.apache.httpcomponents/httpcore/4.4.16/51cf043c87253c9f58b539c9f7e44c8894223850/httpcore-4.4.16.jar MD5: 28d2cd9bf8789fd2ec774fb88436ebd1 SHA1: 51cf043c87253c9f58b539c9f7e44c8894223850 SHA256:6c9b3dd142a09dc468e23ad39aad6f75a0f2b85125104469f026e52a474e464f Referenced In Project/Scope: server-start:runtimeClasspath httpcore-4.4.16.jar is in the transitive dependency tree of the listed items. Included by:
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.apache.httpcomponents/httpcore-nio/4.4.12/84cd29eca842f31db02987cfedea245af020198b/httpcore-nio-4.4.12.jar MD5: 6b623c5cce9d2333cfdf220749cdab03 SHA1: 84cd29eca842f31db02987cfedea245af020198b SHA256:11448f4b5c7f13d9396a67b33aa938d05f660665e0f14fd08e25acfd3c20ae80 Referenced In Project/Scope: server-start:runtimeClasspath httpcore-nio-4.4.12.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/TRANSCONNECT.backend.adapters/opcua-adapter@unspecified
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.apache.httpcomponents.core5/httpcore5/5.2.5/dab1e18842971a45ca8942491ce005ab86a028d7/httpcore5-5.2.5.jar MD5: 419f7b3172ebee12dd64af978feb4351 SHA1: dab1e18842971a45ca8942491ce005ab86a028d7 SHA256:9552b9e06cef3170e37046092de115c33a7cb48ee7ef0d87f1d5650dee7e1b0d Referenced In Project/Scope: server-start:webapps httpcore5-5.2.5.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/TRANSCONNECT.backend.webservices/soapapi@unspecified
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.apache.httpcomponents.core5/httpcore5-h2/5.2.4/2872764df7b4857549e2880dd32a6f9009166289/httpcore5-h2-5.2.4.jar MD5: d407b8144029db656ac5ba3d54ef801f SHA1: 2872764df7b4857549e2880dd32a6f9009166289 SHA256:dc1a95e73eb04db93451533d390ce02c53b301a10dc343d08c862f2934b3d30e Referenced In Project/Scope: server-start:webapps httpcore5-h2-5.2.4.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/TRANSCONNECT.backend.webservices/soapapi@unspecified
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/com.sun.istack/istack-commons-runtime/3.0.12/cbbe1a62b0cc6c85972e99d52aaee350153dc530/istack-commons-runtime-3.0.12.jar MD5: 1952bd76321f8580cfaa57e332a68287 SHA1: cbbe1a62b0cc6c85972e99d52aaee350153dc530 SHA256:27d85fc134c9271d5c79d3300fc4669668f017e72409727c428f54f2417f04cd Referenced In Project/Scope: server-start:runtimeClasspath istack-commons-runtime-3.0.12.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/com.sun.istack/istack-commons-runtime/3.0.8/d6a97364045aa6b99bf2d3c566a3f98599c2d296/istack-commons-runtime-3.0.8.jar MD5: d8555a2f242c55d6727b4d0e82ab8446 SHA1: d6a97364045aa6b99bf2d3c566a3f98599c2d296 SHA256:4ffabb06be454a05e4398e20c77fa2b6308d4b88dfbef7ca30a76b5b7d5505ef Referenced In Project/Scope: server-start:compileClasspath istack-commons-runtime-3.0.8.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/com.sun.istack/istack-commons-runtime/4.1.2/18ec117c85f3ba0ac65409136afa8e42bc74e739/istack-commons-runtime-4.1.2.jar MD5: 535154ef647af2a52478c4debec93659 SHA1: 18ec117c85f3ba0ac65409136afa8e42bc74e739 SHA256:7fd6792361f4dd00f8c56af4a20cecc0066deea4a8f3dec38348af23fc2296ee Referenced In Project/Scope: server-start:webapps istack-commons-runtime-4.1.2.jar is in the transitive dependency tree of the listed items. Included by:
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/com.sun.istack/istack-commons-tools/3.0.12/7213eee4e9f65972968f03c9dd4df266ce42530b/istack-commons-tools-3.0.12.jar MD5: 466851283328c997fc3c9008ba71b869 SHA1: 7213eee4e9f65972968f03c9dd4df266ce42530b SHA256:88369766d2f7bf7904595d295d759ef553de47f2b9fc7d0c82a42f602ed70af0 Referenced In Project/Scope: server-start:runtimeClasspath istack-commons-tools-3.0.12.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified
A set of annotations that provide additional information to the J2ObjC
translator to modify the result of translation.
License:
Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/com.google.j2objc/j2objc-annotations/2.8/c85270e307e7b822f1086b93689124b89768e273/j2objc-annotations-2.8.jar MD5: c50af69b704dc91050efb98e0dff66d1 SHA1: c85270e307e7b822f1086b93689124b89768e273 SHA256:f02a95fa1a5e95edb3ed859fd0fb7df709d121a35290eff8b74dce2ab7f4d6ed Referenced In Project/Scope: server-start:compileClasspath j2objc-annotations-2.8.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified
A set of annotations that provide additional information to the J2ObjC
translator to modify the result of translation.
License:
Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/com.google.j2objc/j2objc-annotations/3.0.0/7399e65dd7e9ff3404f4535b2f017093bdb134c7/j2objc-annotations-3.0.0.jar MD5: f59529b29202a5baf37f491ea5ec8627 SHA1: 7399e65dd7e9ff3404f4535b2f017093bdb134c7 SHA256:88241573467ddca44ffd4d74aa04c2bbfd11bf7c17e0c342c94c9de7a70a7c64 Referenced In Project/Scope: server-start:webapps j2objc-annotations-3.0.0.jar is in the transitive dependency tree of the listed items.Included by:
Core annotations used for value types, used by Jackson data binding package.
License:
The Apache Software License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-annotations/2.19.2/c5381f11988ae3d424b197a26087d86067b6d7d/jackson-annotations-2.19.2.jar MD5: 99b71c4cebb9dae38ae925ac7ab0574f SHA1: 0c5381f11988ae3d424b197a26087d86067b6d7d SHA256:e516743a316dcf83c572ffc9cb6e8c5e8c134880c8c5155b02f7b34e9c5dc3cf Referenced In Project/Scope: server-start:runtimeClasspath jackson-annotations-2.19.2.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified
Core annotations used for value types, used by Jackson data binding package.
License:
The Apache Software License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-annotations/2.20/6a5e7291ea3f2b590a7ce400adb7b3aea4d7e12c/jackson-annotations-2.20.jar MD5: b901def3c20752817f27130e4b8d6640 SHA1: 6a5e7291ea3f2b590a7ce400adb7b3aea4d7e12c SHA256:959a2ffb2d591436f51f183c6a521fc89347912f711bf0cae008cdf045d95319 Referenced In Project/Scope: server-start:webapps jackson-annotations-2.20.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend.webservices/restapi@unspecified
Core Jackson processing abstractions (aka Streaming API), implementation for JSON
License:
The Apache Software License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-core/2.19.0/a90640e59ea42632a8e331ff1d6b706cf306050a/jackson-core-2.19.0.jar MD5: d741d9cff5a56cb6f1307abe947fb7c1 SHA1: a90640e59ea42632a8e331ff1d6b706cf306050a SHA256:da8e859bac94874528116a25f20c68560e4287acbf27628711b8a4f96b028430 Referenced In Project/Scope: server-start:compileClasspath jackson-core-2.19.0.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified
Core Jackson processing abstractions (aka Streaming API), implementation for JSON
License:
The Apache Software License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-core/2.19.2/50f3b4bd59b9ff51a0ed493e7b5abaf5c39709bf/jackson-core-2.19.2.jar MD5: b3843578b0753a9a685eea819dea3ab7 SHA1: 50f3b4bd59b9ff51a0ed493e7b5abaf5c39709bf SHA256:aa77eaf29293a868c47372194f7c5287d77d9370b04ea25d3fffc1e4904b5880 Referenced In Project/Scope: server-start:runtimeClasspath jackson-core-2.19.2.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified
Core Jackson processing abstractions (aka Streaming API), implementation for JSON
License:
The Apache Software License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-core/2.20.1/5734323adfece72111769b0ae38a6cf803e3d178/jackson-core-2.20.1.jar MD5: 889b2c417b61c9f4f460b06957147234 SHA1: 5734323adfece72111769b0ae38a6cf803e3d178 SHA256:ffab4d957daa2796cf24cb66d0b78a7090f1bcbe17c3a4578f09affaaf137089 Referenced In Project/Scope: server-start:webapps jackson-core-2.20.1.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend.webservices/restapi@unspecified
General data-binding functionality for Jackson: works on core streaming API
License:
The Apache Software License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.19.2/46509399d28f57ca32c6bb4b0d4e10e8f062051e/jackson-databind-2.19.2.jar MD5: 856506e1d49091e89599a3ef34990597 SHA1: 46509399d28f57ca32c6bb4b0d4e10e8f062051e SHA256:0a1bd4e9b0d670e632d40ee8c625ad376233502f03c2f5889baea95d025b47a7 Referenced In Project/Scope: server-start:runtimeClasspath jackson-databind-2.19.2.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified
General data-binding functionality for Jackson: works on core streaming API
License:
The Apache Software License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.20.1/9586a7fe0e1775de0e54237fa6a2c8455c93ac06/jackson-databind-2.20.1.jar MD5: 49d7b7226df5ed4a036e48997a03d066 SHA1: 9586a7fe0e1775de0e54237fa6a2c8455c93ac06 SHA256:34bbeb4526fff4f8565b12106bf85a6afcbae858966d489b54214ac46b2e26e8 Referenced In Project/Scope: server-start:webapps jackson-databind-2.20.1.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend.webservices/restapi@unspecified
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/com.fasterxml.jackson.dataformat/jackson-dataformat-yaml/2.20.1/e6da043059c9ec631a3429ded461d5d92f240c3f/jackson-dataformat-yaml-2.20.1.jar MD5: 66dc3c5f31150557109b14182ed7ed8a SHA1: e6da043059c9ec631a3429ded461d5d92f240c3f SHA256:030f1d91f7df278e86e1ba3e129fb520871ac16ce53017c735f708823be970db Referenced In Project/Scope: server-start:webapps jackson-dataformat-yaml-2.20.1.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend.webservices/restapi@unspecified
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/com.fasterxml.jackson.datatype/jackson-datatype-jsr310/2.20.1/7ad06a455afc4a38412d5dab127191bdc3d90faf/jackson-datatype-jsr310-2.20.1.jar MD5: 1ebd4e254f641f0cadf0ffdc1f662fea SHA1: 7ad06a455afc4a38412d5dab127191bdc3d90faf SHA256:692be83c7e2eebb53b995c11d813c603a7d716d60c9d2d4fb9486ecb105f9291 Referenced In Project/Scope: server-start:webapps jackson-datatype-jsr310-2.20.1.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend.webservices/restapi@unspecified
Pile of code that is shared by all Jackson-based Jakarta-RS
providers.
License:
The Apache Software License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/com.fasterxml.jackson.jakarta.rs/jackson-jakarta-rs-base/2.20.1/af3b69315b94fc27943f064e1686232d70ab0435/jackson-jakarta-rs-base-2.20.1.jar MD5: b3f4d58e89ee7279c07191cb8b6746f1 SHA1: af3b69315b94fc27943f064e1686232d70ab0435 SHA256:9761eecd67b0c4a831f02d378f2a63d3f4ea8bdde5919c7b9b225a9326026650 Referenced In Project/Scope: server-start:webapps jackson-jakarta-rs-base-2.20.1.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend.webservices/restapi@unspecified
Functionality to handle JSON input/output for Jakarta-RS implementations
(like Jersey and RESTeasy) using standard Jackson data binding.
License:
The Apache Software License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/com.fasterxml.jackson.jakarta.rs/jackson-jakarta-rs-json-provider/2.20.1/41b2719b93949427d30b573c3c997459e86bfa94/jackson-jakarta-rs-json-provider-2.20.1.jar MD5: 2b7062b6587e7b3c8ded16f38dc3eff6 SHA1: 41b2719b93949427d30b573c3c997459e86bfa94 SHA256:3bc6d1af62588c504160c1155347b1b3a15288e5e3f35156eb1bed4bd940dcdd Referenced In Project/Scope: server-start:webapps jackson-jakarta-rs-json-provider-2.20.1.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend.webservices/restapi@unspecified
Pile of code that is shared by all Jackson-based JAX-RS
providers.
License:
The Apache Software License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/com.fasterxml.jackson.jaxrs/jackson-jaxrs-base/2.20.1/a78feea452f2c83ce5307d9835c66d55b6160f2f/jackson-jaxrs-base-2.20.1.jar MD5: 0b51c8ee8c7437553e43d4172ccbef6c SHA1: a78feea452f2c83ce5307d9835c66d55b6160f2f SHA256:d34944bd5666bd4db02882185c43551dbde0801286fe7c2c5b43a5b5dcca1d1e Referenced In Project/Scope: server-start:webapps jackson-jaxrs-base-2.20.1.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend.webservices/restapi@unspecified
Functionality to handle JSON input/output for JAX-RS implementations (like Jersey and RESTeasy) using standard Jackson data binding.
License:
The Apache Software License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/com.fasterxml.jackson.jaxrs/jackson-jaxrs-json-provider/2.20.1/83b9ae70d2c10458c76e1871851d477f8ca689e6/jackson-jaxrs-json-provider-2.20.1.jar MD5: f9ed39b3e5b92d54e8d1c58ba6d0d7f4 SHA1: 83b9ae70d2c10458c76e1871851d477f8ca689e6 SHA256:74ea814ca7cd6a83a1c474f7c90f4061d5034079deaee0e0e8f9477b219e8871 Referenced In Project/Scope: server-start:webapps jackson-jaxrs-json-provider-2.20.1.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend.webservices/restapi@unspecified
Support for using Jakarta XML Bind (aka JAXB 3.0) annotations as an alternative
to "native" Jackson annotations, for configuring data-binding.
License:
The Apache Software License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/com.fasterxml.jackson.module/jackson-module-jakarta-xmlbind-annotations/2.20.1/15e386d9151f5964dc28fd25c28660d1262b8898/jackson-module-jakarta-xmlbind-annotations-2.20.1.jar MD5: 249a6e812de8ed3f68fd72af918ef2f9 SHA1: 15e386d9151f5964dc28fd25c28660d1262b8898 SHA256:0d5710d2e38b1567edf4acc0d7b9aeb6610f57b901cec9b42548872d421619d1 Referenced In Project/Scope: server-start:webapps jackson-module-jakarta-xmlbind-annotations-2.20.1.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend.webservices/restapi@unspecified
Support for using JAXB annotations as an alternative to "native" Jackson annotations,
for configuring data-binding.
License:
The Apache Software License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/com.fasterxml.jackson.module/jackson-module-jaxb-annotations/2.20.1/6002a78c8a8cdde2f2195daac5591ee424d1d4ac/jackson-module-jaxb-annotations-2.20.1.jar MD5: a1399afede95b690d650a3a1f721f729 SHA1: 6002a78c8a8cdde2f2195daac5591ee424d1d4ac SHA256:0b4c0cf84bb9e5251d29743fc0488d5414b0ac6e20fa4ac87d0754b8d4d78a05 Referenced In Project/Scope: server-start:webapps jackson-module-jaxb-annotations-2.20.1.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend.webservices/restapi@unspecified
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/com.sun.media/jai_imageio/1.1/ce14f7375da96d8300356f2b7cf4e89e523b22cf/jai_imageio-1.1.jar MD5: de045bb7c4367be74ce7a1e50d400a47 SHA1: ce14f7375da96d8300356f2b7cf4e89e523b22cf SHA256:600768eabd63f92e4ba503d956f540c7d3382e4e2425058e60879b9282232e40 Referenced In Project/Scope: server-start:runtimeClasspath jai_imageio-1.1.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/com.sun.activation/jakarta.activation/1.2.1/8013606426a73d8ba6b568370877251e91a38b89/jakarta.activation-1.2.1.jar MD5: dc519b1f09bbaf9274ea5da358a00110 SHA1: 8013606426a73d8ba6b568370877251e91a38b89 SHA256:d84d4ba8b55cdb7fdcbb885e6939386367433f56f5ab8cfdc302a7c3587fa92b Referenced In Project/Scope: server-start:compileClasspath jakarta.activation-1.2.1.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/com.sun.activation/jakarta.activation/1.2.2/74548703f9851017ce2f556066659438019e7eb5/jakarta.activation-1.2.2.jar MD5: 0b8bee3bf29b9a015f8b992035581a7c SHA1: 74548703f9851017ce2f556066659438019e7eb5 SHA256:02156773e4ae9d048d14a56ad35d644bee9f1052a791d072df3ded3c656e6e1a Referenced In Project/Scope: server-start:runtimeClasspath jakarta.activation-1.2.2.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/jakarta.activation/jakarta.activation-api/2.1.4/9e5c2a0d75dde71a0bedc4dbdbe47b78a5dc50f8/jakarta.activation-api-2.1.4.jar MD5: bc1602eee7bc61a0b86f14bbbb0cc794 SHA1: 9e5c2a0d75dde71a0bedc4dbdbe47b78a5dc50f8 SHA256:c9db52100ce6c8aac95cc39075f95720d2e561b11f8051b81c121ad4effd7004 Referenced In Project/Scope: server-start:webapps jakarta.activation-api-2.1.4.jar is in the transitive dependency tree of the listed items.Included by:
Jakarta Authentication defines a general low-level SPI for authentication mechanisms, which are controllers
that interact with a caller and a container's environment to obtain the caller's credentials, validate these,
and pass an authenticated identity (such as name and groups) to the container.
Jakarta Authentication consists of several profiles, with each profile telling how a specific container
(such as Jakarta Servlet) can integrate with- and adapt to this SPI.
Jakarta Interceptors defines a means of interposing on business method invocations
and specific events—such as lifecycle events and timeout events—that occur on instances
of Jakarta EE components and other managed classes.
Jakarta Messaging describes a means for Java applications to create, send,
and receive messages via loosely coupled, reliable asynchronous communication services.
License:
Eclipse Public License 2.0: https://projects.eclipse.org/license/epl-2.0
GNU General Public License, version 2 with the GNU Classpath Exception: https://projects.eclipse.org/license/secondary-gpl-2.0-cp
Eclipse Distribution License - v 1.0: http://www.eclipse.org/org/documents/edl-v10.php
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/jakarta.jws/jakarta.jws-api/2.1.0/7d283ef13e49c1422701e30639371edca788c609/jakarta.jws-api-2.1.0.jar MD5: 9e3bc505722b1e84535d7edb3d582ca1 SHA1: 7d283ef13e49c1422701e30639371edca788c609 SHA256:d4c321f47a72001977fa11d2df408db23bf5f46e954aeb2c6f1ecda4dfef8fd8 Referenced In Project/Scope: server-start:runtimeClasspath jakarta.jws-api-2.1.0.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/jakarta.mail/jakarta.mail-api/2.0.1/715ababc1fe0cf07844e4c97d0a8f27421c4c867/jakarta.mail-api-2.0.1.jar MD5: 1d95f358e919ce4472daf32b24cea284 SHA1: 715ababc1fe0cf07844e4c97d0a8f27421c4c867 SHA256:44b1f25896b1ca6d0cd27d97cdd319cf1a7a8cf24fdd7b549b7e9dfccaa0c8d4 Referenced In Project/Scope: server-start:runtimeClasspath jakarta.mail-api-2.0.1.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/jakarta.mail/jakarta.mail-api/2.1.3/a327aa5f514ba86e80d54584417d7376ed2bde0e/jakarta.mail-api-2.1.3.jar MD5: 288a687deb06b87602ce14cd03dddff4 SHA1: a327aa5f514ba86e80d54584417d7376ed2bde0e SHA256:8051b58d75f982f9a5b963b3765426e824b2a64865ef0af17205e455b98db05c Referenced In Project/Scope: server-start:webapps jakarta.mail-api-2.1.3.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend.webservices/soapapi@unspecified
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/jakarta.servlet/jakarta.servlet-api/6.0.0/abecc699286e65035ebba9844c03931357a6a963/jakarta.servlet-api-6.0.0.jar MD5: 4bcb3175ed9b7aa3f038d082879ec2a8 SHA1: abecc699286e65035ebba9844c03931357a6a963 SHA256:c034eb1afb158987dbb53a5fea0cadf611c8dae8daadd59c44d9d5ab70129cef Referenced In Project/Scope: server-start:compileClasspath jakarta.servlet-api-6.0.0.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/jakarta.validation/jakarta.validation-api/3.0.2/92b6631659ba35ca09e44874d3eb936edfeee532/jakarta.validation-api-3.0.2.jar MD5: 3a1ee6efca3e41e3320599790f54c5eb SHA1: 92b6631659ba35ca09e44874d3eb936edfeee532 SHA256:291c25e6910cc6a7ebd96d4c6baebf6d7c37676c5482c2d96146e901b62c1fc9 Referenced In Project/Scope: server-start:webapps jakarta.validation-api-3.0.2.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend.webservices/restapi@unspecified
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/jakarta.xml.bind/jakarta.xml.bind-api/4.0.4/d6d2327f3817d9a33a3b6b8f2e15a96bc2e7afdc/jakarta.xml.bind-api-4.0.4.jar MD5: 6dd465a232e545193ab8ab77cc4fbdb9 SHA1: d6d2327f3817d9a33a3b6b8f2e15a96bc2e7afdc SHA256:c507ca69a8c6dd11bf4afeec9e0d412c4fa3933fffb0a84680ea5727e8472124 Referenced In Project/Scope: server-start:webapps jakarta.xml.bind-api-4.0.4.jar is in the transitive dependency tree of the listed items.Included by:
Eclipse Distribution License - v 1.0: http://www.eclipse.org/org/documents/edl-v10.php
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/jakarta.xml.ws/jakarta.xml.ws-api/2.3.3/529fe0136be92861e5a255fbc99146f1943c4332/jakarta.xml.ws-api-2.3.3.jar MD5: ce470c38b9dbdcb8e505d41d767be748 SHA1: 529fe0136be92861e5a255fbc99146f1943c4332 SHA256:c8e0ba03c47cd5e996fd5d83540caaeab69cd8d531f128318d88e15467d112c1 Referenced In Project/Scope: server-start:runtimeClasspath jakarta.xml.ws-api-2.3.3.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified
Eclipse Distribution License - v 1.0: http://www.eclipse.org/org/documents/edl-v10.php
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/jakarta.xml.ws/jakarta.xml.ws-api/4.0.2/331ecab874ee75b48db661a331319958cb04edec/jakarta.xml.ws-api-4.0.2.jar MD5: 9a41e8d9a62fb837d2228d47684a57da SHA1: 331ecab874ee75b48db661a331319958cb04edec SHA256:ae500d776eeb64471cd3e3bdfcd6a9e7de6d8f866be6d7e9b2f9ca606d68c203 Referenced In Project/Scope: server-start:webapps jakarta.xml.ws-api-4.0.2.jar is in the transitive dependency tree of the listed items.Included by:
Java library which enables encryption in java apps with minimum effort.
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.jasypt/jasypt/1.9.3/d99ef9540f51c617f2a293b460f025d2ee563dd/jasypt-1.9.3.jar MD5: 39327c7e38782102ecdb3c9dc4e8dcd3 SHA1: 0d99ef9540f51c617f2a293b460f025d2ee563dd SHA256:f481fbb8dd8ce754bfde7552af4fcbe8c5e303d53663bb3d8ce9d4338e0e55aa Referenced In Project/Scope: server-start:webapps jasypt-1.9.3.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend.webservices/soapapi@unspecified
The MIT License (MIT): https://raw.githubusercontent.com/auth0/java-jwt/master/LICENSE
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/com.auth0/java-jwt/3.19.4/e1f57df0730b10d2b258a5e3b4058389a54459b/java-jwt-3.19.4.jar MD5: f77b856f3d369a0017928d113646daa4 SHA1: 0e1f57df0730b10d2b258a5e3b4058389a54459b SHA256:0a3a682308d27aa710441860915d40e7c641720b5bed036bb3eaf9683458288e Referenced In Project/Scope: server-start:runtimeClasspath java-jwt-3.19.4.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified
GNU General Public License, version 2, with the Classpath Exception: http://openjdk.java.net/legal/gplv2+ce.html
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/com.google.errorprone/javac-shaded/9+181-r4173-1/a399ee380b6d6b6ea53af1cfbcb086b108d1efb7/javac-shaded-9+181-r4173-1.jar MD5: a0d7563262ef985e7e17386e9cc21002 SHA1: a399ee380b6d6b6ea53af1cfbcb086b108d1efb7 SHA256:ae6f663a36bac1855076072afd650cdc0076b08f8129fbff504e73e74095a021 Referenced In Project/Scope: server-start:runtimeClasspath javac-shaded-9+181-r4173-1.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.javassist/javassist/3.30.2-GA/284580b5e42dfa1b8267058566435d9e93fae7f7/javassist-3.30.2-GA.jar MD5: f5b827b8ddec0629cc7a6d7dafc45999 SHA1: 284580b5e42dfa1b8267058566435d9e93fae7f7 SHA256:eba37290994b5e4868f3af98ff113f6244a6b099385d9ad46881307d3cb01aaf Referenced In Project/Scope: server-start:webapps javassist-3.30.2-GA.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend.webservices/restapi@unspecified
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/javax.inject/javax.inject/1/6975da39a7040257bd51d21a231b76c915872d38/javax.inject-1.jar MD5: 289075e48b909e9e74e6c915b3631d2e SHA1: 6975da39a7040257bd51d21a231b76c915872d38 SHA256:91c77044a50c481636c32d916fd89c9118a72195390452c81065080f957de7ff Referenced In Project/Scope: server-start:runtimeClasspath javax.inject-1.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/javax.xml.bind/jaxb-api/2.2.12/4c83805595b15acf41d71d49e3add7c0e85baaed/jaxb-api-2.2.12.jar MD5: 62229737e570051d2ace48592faf7d4e SHA1: 4c83805595b15acf41d71d49e3add7c0e85baaed SHA256:68a621ec18485f951d09ac76f43e57eee394dbe42cb8f2a4c59c93296fa9dcc6 Referenced In Project/Scope: server-start:webapps jaxb-api-2.2.12.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend.webservices/restapi@unspecified
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.glassfish.jaxb/jaxb-core/4.0.5/7b4b11ea5542eea4ad55e1080b23be436795b3/jaxb-core-4.0.5.jar MD5: ab09aef6bebd4438b0a02707881801e4 SHA1: 007b4b11ea5542eea4ad55e1080b23be436795b3 SHA256:ad3fd9bf00de3eda9859f70b6cfb011e2fe9904804e16a2665092888ece0fdca Referenced In Project/Scope: server-start:webapps jaxb-core-4.0.5.jar is in the transitive dependency tree of the listed items.Included by:
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/com.sun.xml.bind/jaxb-jxc/2.3.3/f6084b9b7025d52d423c4e51db4b46a842d82170/jaxb-jxc-2.3.3.jar MD5: d7254593b9d760665ae6478b527ef028 SHA1: f6084b9b7025d52d423c4e51db4b46a842d82170 SHA256:a6e31082e268a68e9fdc4fa2352360c57708e21aeadc3264974dafd12b00aa65 Referenced In Project/Scope: server-start:runtimeClasspath jaxb-jxc-2.3.3.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.glassfish.jaxb/jaxb-runtime/2.3.2/5528bc882ea499a09d720b42af11785c4fc6be2a/jaxb-runtime-2.3.2.jar MD5: 9c3bf13a58e56c1b955bf5a365ca10b2 SHA1: 5528bc882ea499a09d720b42af11785c4fc6be2a SHA256:e6e0a1e89fb6ff786279e6a0082d5cef52dc2ebe67053d041800737652b4fd1b Referenced In Project/Scope: server-start:compileClasspath jaxb-runtime-2.3.2.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.glassfish.jaxb/jaxb-runtime/2.3.6/1e6cd0e5d9f9919c8c8824fb4d310b09a978a60e/jaxb-runtime-2.3.6.jar MD5: 29acad12b7cdd22b2a5ab66cd7439d48 SHA1: 1e6cd0e5d9f9919c8c8824fb4d310b09a978a60e SHA256:cd87d4b98a8bec1d237aed61472ef4adb6a8bb0515cbde1fd62fdd9781c16770 Referenced In Project/Scope: server-start:runtimeClasspath jaxb-runtime-2.3.6.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.glassfish.jaxb/jaxb-runtime/4.0.5/ca84c2a7169b5293e232b9d00d1e4e36d4c3914a/jaxb-runtime-4.0.5.jar MD5: c7384f1f95b8a8e15291485ff9dbe4f3 SHA1: ca84c2a7169b5293e232b9d00d1e4e36d4c3914a SHA256:485d8940e76373a7f300815ea5504bf5b726c234425ad30971019d133124cca4 Referenced In Project/Scope: server-start:webapps jaxb-runtime-4.0.5.jar is in the transitive dependency tree of the listed items.Included by:
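Two things worth checking mechanically in entries like the ones above: the same artifact resolved to different versions on different classpaths (jackson-core 2.19.0 / 2.19.2 / 2.20.1 on compileClasspath, runtimeClasspath and webapps; jaxb-runtime 2.3.2 / 2.3.6 / 4.0.5 likewise), which means the version a scanner sees at compile time is not the one that ships; and whether the jar on disk still hashes to the SHA-256 the report recorded. The script below is an added example, not code from this report or from Dependency-Check. It assumes the flat one-line layout shown here (`File Path: ... MD5: ... SHA1: ... SHA256:... Referenced In Project/Scope: ... Included by: ...`) and the Gradle cache layout `files-2.1/<group>/<artifact>/<version>/<sha1>/<file>`; the sample lines are copied from the entries above, and the function names are the example's own. One caveat it handles: Gradle names the cache directory with the SHA-1 rendered as a big integer, so a leading zero is dropped (compare the jackson-annotations 2.19.2 path segment `c5381f...` with its `SHA1: 0c5381f...`), and a naive string comparison would flag it as a mismatch.

```python
"""Parse flattened Dependency-Check entries, report version skew across
scopes, and re-verify jar hashes. Added example; assumes the report's
one-line entry layout and Gradle's files-2.1 cache layout."""
import hashlib
import re
from collections import defaultdict

# Sample input: entry lines copied from the report above.
REPORT_LINES = [
    "File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-core/2.19.0/a90640e59ea42632a8e331ff1d6b706cf306050a/jackson-core-2.19.0.jar MD5: d741d9cff5a56cb6f1307abe947fb7c1 SHA1: a90640e59ea42632a8e331ff1d6b706cf306050a SHA256:da8e859bac94874528116a25f20c68560e4287acbf27628711b8a4f96b028430 Referenced In Project/Scope: server-start:compileClasspath jackson-core-2.19.0.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified",
    "File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-core/2.19.2/50f3b4bd59b9ff51a0ed493e7b5abaf5c39709bf/jackson-core-2.19.2.jar MD5: b3843578b0753a9a685eea819dea3ab7 SHA1: 50f3b4bd59b9ff51a0ed493e7b5abaf5c39709bf SHA256:aa77eaf29293a868c47372194f7c5287d77d9370b04ea25d3fffc1e4904b5880 Referenced In Project/Scope: server-start:runtimeClasspath jackson-core-2.19.2.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified",
    "File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-core/2.20.1/5734323adfece72111769b0ae38a6cf803e3d178/jackson-core-2.20.1.jar MD5: 889b2c417b61c9f4f460b06957147234 SHA1: 5734323adfece72111769b0ae38a6cf803e3d178 SHA256:ffab4d957daa2796cf24cb66d0b78a7090f1bcbe17c3a4578f09affaaf137089 Referenced In Project/Scope: server-start:webapps jackson-core-2.20.1.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend.webservices/restapi@unspecified",
    "File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-annotations/2.19.2/c5381f11988ae3d424b197a26087d86067b6d7d/jackson-annotations-2.19.2.jar MD5: 99b71c4cebb9dae38ae925ac7ab0574f SHA1: 0c5381f11988ae3d424b197a26087d86067b6d7d SHA256:e516743a316dcf83c572ffc9cb6e8c5e8c134880c8c5155b02f7b34e9c5dc3cf Referenced In Project/Scope: server-start:runtimeClasspath jackson-annotations-2.19.2.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified",
    "File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.glassfish.jaxb/jaxb-runtime/2.3.6/1e6cd0e5d9f9919c8c8824fb4d310b09a978a60e/jaxb-runtime-2.3.6.jar MD5: 29acad12b7cdd22b2a5ab66cd7439d48 SHA1: 1e6cd0e5d9f9919c8c8824fb4d310b09a978a60e SHA256:cd87d4b98a8bec1d237aed61472ef4adb6a8bb0515cbde1fd62fdd9781c16770 Referenced In Project/Scope: server-start:runtimeClasspath jaxb-runtime-2.3.6.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified",
    "File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.glassfish.jaxb/jaxb-runtime/4.0.5/ca84c2a7169b5293e232b9d00d1e4e36d4c3914a/jaxb-runtime-4.0.5.jar MD5: c7384f1f95b8a8e15291485ff9dbe4f3 SHA1: ca84c2a7169b5293e232b9d00d1e4e36d4c3914a SHA256:485d8940e76373a7f300815ea5504bf5b726c234425ad30971019d133124cca4 Referenced In Project/Scope: server-start:webapps jaxb-runtime-4.0.5.jar is in the transitive dependency tree of the listed items.Included by:",
]

# Field layout as it appears in the flattened report (note: no space after "SHA256:").
ENTRY_RE = re.compile(
    r"File Path: (?P<path>\S+) "
    r"MD5: (?P<md5>[0-9a-f]{32}) "
    r"SHA1: (?P<sha1>[0-9a-f]{40}) "
    r"SHA256:(?P<sha256>[0-9a-f]{64}) "
    r"Referenced In Project/Scope: (?P<scope>\S+)"
)
# Gradle cache layout: files-2.1/<group>/<artifact>/<version>/<sha1-as-hex-int>/<file>
PATH_RE = re.compile(
    r"/files-2\.1/(?P<group>[^/]+)/(?P<artifact>[^/]+)/(?P<version>[^/]+)/"
    r"(?P<dirhash>[0-9a-f]{1,40})/(?P<file>[^/]+)$"
)
INCLUDED_BY_RE = re.compile(r"Included by:\s*(?P<purl>pkg:\S+)?")


def parse_entry(line):
    """Return a dict for one 'File Path:' entry line, or None if it is not one."""
    line = line.strip()
    m = ENTRY_RE.match(line)
    if not m:
        return None
    p = PATH_RE.search(m["path"])
    if not p:
        return None
    inc = INCLUDED_BY_RE.search(line)
    return {
        "group": p["group"], "artifact": p["artifact"], "version": p["version"],
        "file": p["file"], "dirhash": p["dirhash"], "path": m["path"],
        "md5": m["md5"], "sha1": m["sha1"], "sha256": m["sha256"],
        "scope": m["scope"],
        "included_by": inc["purl"] if inc and inc["purl"] else None,
    }


def parse_report(lines):
    return [e for e in (parse_entry(l) for l in lines) if e]


def cache_dir_matches_sha1(entry):
    """Gradle writes the SHA-1 directory name as a hex big integer, so leading
    zeros are dropped; compare numerically rather than as strings."""
    return int(entry["dirhash"], 16) == int(entry["sha1"], 16)


def find_version_skew(entries):
    """Map 'group:artifact' -> {version: [scopes]} for artifacts that resolve
    to more than one version somewhere in the build."""
    by_artifact = defaultdict(lambda: defaultdict(set))
    for e in entries:
        by_artifact[f"{e['group']}:{e['artifact']}"][e["version"]].add(e["scope"])
    return {name: {v: sorted(s) for v, s in versions.items()}
            for name, versions in by_artifact.items() if len(versions) > 1}


def verify_blob(expected_sha256, data):
    return hashlib.sha256(data).hexdigest() == expected_sha256.lower()


def verify_cached_jar(entry, path=None):
    """Re-hash the jar on disk (default: the path recorded in the report) and
    compare it with the report's SHA-256. Returns None if the file is absent."""
    path = path or entry["path"]
    try:
        with open(path, "rb") as fh:
            return verify_blob(entry["sha256"], fh.read())
    except FileNotFoundError:
        return None


if __name__ == "__main__":
    entries = parse_report(REPORT_LINES)
    for e in entries:
        if not cache_dir_matches_sha1(e):
            print(f"cache dir / SHA-1 mismatch: {e['file']}")
        if verify_cached_jar(e) is False:
            print(f"SHA-256 mismatch on disk: {e['path']}")
    for name, versions in sorted(find_version_skew(entries).items()):
        print(name)
        for v, scopes in sorted(versions.items()):
            print(f"  {v}: {', '.join(scopes)}")
```

The skew report is the part to act on: a fix that bumps the version on compileClasspath does nothing for the jar under webapps, so each scope listed should be checked against the advisory separately. `verify_cached_jar` only runs meaningfully on the machine that produced the report (the paths are absolute, and the Gradle cache is per user home); pass `path=` to point it at a copy elsewhere.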
JAXB Binding Compiler. Contains source code needed for binding customization files into java sources.
In other words: the *tool* to generate java classes for the given xml representation.
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.glassfish.jaxb/jaxb-xjc/2.3.6/f94c2776c1cb6e892e7f95598aeefd73bd505d95/jaxb-xjc-2.3.6.jar MD5: 0d6d26d1872ee086baa49054dc62a140 SHA1: f94c2776c1cb6e892e7f95598aeefd73bd505d95 SHA256:703df153dd86d2b6d058a0af8ca60f545a8299e261231f5bbf6a27539eb32c8a Referenced In Project/Scope: server-start:runtimeClasspath jaxb-xjc-2.3.6.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/com.sun.xml.ws/jaxws-tools/2.3.3/dacff515f8dacb7767857e4126b0bedece8b7d9c/jaxws-tools-2.3.3.jar MD5: 2857ca54f3e5766268b9b05eb466c91a SHA1: dacff515f8dacb7767857e4126b0bedece8b7d9c SHA256:6aa1506f7f5083ee84dafc6784e7367b038e6ea5f7c0e819c03022a90277509d Referenced In Project/Scope: server-start:runtimeClasspath jaxws-tools-2.3.3.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified
Agno versions prior to 2.3.24 contain an arbitrary code execution vulnerability in the model execution component that allows attackers to execute arbitrary Python code by manipulating the field_type parameter passed to eval(). Attackers can influence the field_type value in a FunctionCall to achieve remote code execution.
CWE-95 Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.jctools/jctools-core/2.1.2/8ec46a6a26e7c1c7e57e2590a043238ffc462144/jctools-core-2.1.2.jar MD5: 2489a6a01999f1397248941ab5d84071 SHA1: 8ec46a6a26e7c1c7e57e2590a043238ffc462144 SHA256:93dcfe1b4b5c2ae8109a98003e2092d04f83ace4ed0cc0b1754c895c81ddaee6 Referenced In Project/Scope: server-start:runtimeClasspath jctools-core-2.1.2.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.glassfish.jersey.core/jersey-client/3.1.11/d33fa8450c53b5d4c3405e9fecdf68e8d190af64/jersey-client-3.1.11.jar MD5: e50f99ed8ed91671bc17a1454a49360e SHA1: d33fa8450c53b5d4c3405e9fecdf68e8d190af64 SHA256:9f0f532a6babb530f4c7d6fc4f452b996a97aa7c34248bf249eea8a2ce639758 Referenced In Project/Scope: server-start:webapps jersey-client-3.1.11.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend.webservices/restapi@unspecified
EPL 2.0: http://www.eclipse.org/legal/epl-2.0
The GNU General Public License (GPL), Version 2, With Classpath Exception: https://www.gnu.org/software/classpath/license.html
Apache License, 2.0: http://www.apache.org/licenses/LICENSE-2.0.html
Public Domain: https://creativecommons.org/publicdomain/zero/1.0/
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.glassfish.jersey.core/jersey-common/3.1.11/58cea05a20223bc23ffd96ade81536d61a26ac3/jersey-common-3.1.11.jar MD5: 24d74457850f006727590b0e32106205 SHA1: 058cea05a20223bc23ffd96ade81536d61a26ac3 SHA256: ec516d7c2fdcfcd7eb7739eacf3cd6914e17a1595fd45826b33c8765965981b2 Referenced In Project/Scope: server-start:webapps jersey-common-3.1.11.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/TRANSCONNECT.backend.webservices/restapi@unspecified
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.glassfish.jersey.containers/jersey-container-servlet-core/3.1.11/1ed90ffac6a6cfd9a496a3a8002dc0b2037470c4/jersey-container-servlet-core-3.1.11.jar MD5: b00f1766cd2b102572f9f0aa85710106 SHA1: 1ed90ffac6a6cfd9a496a3a8002dc0b2037470c4 SHA256: 4c93b928d93037d7250ab1db9b9eb5e2bd12cf9e67cd48d25dcc835249d47e40 Referenced In Project/Scope: server-start:webapps jersey-container-servlet-core-3.1.11.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/TRANSCONNECT.backend.webservices/restapi@unspecified
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.glassfish.jersey.inject/jersey-hk2/3.1.11/3f51dfcd27ed8a773eb42f0317c9a4de07328d07/jersey-hk2-3.1.11.jar MD5: 3dc15f546bdf4c45125179ee69a87399 SHA1: 3f51dfcd27ed8a773eb42f0317c9a4de07328d07 SHA256: faeee985d70b8223a9eb22baabf579d9f860141716efcaf74b0a252a63959fc3 Referenced In Project/Scope: server-start:webapps jersey-hk2-3.1.11.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/TRANSCONNECT.backend.webservices/restapi@unspecified
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.glassfish.jersey.media/jersey-media-multipart/3.1.11/bd24fc31c6d70b48b418ea97f0ddb45838e01324/jersey-media-multipart-3.1.11.jar MD5: 52048bfe5c1f1486b4c51775314f6c34 SHA1: bd24fc31c6d70b48b418ea97f0ddb45838e01324 SHA256: 335d4b92e033f290cb9433d34d000c33ce0016c0be4d15a5297981cc6c5b433e Referenced In Project/Scope: server-start:webapps jersey-media-multipart-3.1.11.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/TRANSCONNECT.backend.webservices/restapi@unspecified
EPL 2.0: http://www.eclipse.org/legal/epl-2.0
The GNU General Public License (GPL), Version 2, With Classpath Exception: https://www.gnu.org/software/classpath/license.html
Apache License, 2.0: http://www.apache.org/licenses/LICENSE-2.0.html
Modified BSD: https://asm.ow2.io/license.html
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.glassfish.jersey.core/jersey-server/3.1.11/b65a67a4ce399063cd88107b360d210d434f1e9a/jersey-server-3.1.11.jar MD5: dc77c1ecc1eca1253d0ba37a0e3aa9a2 SHA1: b65a67a4ce399063cd88107b360d210d434f1e9a SHA256: 7dde2adf6600f3e8f723e37a8c96c31838a682f8db854fdcfcf4f00695d6f903 Referenced In Project/Scope: server-start:webapps jersey-server-3.1.11.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/TRANSCONNECT.backend.webservices/restapi@unspecified
EPL-2.0 OR Apache-2.0
https://www.eclipse.org/legal/epl-2.0/, https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-alpn-client/12.1.8/eba832cbc0dc8da2e3a8bd3534806a2b9d321418/jetty-alpn-client-12.1.8.jar MD5: b8c3aa6be24b17b63c6c3df0dcb607ba SHA1: eba832cbc0dc8da2e3a8bd3534806a2b9d321418 SHA256: 91953f4a034590e7dac4589038fe0ef7400e04cd2e1e54c0027d88ba0c545f18 Referenced In Project/Scope: server-start:runtimeClasspath jetty-alpn-client-12.1.8.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified
Evidence
Type | Source | Name | Value | Confidence
Vendor | file | name | jetty-alpn-client | High
Vendor | gradle | artifactid | jetty-alpn-client | Highest
Vendor | gradle | groupid | org.eclipse.jetty | Highest
Vendor | jar | package name | alpn | Highest
Vendor | jar | package name | client | Highest
Vendor | jar | package name | eclipse | Highest
Vendor | jar | package name | jetty | Highest
Vendor | Manifest | build-jdk-spec | 25 | Low
Vendor | Manifest | bundle-copyright | Copyright (c) 1995 Mort Bay Consulting Pty Ltd and others. | Low
Vendor | Manifest | bundle-docurl | https://jetty.org/ | Low
Vendor | Manifest | bundle-symbolicname | org.eclipse.jetty.alpn.client | Medium
Vendor | Manifest | Implementation-Vendor | Eclipse Jetty Project | High
Vendor | Manifest | url | https://jetty.org/ | Low
Vendor | pom | artifactid | jetty-alpn-client | Low
Vendor | pom | groupid | org.eclipse.jetty | Highest
Vendor | pom | name | Core :: ALPN :: Client | High
Vendor | pom | parent-artifactid | jetty-alpn | Low
Product | file | name | jetty-alpn-client | High
Product | gradle | artifactid | jetty-alpn-client | Highest
Product | jar | package name | alpn | Highest
Product | jar | package name | client | Highest
Product | jar | package name | eclipse | Highest
Product | jar | package name | jetty | Highest
Product | Manifest | build-jdk-spec | 25 | Low
Product | Manifest | bundle-copyright | Copyright (c) 1995 Mort Bay Consulting Pty Ltd and others. |
EPL-2.0 OR Apache-2.0
https://www.eclipse.org/legal/epl-2.0/, https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-alpn-conscrypt-server/12.1.8/4656edd8516fff59499ed9a0a737f6c6797ab2d/jetty-alpn-conscrypt-server-12.1.8.jar MD5: 6e494ed4983e263194d696c23e8abfa9 SHA1: 04656edd8516fff59499ed9a0a737f6c6797ab2d SHA256: ec569589f68d928e85d4f4f9b6f63768b46a3141bd68b555d16288c7aadc9882 Referenced In Project/Scope: server-start:runtimeClasspath jetty-alpn-conscrypt-server-12.1.8.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified
Evidence
Type | Source | Name | Value | Confidence
Vendor | file | name | jetty-alpn-conscrypt-server | High
Vendor | gradle | artifactid | jetty-alpn-conscrypt-server | Highest
Vendor | gradle | groupid | org.eclipse.jetty | Highest
Vendor | jar | package name | alpn | Highest
Vendor | jar | package name | conscrypt | Highest
Vendor | jar | package name | eclipse | Highest
Vendor | jar | package name | jetty | Highest
Vendor | Manifest | build-jdk-spec | 25 | Low
Vendor | Manifest | bundle-copyright | Copyright (c) 1995 Mort Bay Consulting Pty Ltd and others. |
EPL-2.0 OR Apache-2.0
https://www.eclipse.org/legal/epl-2.0/, https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-alpn-java-client/12.1.8/72314c334fd32da5a75ec435d6f9cb9a12345afe/jetty-alpn-java-client-12.1.8.jar MD5: ec80cf2a8e7a514e2bc23b047a08d4f1 SHA1: 72314c334fd32da5a75ec435d6f9cb9a12345afe SHA256: 781696614cd0afd684cbb2a252021bca7c85fbb68bc0c28c8a9a7c65362f4d4a Referenced In Project/Scope: server-start:runtimeClasspath jetty-alpn-java-client-12.1.8.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified
Evidence
Type | Source | Name | Value | Confidence
Vendor | file | name | jetty-alpn-java-client | High
Vendor | gradle | artifactid | jetty-alpn-java-client | Highest
Vendor | gradle | groupid | org.eclipse.jetty | Highest
Vendor | jar | package name | alpn | Highest
Vendor | jar | package name | eclipse | Highest
Vendor | jar | package name | java | Highest
Vendor | jar | package name | jetty | Highest
Vendor | Manifest | build-jdk-spec | 25 | Low
Vendor | Manifest | bundle-copyright | Copyright (c) 1995 Mort Bay Consulting Pty Ltd and others. |
EPL-2.0 OR Apache-2.0
https://www.eclipse.org/legal/epl-2.0/, https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-alpn-java-server/12.1.8/c81e3a13de2c8cf0173f3841c411e0c31e9022a9/jetty-alpn-java-server-12.1.8.jar MD5: 2ae28985edf13eacec2034ee5c1deaba SHA1: c81e3a13de2c8cf0173f3841c411e0c31e9022a9 SHA256: 36cf96f5e254792ff078ce56242ffc5a8cb2dcd1bafb8364f8d8db0f286004db Referenced In Project/Scope: server-start:runtimeClasspath jetty-alpn-java-server-12.1.8.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified
Evidence
Type | Source | Name | Value | Confidence
Vendor | file | name | jetty-alpn-java-server | High
Vendor | gradle | artifactid | jetty-alpn-java-server | Highest
Vendor | gradle | groupid | org.eclipse.jetty | Highest
Vendor | jar | package name | alpn | Highest
Vendor | jar | package name | eclipse | Highest
Vendor | jar | package name | java | Highest
Vendor | jar | package name | jetty | Highest
Vendor | Manifest | build-jdk-spec | 25 | Low
Vendor | Manifest | bundle-copyright | Copyright (c) 1995 Mort Bay Consulting Pty Ltd and others. |
EPL-2.0 OR Apache-2.0
https://www.eclipse.org/legal/epl-2.0/, https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-alpn-server/12.1.8/19bf9257d0012161b5e1f86dd2ecef1b06dd858c/jetty-alpn-server-12.1.8.jar MD5: 083a0c6085d7c4d48d21353f2fdd2032 SHA1: 19bf9257d0012161b5e1f86dd2ecef1b06dd858c SHA256: 7f35204e0837154f4348e81dcc84d15187055fccc0a922cc0c751ddb2753e8dd Referenced In Project/Scope: server-start:runtimeClasspath jetty-alpn-server-12.1.8.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified
Evidence
Type | Source | Name | Value | Confidence
Vendor | file | name | jetty-alpn-server | High
Vendor | gradle | artifactid | jetty-alpn-server | Highest
Vendor | gradle | groupid | org.eclipse.jetty | Highest
Vendor | jar | package name | alpn | Highest
Vendor | jar | package name | eclipse | Highest
Vendor | jar | package name | jetty | Highest
Vendor | jar | package name | server | Highest
Vendor | Manifest | build-jdk-spec | 25 | Low
Vendor | Manifest | bundle-copyright | Copyright (c) 1995 Mort Bay Consulting Pty Ltd and others. | Low
Vendor | Manifest | bundle-docurl | https://jetty.org/ | Low
Vendor | Manifest | bundle-symbolicname | org.eclipse.jetty.alpn.server;singleton:=true | Medium
Vendor | Manifest | Implementation-Vendor | Eclipse Jetty Project | High
Vendor | Manifest | url | https://jetty.org/ | Low
Vendor | pom | artifactid | jetty-alpn-server | Low
Vendor | pom | groupid | org.eclipse.jetty | Highest
Vendor | pom | name | Core :: ALPN :: Server | High
Vendor | pom | parent-artifactid | jetty-alpn | Low
Product | file | name | jetty-alpn-server | High
Product | gradle | artifactid | jetty-alpn-server | Highest
Product | jar | package name | alpn | Highest
Product | jar | package name | eclipse | Highest
Product | jar | package name | jetty | Highest
Product | jar | package name | server | Highest
Product | Manifest | build-jdk-spec | 25 | Low
Product | Manifest | bundle-copyright | Copyright (c) 1995 Mort Bay Consulting Pty Ltd and others. |
Jetty Client API and HTTP/1.1 Implementation Artifact
License:
EPL-2.0 OR Apache-2.0
https://www.eclipse.org/legal/epl-2.0/, https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-client/12.1.8/82c2805f296ff253ccdd36a8fb4d9a15bb5694e/jetty-client-12.1.8.jar MD5: a5265f00eec6340aa885f22e8979d495 SHA1: 082c2805f296ff253ccdd36a8fb4d9a15bb5694e SHA256: 460d4d74c95a591bf6c16be6388186427b773c0110605b3d329955f7a442122c Referenced In Project/Scope: server-start:runtimeClasspath jetty-client-12.1.8.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified
Evidence
Type | Source | Name | Value | Confidence
Vendor | file | name | jetty-client | High
Vendor | gradle | artifactid | jetty-client | Highest
Vendor | gradle | groupid | org.eclipse.jetty | Highest
Vendor | jar | package name | client | Highest
Vendor | jar | package name | eclipse | Highest
Vendor | jar | package name | jetty | Highest
Vendor | Manifest | build-jdk-spec | 25 | Low
Vendor | Manifest | bundle-copyright | Copyright (c) 1995 Mort Bay Consulting Pty Ltd and others. | Low
Vendor | Manifest | bundle-docurl | https://jetty.org/ | Low
Vendor | Manifest | bundle-symbolicname | org.eclipse.jetty.client | Medium
Vendor | Manifest | Implementation-Vendor | Eclipse Jetty Project | High
Vendor | Manifest | url | https://jetty.org/ | Low
Vendor | pom | artifactid | jetty-client | Low
Vendor | pom | groupid | org.eclipse.jetty | Highest
Vendor | pom | name | Core :: HTTP Client | High
Vendor | pom | parent-artifactid | jetty-core | Low
Product | file | name | jetty-client | High
Product | gradle | artifactid | jetty-client | Highest
Product | jar | package name | client | Highest
Product | jar | package name | eclipse | Highest
Product | jar | package name | jetty | Highest
Product | Manifest | build-jdk-spec | 25 | Low
Product | Manifest | bundle-copyright | Copyright (c) 1995 Mort Bay Consulting Pty Ltd and others. |
EPL-2.0 OR Apache-2.0
https://www.eclipse.org/legal/epl-2.0/, https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.eclipse.jetty.compression/jetty-compression-common/12.1.8/a88edf9dbf4dad0deb8b799483fbc9f8f217af78/jetty-compression-common-12.1.8.jar MD5: 9c6508d9f073abf897ca775bcd8cccb0 SHA1: a88edf9dbf4dad0deb8b799483fbc9f8f217af78 SHA256: 46f12d348115f310130c7df6e736017c6e7dc032f19b96a0dc2658f56ec43bf1 Referenced In Project/Scope: server-start:runtimeClasspath jetty-compression-common-12.1.8.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified
Evidence
Type | Source | Name | Value | Confidence
Vendor | file | name | jetty-compression-common | High
Vendor | gradle | artifactid | jetty-compression-common | Highest
Vendor | gradle | groupid | org.eclipse.jetty.compression | Highest
Vendor | jar | package name | compression | Highest
Vendor | jar | package name | eclipse | Highest
Vendor | jar | package name | jetty | Highest
Vendor | Manifest | build-jdk-spec | 25 | Low
Vendor | Manifest | bundle-copyright | Copyright (c) 1995 Mort Bay Consulting Pty Ltd and others. | Low
Vendor | Manifest | bundle-docurl | https://jetty.org/ | Low
Vendor | Manifest | bundle-symbolicname | org.eclipse.jetty.compression.common | Medium
Vendor | Manifest | Implementation-Vendor | Eclipse Jetty Project | High
Vendor | Manifest | url | https://jetty.org/ | Low
Vendor | pom | artifactid | jetty-compression-common | Low
Vendor | pom | groupid | org.eclipse.jetty.compression | Highest
Vendor | pom | name | Core :: Compression :: Common | High
Vendor | pom | parent-artifactid | jetty-compression | Low
Product | file | name | jetty-compression-common | High
Product | gradle | artifactid | jetty-compression-common | Highest
Product | jar | package name | compression | Highest
Product | jar | package name | eclipse | Highest
Product | jar | package name | jetty | Highest
Product | Manifest | build-jdk-spec | 25 | Low
Product | Manifest | bundle-copyright | Copyright (c) 1995 Mort Bay Consulting Pty Ltd and others. |
EPL-2.0 OR Apache-2.0
https://www.eclipse.org/legal/epl-2.0/, https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.eclipse.jetty.compression/jetty-compression-gzip/12.1.8/cb44ba5d5a05383e8fa612bf265aa86b238e0893/jetty-compression-gzip-12.1.8.jar MD5: 9680c74c689de5bfd88f3a50d11636d7 SHA1: cb44ba5d5a05383e8fa612bf265aa86b238e0893 SHA256: 482455c2e4b243913354dfd52cf2a68becfb9a7479c1deb385019f97925f0ae0 Referenced In Project/Scope: server-start:runtimeClasspath jetty-compression-gzip-12.1.8.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified
Evidence
Type | Source | Name | Value | Confidence
Vendor | file | name | jetty-compression-gzip | High
Vendor | gradle | artifactid | jetty-compression-gzip | Highest
Vendor | gradle | groupid | org.eclipse.jetty.compression | Highest
Vendor | jar | package name | compression | Highest
Vendor | jar | package name | eclipse | Highest
Vendor | jar | package name | gzip | Highest
Vendor | jar | package name | jetty | Highest
Vendor | Manifest | build-jdk-spec | 25 | Low
Vendor | Manifest | bundle-copyright | Copyright (c) 1995 Mort Bay Consulting Pty Ltd and others. |
EPL-2.0 OR Apache-2.0
https://www.eclipse.org/legal/epl-2.0/, https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-deploy/12.1.8/d37ec3197448ee0cf4895f90ba08530f4441f4e6/jetty-deploy-12.1.8.jar MD5: 36168f0a2ff0a4857c2953dfa50fb3be SHA1: d37ec3197448ee0cf4895f90ba08530f4441f4e6 SHA256: 46e91f87ad0f45db660136f761f65770beb9a7bda626fc01409ff507c15692cc Referenced In Project/Scope: server-start:runtimeClasspath jetty-deploy-12.1.8.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified
Evidence
Type | Source | Name | Value | Confidence
Vendor | file | name | jetty-deploy | High
Vendor | gradle | artifactid | jetty-deploy | Highest
Vendor | gradle | groupid | org.eclipse.jetty | Highest
Vendor | jar | package name | deploy | Highest
Vendor | jar | package name | deployer | Highest
Vendor | jar | package name | eclipse | Highest
Vendor | jar | package name | jetty | Highest
Vendor | Manifest | build-jdk-spec | 25 | Low
Vendor | Manifest | bundle-copyright | Copyright (c) 1995 Mort Bay Consulting Pty Ltd and others. | Low
Vendor | Manifest | bundle-docurl | https://jetty.org/ | Low
Vendor | Manifest | bundle-symbolicname | org.eclipse.jetty.deploy | Medium
Vendor | Manifest | Implementation-Vendor | Eclipse Jetty Project | High
Vendor | Manifest | url | https://jetty.org/ | Low
Vendor | pom | artifactid | jetty-deploy | Low
Vendor | pom | groupid | org.eclipse.jetty | Highest
Vendor | pom | name | Core :: Deployer | High
Vendor | pom | parent-artifactid | jetty-core | Low
Product | file | name | jetty-deploy | High
Product | gradle | artifactid | jetty-deploy | Highest
Product | jar | package name | deploy | Highest
Product | jar | package name | deployer | Highest
Product | jar | package name | eclipse | Highest
Product | jar | package name | jetty | Highest
Product | Manifest | build-jdk-spec | 25 | Low
Product | Manifest | bundle-copyright | Copyright (c) 1995 Mort Bay Consulting Pty Ltd and others. |
EPL-2.0 OR Apache-2.0
https://www.eclipse.org/legal/epl-2.0/, https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.eclipse.jetty.ee10/jetty-ee10-jaspi/12.1.8/e5ead55ba9f0839752b3fb327a4ca1491fa3bf5b/jetty-ee10-jaspi-12.1.8.jar MD5: 5b658762ebf6527288f9043f5bc1a721 SHA1: e5ead55ba9f0839752b3fb327a4ca1491fa3bf5b SHA256: 2c83aa62934a8a82399a04162a57a1338641cac37fb800f9017a8d0d609fc5d2 Referenced In Project/Scope: server-start:runtimeClasspath jetty-ee10-jaspi-12.1.8.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified
Evidence
Type | Source | Name | Value | Confidence
Vendor | file | name | jetty-ee10-jaspi | High
Vendor | gradle | artifactid | jetty-ee10-jaspi | Highest
Vendor | gradle | groupid | org.eclipse.jetty.ee10 | Highest
Vendor | jar | package name | eclipse | Highest
Vendor | jar | package name | ee10 | Highest
Vendor | jar | package name | jetty | Highest
Vendor | jar | package name | security | Highest
Vendor | Manifest | build-jdk-spec | 25 | Low
Vendor | Manifest | bundle-copyright | Copyright (c) 1995 Mort Bay Consulting Pty Ltd and others. |
EPL-2.0 OR Apache-2.0
https://www.eclipse.org/legal/epl-2.0/, https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.eclipse.jetty.ee10/jetty-ee10-quickstart/12.1.8/bfac0da71f59b7fffc50a0f6665e7583e384bf1/jetty-ee10-quickstart-12.1.8.jar MD5: 8fb590b8c61193f1c1d230c8865f81d1 SHA1: 0bfac0da71f59b7fffc50a0f6665e7583e384bf1 SHA256: 532fc7d63d63dfde13b5f629ca6a8a9b7dd132a078c06e3f06da82aff4fe27cd Referenced In Project/Scope: server-start:runtimeClasspath jetty-ee10-quickstart-12.1.8.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified
Evidence
Type | Source | Name | Value | Confidence
Vendor | file | name | jetty-ee10-quickstart | High
Vendor | gradle | artifactid | jetty-ee10-quickstart | Highest
Vendor | gradle | groupid | org.eclipse.jetty.ee10 | Highest
Vendor | jar | package name | eclipse | Highest
Vendor | jar | package name | ee10 | Highest
Vendor | jar | package name | jetty | Highest
Vendor | jar | package name | quickstart | Highest
Vendor | Manifest | build-jdk-spec | 25 | Low
Vendor | Manifest | bundle-copyright | Copyright (c) 1995 Mort Bay Consulting Pty Ltd and others. |
EPL-2.0 OR Apache-2.0
https://www.eclipse.org/legal/epl-2.0/, https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.eclipse.jetty.http2/jetty-http2-common/12.1.8/7bb96d3c2b28946660cc3097ca391d8eca181363/jetty-http2-common-12.1.8.jar MD5: c18d8f0747df78b4126586d106c9421e SHA1: 7bb96d3c2b28946660cc3097ca391d8eca181363 SHA256: fba638a53abd3985d0cb568ed35170cb708dbdda364aa6c087a4e54a4ad850cb Referenced In Project/Scope: server-start:runtimeClasspath jetty-http2-common-12.1.8.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified
Evidence
Type | Source | Name | Value | Confidence
Vendor | file | name | jetty-http2-common | High
Vendor | gradle | artifactid | jetty-http2-common | Highest
Vendor | gradle | groupid | org.eclipse.jetty.http2 | Highest
Vendor | jar | package name | eclipse | Highest
Vendor | jar | package name | http2 | Highest
Vendor | jar | package name | jetty | Highest
Vendor | Manifest | build-jdk-spec | 25 | Low
Vendor | Manifest | bundle-copyright | Copyright (c) 1995 Mort Bay Consulting Pty Ltd and others. | Low
Vendor | Manifest | bundle-docurl | https://jetty.org/ | Low
Vendor | Manifest | bundle-symbolicname | org.eclipse.jetty.http2.common | Medium
Vendor | Manifest | Implementation-Vendor | Eclipse Jetty Project | High
Vendor | Manifest | url | https://jetty.org/ | Low
Vendor | pom | artifactid | jetty-http2-common | Low
Vendor | pom | groupid | org.eclipse.jetty.http2 | Highest
Vendor | pom | name | Core :: HTTP2 :: Common | High
Vendor | pom | parent-artifactid | jetty-http2 | Low
Product | file | name | jetty-http2-common | High
Product | gradle | artifactid | jetty-http2-common | Highest
Product | jar | package name | eclipse | Highest
Product | jar | package name | http2 | Highest
Product | jar | package name | jetty | Highest
Product | Manifest | build-jdk-spec | 25 | Low
Product | Manifest | bundle-copyright | Copyright (c) 1995 Mort Bay Consulting Pty Ltd and others. |
EPL-2.0 OR Apache-2.0
https://www.eclipse.org/legal/epl-2.0/, https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.eclipse.jetty.http2/jetty-http2-hpack/12.1.8/4239e1a8d00dd1fa6afe29c7623e531b7490516/jetty-http2-hpack-12.1.8.jar MD5: de508b8a4f3c62468208283ebdf14020 SHA1: 04239e1a8d00dd1fa6afe29c7623e531b7490516 SHA256: 7eb7fc3d1420fcc8c04df7cdd8e35f6e96a927f5a4cc455734d108af7079a898 Referenced In Project/Scope: server-start:runtimeClasspath jetty-http2-hpack-12.1.8.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified
Evidence
Type | Source | Name | Value | Confidence
Vendor | file | name | jetty-http2-hpack | High
Vendor | gradle | artifactid | jetty-http2-hpack | Highest
Vendor | gradle | groupid | org.eclipse.jetty.http2 | Highest
Vendor | jar | package name | eclipse | Highest
Vendor | jar | package name | hpack | Highest
Vendor | jar | package name | http2 | Highest
Vendor | jar | package name | jetty | Highest
Vendor | Manifest | build-jdk-spec | 25 | Low
Vendor | Manifest | bundle-copyright | Copyright (c) 1995 Mort Bay Consulting Pty Ltd and others. |
EPL-2.0 OR Apache-2.0
https://www.eclipse.org/legal/epl-2.0/, https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.eclipse.jetty.http2/jetty-http2-server/12.1.8/d6a3ba74c43cd2355b1ef90b1a5e06b57e77f40d/jetty-http2-server-12.1.8.jar MD5: 0a7e0eb69f48649c0439e59fd5c60dcc SHA1: d6a3ba74c43cd2355b1ef90b1a5e06b57e77f40d SHA256: e5c99e8b7dc386f6e61a661458128e0c0a6a40be29df1333715328e0f5feb284 Referenced In Project/Scope: server-start:runtimeClasspath jetty-http2-server-12.1.8.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified
Evidence
Type | Source | Name | Value | Confidence
Vendor | file | name | jetty-http2-server | High
Vendor | gradle | artifactid | jetty-http2-server | Highest
Vendor | gradle | groupid | org.eclipse.jetty.http2 | Highest
Vendor | jar | package name | eclipse | Highest
Vendor | jar | package name | http2 | Highest
Vendor | jar | package name | jetty | Highest
Vendor | jar | package name | server | Highest
Vendor | Manifest | build-jdk-spec | 25 | Low
Vendor | Manifest | bundle-copyright | Copyright (c) 1995 Mort Bay Consulting Pty Ltd and others. | Low
Vendor | Manifest | bundle-docurl | https://jetty.org/ | Low
Vendor | Manifest | bundle-symbolicname | org.eclipse.jetty.http2.server | Medium
Vendor | Manifest | Implementation-Vendor | Eclipse Jetty Project | High
Vendor | Manifest | url | https://jetty.org/ | Low
Vendor | pom | artifactid | jetty-http2-server | Low
Vendor | pom | groupid | org.eclipse.jetty.http2 | Highest
Vendor | pom | name | Core :: HTTP2 :: Server | High
Vendor | pom | parent-artifactid | jetty-http2 | Low
Product | file | name | jetty-http2-server | High
Product | gradle | artifactid | jetty-http2-server | Highest
Product | jar | package name | eclipse | Highest
Product | jar | package name | http2 | Highest
Product | jar | package name | jetty | Highest
Product | jar | package name | server | Highest
Product | Manifest | build-jdk-spec | 25 | Low
Product | Manifest | bundle-copyright | Copyright (c) 1995 Mort Bay Consulting Pty Ltd and others. |
EPL-2.0 OR Apache-2.0
https://www.eclipse.org/legal/epl-2.0/, https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-jmx/12.1.8/ae31f4568f1cd7b611190e1d80057a1cc9d78031/jetty-jmx-12.1.8.jar MD5: 697660bf3d040abe690009e760666530 SHA1: ae31f4568f1cd7b611190e1d80057a1cc9d78031 SHA256: ee0bcc35da8abef43eba822afce66fa227cc6ec170a258d03f3f89df42454ab5 Referenced In Project/Scope: server-start:runtimeClasspath jetty-jmx-12.1.8.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified
Evidence
Type | Source | Name | Value | Confidence
Vendor | file | name | jetty-jmx | High
Vendor | gradle | artifactid | jetty-jmx | Highest
Vendor | gradle | groupid | org.eclipse.jetty | Highest
Vendor | jar | package name | eclipse | Highest
Vendor | jar | package name | jetty | Highest
Vendor | jar | package name | jmx | Highest
Vendor | Manifest | build-jdk-spec | 25 | Low
Vendor | Manifest | bundle-copyright | Copyright (c) 1995 Mort Bay Consulting Pty Ltd and others. | Low
Vendor | Manifest | bundle-docurl | https://jetty.org/ | Low
Vendor | Manifest | bundle-symbolicname | org.eclipse.jetty.jmx | Medium
Vendor | Manifest | Implementation-Vendor | Eclipse Jetty Project | High
Vendor | Manifest | url | https://jetty.org/ | Low
Vendor | pom | artifactid | jetty-jmx | Low
Vendor | pom | groupid | org.eclipse.jetty | Highest
Vendor | pom | name | Core :: JMX | High
Vendor | pom | parent-artifactid | jetty-core | Low
Product | file | name | jetty-jmx | High
Product | gradle | artifactid | jetty-jmx | Highest
Product | jar | package name | eclipse | Highest
Product | jar | package name | jetty | Highest
Product | jar | package name | jmx | Highest
Product | Manifest | build-jdk-spec | 25 | Low
Product | Manifest | bundle-copyright | Copyright (c) 1995 Mort Bay Consulting Pty Ltd and others. |
EPL-2.0 OR Apache-2.0
https://www.eclipse.org/legal/epl-2.0/, https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-keystore/12.1.8/a6b8ae8badfa86eb81212fe474fadae295ae08e1/jetty-keystore-12.1.8.jar MD5: 4e026af7458941e985067d25ba5a6851 SHA1: a6b8ae8badfa86eb81212fe474fadae295ae08e1 SHA256: b7456e7781d5da1ed0b2b952680405988ebcd18976ea3c895919da2bb4ed8b96 Referenced In Project/Scope: server-start:runtimeClasspath jetty-keystore-12.1.8.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified
Evidence
Type | Source | Name | Value | Confidence
Vendor | file | name | jetty-keystore | High
Vendor | gradle | artifactid | jetty-keystore | Highest
Vendor | gradle | groupid | org.eclipse.jetty | Highest
Vendor | jar | package name | eclipse | Highest
Vendor | jar | package name | jetty | Highest
Vendor | jar | package name | keystore | Highest
Vendor | Manifest | build-jdk-spec | 25 | Low
Vendor | Manifest | bundle-copyright | Copyright (c) 1995 Mort Bay Consulting Pty Ltd and others. | Low
Vendor | Manifest | bundle-docurl | https://jetty.org/ | Low
Vendor | Manifest | bundle-symbolicname | org.eclipse.jetty.keystore | Medium
Vendor | Manifest | Implementation-Vendor | Eclipse Jetty Project | High
Vendor | Manifest | url | https://jetty.org/ | Low
Vendor | pom | artifactid | jetty-keystore | Low
Vendor | pom | groupid | org.eclipse.jetty | Highest
Vendor | pom | name | Core :: Test Keystore | High
Vendor | pom | parent-artifactid | jetty-core | Low
Product | file | name | jetty-keystore | High
Product | gradle | artifactid | jetty-keystore | Highest
Product | jar | package name | eclipse | Highest
Product | jar | package name | jetty | Highest
Product | jar | package name | keystore | Highest
Product | Manifest | build-jdk-spec | 25 | Low
Product | Manifest | bundle-copyright | Copyright (c) 1995 Mort Bay Consulting Pty Ltd and others. |
Jetty module for Integrations :: Memcached :: Sessions
License:
EPL-2.0 OR Apache-2.0
https://www.eclipse.org/legal/epl-2.0/, https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.eclipse.jetty.memcached/jetty-memcached-sessions/12.1.8/24f27ec44e275dc20ff27659b592c5ecc21ccdb6/jetty-memcached-sessions-12.1.8.jar MD5: 0beae16c41bdfb2054570352c9fecbb0 SHA1: 24f27ec44e275dc20ff27659b592c5ecc21ccdb6 SHA256: 325958c90b9f3baf9799c16882bc3f202928d6fcf93e339a478fad06fa237963 Referenced In Project/Scope: server-start:runtimeClasspath jetty-memcached-sessions-12.1.8.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified
Evidence
Type | Source | Name | Value | Confidence
Vendor | file | name | jetty-memcached-sessions | High
Vendor | gradle | artifactid | jetty-memcached-sessions | Highest
Vendor | gradle | groupid | org.eclipse.jetty.memcached | Highest
Vendor | jar | package name | eclipse | Highest
Vendor | jar | package name | jetty | Highest
Vendor | jar | package name | memcached | Highest
Vendor | jar | package name | session | Highest
Vendor | Manifest | build-jdk-spec | 25 | Low
Vendor | Manifest | bundle-copyright | Copyright (c) 1995 Mort Bay Consulting Pty Ltd and others. | Low
Vendor | Manifest | bundle-docurl | https://jetty.org/ | Low
Vendor | Manifest | bundle-symbolicname | org.eclipse.jetty.memcached.session | Medium
Vendor | Manifest | Implementation-Vendor | Eclipse Jetty Project | High
Vendor | Manifest | url | https://jetty.org/ | Low
Vendor | pom | artifactid | jetty-memcached-sessions | Low
Vendor | pom | groupid | org.eclipse.jetty.memcached | Highest
Vendor | pom | name | Integrations :: Memcached :: Sessions | High
Vendor | pom | parent-artifactid | jetty-memcached | Low
Product | file | name | jetty-memcached-sessions | High
Product | gradle | artifactid | jetty-memcached-sessions | Highest
Product | jar | package name | eclipse | Highest
Product | jar | package name | jetty | Highest
Product | jar | package name | memcached | Highest
Product | jar | package name | session | Highest
Product | Manifest | build-jdk-spec | 25 | Low
Product | Manifest | bundle-copyright | Copyright (c) 1995 Mort Bay Consulting Pty Ltd and others. |
Jetty module for Integrations :: NoSQL :: Sessions
License:
EPL-2.0 OR Apache-2.0
https://www.eclipse.org/legal/epl-2.0/, https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-nosql/12.1.8/88924ed8f6cddd4e970753adc0b1e132af549e15/jetty-nosql-12.1.8.jar MD5: bb7518991142d54aec5c1768c29e65f6 SHA1: 88924ed8f6cddd4e970753adc0b1e132af549e15 SHA256: e1f109ab906d30596bef6fbeb574e8a5473afb8006072ca7d4eacb9f607be1cc Referenced In Project/Scope: server-start:runtimeClasspath jetty-nosql-12.1.8.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified
Evidence
Type | Source | Name | Value | Confidence
Vendor | file | name | jetty-nosql | High
Vendor | gradle | artifactid | jetty-nosql | Highest
Vendor | gradle | groupid | org.eclipse.jetty | Highest
Vendor | jar | package name | eclipse | Highest
Vendor | jar | package name | jetty | Highest
Vendor | jar | package name | nosql | Highest
Vendor | Manifest | build-jdk-spec | 25 | Low
Vendor | Manifest | bundle-copyright | Copyright (c) 1995 Mort Bay Consulting Pty Ltd and others. | Low
Vendor | Manifest | bundle-docurl | https://jetty.org/ | Low
Vendor | Manifest | bundle-symbolicname | org.eclipse.jetty.nosql | Medium
Vendor | Manifest | Implementation-Vendor | Eclipse Jetty Project | High
Vendor | Manifest | url | https://jetty.org/ | Low
Vendor | pom | artifactid | jetty-nosql | Low
Vendor | pom | groupid | org.eclipse.jetty | Highest
Vendor | pom | name | Integrations :: NoSQL :: Sessions | High
Vendor | pom | parent-artifactid | jetty-integrations | Low
Product | file | name | jetty-nosql | High
Product | gradle | artifactid | jetty-nosql | Highest
Product | jar | package name | eclipse | Highest
Product | jar | package name | jetty | Highest
Product | jar | package name | nosql | Highest
Product | Manifest | build-jdk-spec | 25 | Low
Product | Manifest | bundle-copyright | Copyright (c) 1995 Mort Bay Consulting Pty Ltd and others. |
EPL-2.0 OR Apache-2.0
https://www.eclipse.org/legal/epl-2.0/, https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-openid/12.1.8/bf42bbda535bb25e0293177a3589eb489e4342c5/jetty-openid-12.1.8.jar MD5: 3576fe03225d9452c71a3cebaf4a1c11 SHA1: bf42bbda535bb25e0293177a3589eb489e4342c5 SHA256:f56e0a329e531011a9d03fc7c46fe98cd8e36a15ee8c83c2f30ef25073af9c73 Referenced In Project/Scope: server-start:runtimeClasspath jetty-openid-12.1.8.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified
Evidence
Type | Source | Name | Value | Confidence
Vendor | file | name | jetty-openid | High
Vendor | gradle | artifactid | jetty-openid | Highest
Vendor | gradle | groupid | org.eclipse.jetty | Highest
Vendor | jar | package name | eclipse | Highest
Vendor | jar | package name | jetty | Highest
Vendor | jar | package name | openid | Highest
Vendor | Manifest | build-jdk-spec | 25 | Low
Vendor | Manifest | bundle-copyright | Copyright (c) 1995 Mort Bay Consulting Pty Ltd and others.
EPL-2.0 OR Apache-2.0
https://www.eclipse.org/legal/epl-2.0/, https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-proxy/12.1.8/4c642d96e5ff15a4ee8ac016a8dd41a6b88a581e/jetty-proxy-12.1.8.jar MD5: 227f4cba5ab9b7ff42bbc0de33c80a0e SHA1: 4c642d96e5ff15a4ee8ac016a8dd41a6b88a581e SHA256:b8387449fbb959bbb7788c56c1e3cf78a7069c60529842ce6a8d7e3751fe97fb Referenced In Project/Scope: server-start:runtimeClasspath jetty-proxy-12.1.8.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified
Evidence
Type | Source | Name | Value | Confidence
Vendor | file | name | jetty-proxy | High
Vendor | gradle | artifactid | jetty-proxy | Highest
Vendor | gradle | groupid | org.eclipse.jetty | Highest
Vendor | jar | package name | eclipse | Highest
Vendor | jar | package name | jetty | Highest
Vendor | jar | package name | proxy | Highest
Vendor | Manifest | build-jdk-spec | 25 | Low
Vendor | Manifest | bundle-copyright | Copyright (c) 1995 Mort Bay Consulting Pty Ltd and others. | Low
Vendor | Manifest | bundle-docurl | https://jetty.org/ | Low
Vendor | Manifest | bundle-symbolicname | org.eclipse.jetty.proxy | Medium
Vendor | Manifest | Implementation-Vendor | Eclipse Jetty Project | High
Vendor | Manifest | url | https://jetty.org/ | Low
Vendor | pom | artifactid | jetty-proxy | Low
Vendor | pom | groupid | org.eclipse.jetty | Highest
Vendor | pom | name | Core :: Proxy | High
Vendor | pom | parent-artifactid | jetty-core | Low
Product | file | name | jetty-proxy | High
Product | gradle | artifactid | jetty-proxy | Highest
Product | jar | package name | eclipse | Highest
Product | jar | package name | jetty | Highest
Product | jar | package name | proxy | Highest
Product | Manifest | build-jdk-spec | 25 | Low
Product | Manifest | bundle-copyright | Copyright (c) 1995 Mort Bay Consulting Pty Ltd and others.
EPL-2.0 OR Apache-2.0
https://www.eclipse.org/legal/epl-2.0/, https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-unixdomain-server/12.1.8/d7f59488a5c07059388182e79caa014effe70cad/jetty-unixdomain-server-12.1.8.jar MD5: 3124d567341e49a637752507ae107644 SHA1: d7f59488a5c07059388182e79caa014effe70cad SHA256:8ba90a08d8db7130ca5aaf8c1a7f8fef922792f12702041cbbe63c07fee08881 Referenced In Project/Scope: server-start:runtimeClasspath jetty-unixdomain-server-12.1.8.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified
Evidence
Type | Source | Name | Value | Confidence
Vendor | file | name | jetty-unixdomain-server | High
Vendor | gradle | artifactid | jetty-unixdomain-server | Highest
Vendor | gradle | groupid | org.eclipse.jetty | Highest
Vendor | jar | package name | eclipse | Highest
Vendor | jar | package name | jetty | Highest
Vendor | jar | package name | server | Highest
Vendor | jar | package name | unixdomain | Highest
Vendor | Manifest | build-jdk-spec | 25 | Low
Vendor | Manifest | bundle-copyright | Copyright (c) 1995 Mort Bay Consulting Pty Ltd and others. | Low
Vendor | Manifest | bundle-docurl | https://jetty.org/ | Low
Vendor | Manifest | bundle-symbolicname | org.eclipse.jetty.unixdomain.server | Medium
Vendor | Manifest | Implementation-Vendor | Eclipse Jetty Project | High
Vendor | Manifest | url | https://jetty.org/ | Low
Vendor | pom | artifactid | jetty-unixdomain-server | Low
Vendor | pom | groupid | org.eclipse.jetty | Highest
Vendor | pom | name | Core :: Unix-Domain Sockets :: Server | High
Vendor | pom | parent-artifactid | jetty-core | Low
Product | file | name | jetty-unixdomain-server | High
Product | gradle | artifactid | jetty-unixdomain-server | Highest
Product | jar | package name | eclipse | Highest
Product | jar | package name | jetty | Highest
Product | jar | package name | server | Highest
Product | jar | package name | unixdomain | Highest
Product | Manifest | build-jdk-spec | 25 | Low
Product | Manifest | bundle-copyright | Copyright (c) 1995 Mort Bay Consulting Pty Ltd and others.
EPL-2.0 OR Apache-2.0
https://www.eclipse.org/legal/epl-2.0/, https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-util-ajax/12.1.8/78ad2456d1e9f00bd44737b15052528ca3592d32/jetty-util-ajax-12.1.8.jar MD5: c5a258ab31d7651bbbd2fcd5a4738e5b SHA1: 78ad2456d1e9f00bd44737b15052528ca3592d32 SHA256:bb127d1fb397148eb63107a29a16b17d755acd2308919d3891df84d7ba3406ea Referenced In Project/Scope: server-start:runtimeClasspath jetty-util-ajax-12.1.8.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified
Evidence
Type | Source | Name | Value | Confidence
Vendor | file | name | jetty-util-ajax | High
Vendor | gradle | artifactid | jetty-util-ajax | Highest
Vendor | gradle | groupid | org.eclipse.jetty | Highest
Vendor | jar | package name | ajax | Highest
Vendor | jar | package name | eclipse | Highest
Vendor | jar | package name | jetty | Highest
Vendor | jar | package name | util | Highest
Vendor | Manifest | build-jdk-spec | 25 | Low
Vendor | Manifest | bundle-copyright | Copyright (c) 1995 Mort Bay Consulting Pty Ltd and others. | Low
Vendor | Manifest | bundle-docurl | https://jetty.org/ | Low
Vendor | Manifest | bundle-symbolicname | org.eclipse.jetty.util.ajax | Medium
Vendor | Manifest | Implementation-Vendor | Eclipse Jetty Project | High
Vendor | Manifest | url | https://jetty.org/ | Low
Vendor | pom | artifactid | jetty-util-ajax | Low
Vendor | pom | groupid | org.eclipse.jetty | Highest
Vendor | pom | name | Core :: Utilities :: JSON | High
Vendor | pom | parent-artifactid | jetty-core | Low
Product | file | name | jetty-util-ajax | High
Product | gradle | artifactid | jetty-util-ajax | Highest
Product | jar | package name | ajax | Highest
Product | jar | package name | eclipse | Highest
Product | jar | package name | jetty | Highest
Product | jar | package name | util | Highest
Product | Manifest | build-jdk-spec | 25 | Low
Product | Manifest | bundle-copyright | Copyright (c) 1995 Mort Bay Consulting Pty Ltd and others.
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.jibx/jibx-run/1.3.3/7828a2a63cda4ee1b0da3fe05b8652e49e73697d/jibx-run-1.3.3.jar MD5: 76f763b5d103f81b49bad5ff9bc8c2ad SHA1: 7828a2a63cda4ee1b0da3fe05b8652e49e73697d SHA256:2dbe9429e10587d36dd3a2c68ffac377417995e10870ec05449e18277c2be27e Referenced In Project/Scope: server-start:runtimeClasspath jibx-run-1.3.3.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified
LGPL, version 2.1: http://www.gnu.org/licenses/licenses.html
Apache License v2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/net.java.dev.jna/jna/5.3.1/6eb9d07456c56b9c2560722e90382252f0f98405/jna-5.3.1.jar MD5: df3ad04f50fb50840eeb674210200f64 SHA1: 6eb9d07456c56b9c2560722e90382252f0f98405 SHA256:01cb505c0698d0f7acf3524c7e73acb7dc424a5bae5e9c86ce44075ab32bc4ee Referenced In Project/Scope: server-start:runtimeClasspath jna-5.3.1.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified
Date and time library to replace JDK date handling
License:
Apache License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/joda-time/joda-time/2.10.5/7f1d89817cd20a32444d5ab4160f035ab9b864e7/joda-time-2.10.5.jar MD5: a64a54718846cf874324c0967f74e57e SHA1: 7f1d89817cd20a32444d5ab4160f035ab9b864e7 SHA256:4ee73e7ff8e2df0d4e3408cf1a1527a59f265dd9fb43fb9b2eb818d87f93759e Referenced In Project/Scope: server-start:runtimeClasspath joda-time-2.10.5.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/joda-time/joda-time/2.8/9f2785d7184b97d005a44241ccaf980f43b9ccdb/joda-time-2.8.jar MD5: 4c17df2ad20161112283dbe6475e70d2 SHA1: 9f2785d7184b97d005a44241ccaf980f43b9ccdb SHA256:55ae8d6baf406ccfec88cc444de4a452c5725859b70a076ba50a7a7b75f68ed1 Referenced In Project/Scope: server-start:compileClasspath joda-time-2.8.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified
JSON is a light-weight, language independent, data interchange format.
See http://www.JSON.org/
The files in this package implement JSON encoders/decoders in Java.
It also includes the capability to convert between JSON and XML, HTTP
headers, Cookies, and CDL.
This is a reference implementation. There are a large number of JSON packages
in Java. Perhaps someday the Java community will standardize on one. Until
then, choose carefully.
License:
Public Domain: https://github.com/stleary/JSON-java/blob/master/LICENSE
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.json/json/20250517/d67181bbd819ccceb929b580a4e2fcb0c8b17cd8/json-20250517.jar MD5: 5a4902fae2d0d499487981f616f81567 SHA1: d67181bbd819ccceb929b580a4e2fcb0c8b17cd8 SHA256:3ea61b2a06e31edf1c91134fe9106b0ebb16628be169f3db75bc7a2b06b45796 Referenced In Project/Scope: server-start:runtimeClasspath json-20250517.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified
jsoup is a Java library that simplifies working with real-world HTML and XML. It offers an easy-to-use API for URL fetching, data parsing, extraction, and manipulation using DOM API methods, CSS, and xpath selectors. jsoup implements the WHATWG HTML5 specification, and parses HTML to the same DOM as modern browsers.
jTDS is an open source 100% pure Java (type 4) JDBC 3.0 driver
for Microsoft SQL Server (6.5, 7, 2000, 2005, 2008, 2012) and Sybase ASE
(10, 11, 12, 15). jTDS is based on FreeTDS and is currently the fastest
production-ready JDBC driver for SQL Server and Sybase. jTDS is 100% JDBC
3.0 compatible, supporting forward-only and scrollable/updateable ResultSets
and implementing all the DatabaseMetaData and ResultSetMetaData methods.
License:
LGPL: http://www.gnu.org/copyleft/lesser.html
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/net.sourceforge.jtds/jtds/1.3.1/1527f2fc2f040898625370a1687d902aa0743bcc/jtds-1.3.1.jar MD5: a0fe47907babf3bdb555e0b6f9dedd24 SHA1: 1527f2fc2f040898625370a1687d902aa0743bcc SHA256:aac05ebf5504c91b29420129b02dd878a86c52f8fa6eccf9235e0bfd7a60bef1 Referenced In Project/Scope: server-start:runtimeClasspath jtds-1.3.1.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified
JUnit is a unit testing framework for Java, created by Erich Gamma and Kent Beck.
License:
Eclipse Public License 1.0: http://www.eclipse.org/legal/epl-v10.html
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/junit/junit/4.13.2/8ac9e16d933b6fb43bc7f576336b8f4d7eb5ba12/junit-4.13.2.jar MD5: d98a9a02a99a9acd22d7653cbcc1f31f SHA1: 8ac9e16d933b6fb43bc7f576336b8f4d7eb5ba12 SHA256:8e495b634469d64fb8acfa3495a065cbacc8a0fff55ce1e31007be4c16dc57d3 Referenced In Project/Scope: server-start:runtimeClasspath junit-4.13.2.jar is in the transitive dependency tree of the listed items.Included by:
This library provides UTF-7 and Modified UTF-7 Charsets for
Java.
Sun's default Java distribution lacks support for the UTF-7
character set. Though it is not used commonly, it is still
sometimes encountered in e-mails, or applications handling
e-mail.
The package is written as java.nio.charset extension, which
means it can be used without special installation or
configuration. Just drop the jar in your classpath, and you are
ready to go.
License:
MIT license: LICENSE.txt
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/com.beetstra.jutf7/jutf7/1.0.0/5308ab88a1049e8d75fe3d6c0a9e7b1305dd0520/jutf7-1.0.0.jar MD5: 1da83d93039fdaef13aa7a1b9e99cb6c SHA1: 5308ab88a1049e8d75fe3d6c0a9e7b1305dd0520 SHA256:f8b2ed901526e9dd9bcd15ce0f5d312de0efda7c63fbe918672d080236dc04bc Referenced In Project/Scope: server-start:runtimeClasspath jutf7-1.0.0.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.keycloak/keycloak-common/22.0.4/d32da9502b4be5c3fd32060684d38988e604875d/keycloak-common-22.0.4.jar MD5: 432b50944f0f1d3ef3acb02153356d5d SHA1: d32da9502b4be5c3fd32060684d38988e604875d SHA256:2172bfb3e9ca8e904e152f85565182d8a8b174f2502c1946073158868290b72d Referenced In Project/Scope: server-start:runtimeClasspath keycloak-common-22.0.4.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.keycloak/keycloak-core/22.0.4/1d3ed2799b4d5424d91666370c7c714f078111b7/keycloak-core-22.0.4.jar MD5: 2714092aa9440a2832b099a1e2524da2 SHA1: 1d3ed2799b4d5424d91666370c7c714f078111b7 SHA256:4509d750eab7ba70f7b0304d1a712056ca0a5f8b2acc5d7f8698e4e33d4d0af5 Referenced In Project/Scope: server-start:runtimeClasspath keycloak-core-22.0.4.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified
In JetBrains Kotlin before 1.4.21, a vulnerable Java API was used for temporary file and folder creation. An attacker was able to read data from such files and list directories due to insecure permissions.
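An added example (not from this report and not Kotlin project code) of the failure mode described above and its fix, written against Python's standard library because the remedy is the same one that applies to the Kotlin/Java case: ask the operating system for an exclusively created file or directory with owner-only permissions, rather than creating a predictable name under whatever umask the process inherited. The file names, contents and the app- prefix are constructed for the example.

```python
import os
import stat
import tempfile


def insecure_tempfile(directory=None):
    """The weak pattern: a predictable name created with a plain open(),
    so the mode is 0666 masked only by the process umask (0644 under the
    common 022), and any local user can read the contents."""
    directory = directory or tempfile.gettempdir()
    path = os.path.join(directory, f"app-{os.getpid()}.tmp")   # constructed name
    with open(path, "w") as fh:          # no O_EXCL, no explicit mode
        fh.write("session token\n")      # constructed secret
    return path


def secure_tempfile(directory=None):
    """mkstemp opens with O_CREAT|O_EXCL and mode 0600 regardless of umask,
    so the name cannot be pre-planted and other users cannot read it."""
    fd, path = tempfile.mkstemp(prefix="app-", suffix=".tmp", dir=directory)
    with os.fdopen(fd, "w") as fh:
        fh.write("session token\n")
    return path


def secure_tempdir(directory=None):
    """mkdtemp creates the directory with mode 0700: no listing by others."""
    return tempfile.mkdtemp(prefix="app-", dir=directory)


def readable_by_others(path):
    """True if group or world can read the file (or list the directory)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def demo():
    """Create both variants under umask 022 and report who can read them.
    Returns {"insecure": bool, "secure": bool, "secure_dir": bool}."""
    old = os.umask(0o022)
    try:
        weak = insecure_tempfile()
        strong = secure_tempfile()
        strong_dir = secure_tempdir()
    finally:
        os.umask(old)
    result = {
        "insecure": readable_by_others(weak),
        "secure": readable_by_others(strong),
        "secure_dir": readable_by_others(strong_dir),
    }
    os.remove(weak)
    os.remove(strong)
    os.rmdir(strong_dir)
    return result


if __name__ == "__main__":
    for name, exposed in demo().items():
        print(f"{name}: {'readable by other users' if exposed else 'owner only'}")
```

The Java counterpart of the second pattern is java.nio.file.Files.createTempFile and createTempDirectory, which the JDK documents as creating with permissions restricted to the owner on POSIX file systems; the older java.io.File.createTempFile gives no such guarantee.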
The Log4j1XmlLayout from the Apache Log4j 1-to-Log4j 2 bridge fails to escape characters forbidden by the XML 1.0 standard, producing malformed XML output. Conforming XML parsers are required to reject documents containing such characters with a fatal error, which may cause downstream log processing systems to drop or fail to index affected records.
Two groups of users are affected:
* Those using Log4j1XmlLayout directly in a Log4j Core 2 configuration file.
* Those using the Log4j 1 configuration compatibility layer with org.apache.log4j.xml.XMLLayout specified as the layout class.
Users are advised to upgrade to Apache Log4j 1-to-Log4j 2 bridge version 2.25.4, which corrects this issue.
Note: The Apache Log4j 1-to-Log4j 2 bridge is deprecated and will not be present in Log4j 3. Users are encouraged to consult the Log4j 1 to Log4j 2 migration guide https://logging.apache.org/log4j/2.x/migrate-from-log4j1.html , and specifically the section on eliminating reliance on the bridge.
The fix for CVE-2025-68161 https://logging.apache.org/security.html#CVE-2025-68161 was incomplete: it addressed hostname verification only when enabled via the log4j2.sslVerifyHostName https://logging.apache.org/log4j/2.x/manual/systemproperties.html#log4j2.sslVerifyHostName system property, but not when configured through the verifyHostName https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName attribute of the <Ssl> element.
Although the verifyHostName configuration attribute was introduced in Log4j Core 2.12.0, it was silently ignored in all versions through 2.25.3, leaving TLS connections vulnerable to interception regardless of the configured value.
A network-based attacker may be able to perform a man-in-the-middle attack when all of the following conditions are met:
* An SMTP, Socket, or Syslog appender is in use.
* TLS is configured via a nested <Ssl> element.
* The attacker can present a certificate issued by a CA trusted by the appender's configured trust store, or by the default Java trust store if none is configured.
This issue does not affect users of the HTTP appender, which uses a separate verifyHostname https://logging.apache.org/log4j/2.x/manual/appenders/network.html#HttpAppender-attr-verifyHostName attribute that was not subject to this bug and verifies host names by default.
Users are advised to upgrade to Apache Log4j Core 2.25.4, which corrects this issue.
CWE-295 Improper Certificate Validation, CWE-297 Improper Validation of Certificate with Host Mismatch
The Log4j1XmlLayout from the Apache Log4j 1-to-Log4j 2 bridge fails to escape characters forbidden by the XML 1.0 standard, producing malformed XML output. Conforming XML parsers are required to reject documents containing such characters with a fatal error, which may cause downstream log processing systems to drop or fail to index affected records.
Two groups of users are affected:
* Those using Log4j1XmlLayout directly in a Log4j Core 2 configuration file.
* Those using the Log4j 1 configuration compatibility layer with org.apache.log4j.xml.XMLLayout specified as the layout class.
Users are advised to upgrade to Apache Log4j 1-to-Log4j 2 bridge version 2.25.4, which corrects this issue.
Note: The Apache Log4j 1-to-Log4j 2 bridge is deprecated and will not be present in Log4j 3. Users are encouraged to consult the Log4j 1 to Log4j 2 migration guide https://logging.apache.org/log4j/2.x/migrate-from-log4j1.html , and specifically the section on eliminating reliance on the bridge.
Apache Log4j Core's XmlLayout https://logging.apache.org/log4j/2.x/manual/layouts.html#XmlLayout , in versions up to and including 2.25.3, fails to sanitize characters forbidden by the XML 1.0 specification https://www.w3.org/TR/xml/#charsets , producing invalid XML output whenever a log message or MDC value contains such characters.
The impact depends on the StAX implementation in use:
* JRE built-in StAX: Forbidden characters are silently written to the output, producing malformed XML. Conforming parsers must reject such documents with a fatal error, which may cause downstream log-processing systems to drop the affected records.
* Alternative StAX implementations (e.g., Woodstox https://github.com/FasterXML/woodstox , a transitive dependency of the Jackson XML Dataformat module): An exception is thrown during the logging call, and the log event is never delivered to its intended appender, only to Log4j's internal status logger.
Users are advised to upgrade to Apache Log4j Core 2.25.4, which corrects this issue by sanitizing forbidden characters before XML output.
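The following added example (this editor's code, not Log4j's) shows the mechanism behind the Log4j1XmlLayout and XmlLayout advisories above: a markup escaper handles & < > but lets C0 control characters through, a conforming parser then rejects the whole event, and a sanitizer applied before serialization restores well-formed output. The log messages are constructed; replacing forbidden characters with U+FFFD is this example's choice and is not a claim about what Log4j 2.25.4 emits.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Characters permitted by the XML 1.0 Char production:
#   #x9 | #xA | #xD | [#x20-#xD7FF] | [#xE000-#xFFFD] | [#x10000-#x10FFFF]
# Everything else (NUL, ESC and the other C0 controls, surrogates,
# U+FFFE/U+FFFF) is forbidden and makes the document ill-formed.
_FORBIDDEN = re.compile(
    "[^\x09\x0a\x0d\x20-\ud7ff\ue000-\ufffd\U00010000-\U0010ffff]"
)


def sanitize_xml10(text, replacement="\ufffd"):
    """Replace every character forbidden by XML 1.0 with `replacement`
    (U+FFFD here; the replacement strategy is this example's choice)."""
    return _FORBIDDEN.sub(replacement, text)


def render_event(message, sanitize):
    """Render a minimal XML log event. escape() handles markup characters
    (& < >) only, which is exactly the gap the advisories describe: control
    characters pass through untouched unless sanitized first."""
    if sanitize:
        message = sanitize_xml10(message)
    return f'<Event level="INFO"><Message>{escape(message)}</Message></Event>'


def parses(xml_text):
    """True if a conforming parser (expat via ElementTree) accepts the document."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False


# Constructed log messages: an ANSI colour sequence from a terminal-oriented
# logger, a NUL copied out of a binary request, and a harmless one with markup.
SAMPLE_MESSAGES = [
    "user login ok \x1b[32mOK\x1b[0m",
    "bad header: host=\x00evil",
    "plain message with <markup> & ampersand",
]


def triage(messages):
    """For each message: (accepted when rendered raw, accepted after sanitizing)."""
    return [
        (parses(render_event(m, sanitize=False)), parses(render_event(m, sanitize=True)))
        for m in messages
    ]


if __name__ == "__main__":
    for msg, (raw_ok, clean_ok) in zip(SAMPLE_MESSAGES, triage(SAMPLE_MESSAGES)):
        print(f"{msg!r}: raw={'accepted' if raw_ok else 'REJECTED'}, "
              f"sanitized={'accepted' if clean_ok else 'REJECTED'}")
```

The first two messages are rejected outright when rendered raw, which is the "downstream log processing systems drop or fail to index affected records" outcome: the record that carried the attacker-controlled bytes is precisely the one that never reaches the index.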
The Socket Appender in Apache Log4j Core versions 2.0-beta9 through 2.25.2 does not perform TLS hostname verification of the peer certificate, even when the verifyHostName https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName configuration attribute or the log4j2.sslVerifyHostName https://logging.apache.org/log4j/2.x/manual/systemproperties.html#log4j2.sslVerifyHostName system property is set to true.
This issue may allow a man-in-the-middle attacker to intercept or redirect log traffic under the following conditions:
* The attacker is able to intercept or redirect network traffic between the client and the log receiver.
* The attacker can present a server certificate issued by a certification authority trusted by the Socket Appender’s configured trust store (or by the default Java trust store if no custom trust store is configured).
Users are advised to upgrade to Apache Log4j Core version 2.25.3, which addresses this issue.
As an alternative mitigation, the Socket Appender may be configured to use a private or restricted trust root to limit the set of trusted certificates.
CWE-295 Improper Certificate Validation, CWE-297 Improper Validation of Certificate with Host Mismatch
The fix for CVE-2025-68161 https://logging.apache.org/security.html#CVE-2025-68161 was incomplete: it addressed hostname verification only when enabled via the log4j2.sslVerifyHostName https://logging.apache.org/log4j/2.x/manual/systemproperties.html#log4j2.sslVerifyHostName system property, but not when configured through the verifyHostName https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName attribute of the <Ssl> element.
Although the verifyHostName configuration attribute was introduced in Log4j Core 2.12.0, it was silently ignored in all versions through 2.25.3, leaving TLS connections vulnerable to interception regardless of the configured value.
A network-based attacker may be able to perform a man-in-the-middle attack when all of the following conditions are met:
* An SMTP, Socket, or Syslog appender is in use.
* TLS is configured via a nested <Ssl> element.
* The attacker can present a certificate issued by a CA trusted by the appender's configured trust store, or by the default Java trust store if none is configured.
This issue does not affect users of the HTTP appender, which uses a separate verifyHostname https://logging.apache.org/log4j/2.x/manual/appenders/network.html#HttpAppender-attr-verifyHostName attribute that was not subject to this bug and verifies host names by default.
Users are advised to upgrade to Apache Log4j Core 2.25.4, which corrects this issue.
CWE-295 Improper Certificate Validation, CWE-297 Improper Validation of Certificate with Host Mismatch
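As an added example (not part of the report, and not a Log4j tool), a small audit that parses a Log4j 2 configuration, finds every appender carrying a nested <Ssl> element, and applies the version rules stated in the two advisories above (CVE-2025-68161 and its incomplete fix) to decide whether host-name verification is actually in effect. The sample configuration, host names, port and trust-store path are constructed; where the advisories do not decide a case the function returns None rather than guessing the documented default.

```python
import xml.etree.ElementTree as ET

# Constructed sample log4j2.xml (hypothetical hosts, port and trust-store
# path). The Socket appender sets verifyHostName on its nested <Ssl>; the
# Syslog appender's <Ssl> leaves it unset; the Console appender has no TLS.
SAMPLE_CONFIG = """<Configuration status="WARN">
  <Appenders>
    <Socket name="tls-socket" host="logs.example.internal" port="6514" protocol="TCP">
      <Ssl protocol="TLS" verifyHostName="true">
        <TrustStore location="/etc/app/log-receivers.p12" password="changeit"/>
      </Ssl>
      <JsonTemplateLayout/>
    </Socket>
    <Syslog name="syslog-tls" host="syslog.example.internal" port="6514" protocol="TCP">
      <Ssl protocol="TLS"/>
    </Syslog>
    <Console name="stdout">
      <PatternLayout pattern="%m%n"/>
    </Console>
  </Appenders>
  <Loggers>
    <Root level="info"><AppenderRef ref="tls-socket"/></Root>
  </Loggers>
</Configuration>
"""

# Appender types the second advisory names as affected via a nested <Ssl>.
TLS_APPENDERS = ("Socket", "Syslog", "SMTP")


def parse_version(version):
    """'2.25.3' -> (2, 25, 3); a pre-release suffix such as '-beta9' is dropped."""
    return tuple(int(part.split("-")[0]) for part in version.split(".")[:3])


def ssl_appenders(config_xml):
    """List (tag, name, verifyHostName attribute or None) for each appender
    that carries a nested <Ssl> element."""
    root = ET.fromstring(config_xml)
    appenders = root.find("Appenders")
    found = []
    for app in ([] if appenders is None else list(appenders)):
        ssl = app.find("Ssl")
        if ssl is not None:
            found.append((app.tag, app.get("name"), ssl.get("verifyHostName")))
    return found


def hostname_verified(core_version, appender_tag, attr, sysprop):
    """Does this appender verify the peer host name, per the two advisories?

    attr    -> verifyHostName attribute of <Ssl> (str or None)
    sysprop -> log4j2.sslVerifyHostName system property (str or None)
    Returns True, False, or None when the advisories do not decide the case
    (nothing set explicitly, so the documented default applies instead).
    """
    ver = parse_version(core_version)
    attr_on = attr is not None and attr.lower() == "true"
    prop_on = sysprop is not None and sysprop.lower() == "true"
    if ver >= (2, 25, 4):
        # 2.25.4 honours both switches.
        return True if (attr_on or prop_on) else None
    if ver == (2, 25, 3):
        # The CVE-2025-68161 fix honours only the system property; the
        # <Ssl> attribute is still silently ignored, whatever its value.
        if prop_on:
            return True
        return False if attr is not None else None
    # 2.25.2 and earlier.
    if appender_tag == "Socket":
        return False      # CVE-2025-68161: ignores both the attribute and the property
    if attr is not None and not prop_on:
        return False      # the attribute is ignored in every version through 2.25.3
    return None           # property handling for Syslog/SMTP on these versions: not covered by the advisories


def audit(config_xml, core_version, sysprop=None):
    """{appender name: (tag, attribute value, verified?)} for TLS-capable appenders."""
    return {
        name: (tag, attr, hostname_verified(core_version, tag, attr, sysprop))
        for tag, name, attr in ssl_appenders(config_xml)
        if tag in TLS_APPENDERS
    }


if __name__ == "__main__":
    for version in ("2.25.2", "2.25.3", "2.25.4"):
        print(version, audit(SAMPLE_CONFIG, version))
```

Anything reported False is a man-in-the-middle exposure to any certificate from a CA the appender trusts; the durable fix is log4j-core 2.25.4. Until that upgrade lands, the alternative mitigation from the CVE-2025-68161 text applies: point the <TrustStore> at a private trust root that contains only the log receiver's issuing CA, so that "a certificate issued by a trusted CA" means a CA under your own control.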
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/io.transconnect.connector/mcp-connector/0.0.1-main-SNAPSHOT/a0fbaf94268ce25f9e4ac7a3f63a71ad60cb58e1/mcp-connector-0.0.1-main-SNAPSHOT-classes.jar MD5: 29986d1d7e78f8fc17798b441767f375 SHA1: a0fbaf94268ce25f9e4ac7a3f63a71ad60cb58e1 SHA256:44e364da31560489deb925da79e8debc6a5e0d623a6357be4b648af6126609d3 Referenced In Project/Scope: server-start:compileClasspath mcp-connector-0.0.1-main-SNAPSHOT-classes.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend/server-start@unspecified
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/io.transconnect.connector/mcp-connector/0.0.1-main-SNAPSHOT/98f97fac1c708d6e1457b329a2aede959a140f6c/mcp-connector-0.0.1-main-SNAPSHOT.war MD5: 09199b3d9ebe570592d8ac253eca9986 SHA1: 98f97fac1c708d6e1457b329a2aede959a140f6c SHA256:584dede15188e2073bcb6b7852574d7a2e8fadb3f88d284bb5995efd9d88d832 Referenced In Project/Scope: server-start:webapps mcp-connector-0.0.1-main-SNAPSHOT.war is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend/server-start@unspecified
Contains
com.google.common.util.concurrent.internal.InternalFutureFailureAccess and
InternalFutures. Most users will never need to use this artifact. Its
classes are conceptually a part of Guava, but they're in this separate
artifact so that Android libraries can use them without pulling in all of
Guava (just as they can use ListenableFuture by depending on the
listenablefuture artifact).
An empty artifact that Guava depends on to signal that it is providing
ListenableFuture -- but is also available in a second "version" that
contains com.google.common.util.concurrent.ListenableFuture class, without
any other Guava classes. The idea is:
- If users want only ListenableFuture, they depend on listenablefuture-1.0.
- If users want all of Guava, they depend on guava, which, as of Guava
27.0, depends on
listenablefuture-9999.0-empty-to-avoid-conflict-with-guava. The 9999.0-...
version number is enough for some build systems (notably, Gradle) to select
that empty artifact over the "real" listenablefuture-1.0 -- avoiding a
conflict with the copy of ListenableFuture in guava itself. If users are
using an older version of Guava or a build system other than Gradle, they
may see class conflicts. If so, they can solve them by manually excluding
the listenablefuture artifact or manually forcing their build systems to
use 9999.0-....
Metrics is a Java library which gives you unparalleled insight into what your code does in
production. Metrics provides a powerful toolkit of ways to measure the behavior of critical
components in your production environment.
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/io.dropwizard.metrics/metrics-core/4.2.26/9cd762999669e726f694a3ac8f9d8a1400cdb332/metrics-core-4.2.26.jar MD5: 5828504e260983cb9b266e3f117665fa SHA1: 9cd762999669e726f694a3ac8f9d8a1400cdb332 SHA256:9691fe898dd4fa5a4667b694e2e9f9ca6837c1e906f57627423121cf2552616e Referenced In Project/Scope: server-start:webapps metrics-core-4.2.26.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend.webservices/soapapi@unspecified
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/io.dropwizard.metrics/metrics-json/4.2.26/1eac3853bb964647b38d7e1d7b66e515443437d6/metrics-json-4.2.26.jar MD5: b8bec5525792f024f6fc2530033f5703 SHA1: 1eac3853bb964647b38d7e1d7b66e515443437d6 SHA256:d4d7a60e081d26bf11643f49a345d2171754d2b2e77e58ce387f8d1932e57810 Referenced In Project/Scope: server-start:webapps metrics-json-4.2.26.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend.webservices/soapapi@unspecified
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/com.brsanthu/migbase64/2.2/bcc14967d516e93c527897a6c531ba76b5751faa/migbase64-2.2.jar MD5: da3ef3a9a9fa358ed789b37a3c780727 SHA1: bcc14967d516e93c527897a6c531ba76b5751faa SHA256:07224584b6227efbb815e96e3153945786e2a6b1a934620b6130331c2351c129 Referenced In Project/Scope: server-start:webapps migbase64-2.2.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend.webservices/restapi@unspecified
Provides a streaming API to access attachments parts in a MIME message.
License:
Eclipse Distribution License - v 1.0: http://www.eclipse.org/org/documents/edl-v10.php
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.jvnet.mimepull/mimepull/1.9.15/60f9a7991ad9ec1a280db8deea216a91c10aae74/mimepull-1.9.15.jar MD5: fdc35a1eae84c5a60c95d617551d4a06 SHA1: 60f9a7991ad9ec1a280db8deea216a91c10aae74 SHA256:b9f586bf8844b14a33e75fe7a4b94896dc80d80b732d128777e287af14c836fa Referenced In Project/Scope: server-start:webapps mimepull-1.9.15.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend.webservices/restapi@unspecified
Shared components for the Synchronous and Reactive Streams implementations of the MongoDB Java Driver.
License:
The Apache License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.mongodb/mongodb-driver-core/5.6.4/47c5265d901367c8a6ff52fecf9008402c42e6fe/mongodb-driver-core-5.6.4.jar MD5: a65701beb53986d76326cc77fe210501 SHA1: 47c5265d901367c8a6ff52fecf9008402c42e6fe SHA256:7fc8f0b2bd7a2d090c67505ae171aa02edd7c316052a97bd5baca512a090de71 Referenced In Project/Scope: server-start:runtimeClasspath mongodb-driver-core-5.6.4.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified
The Apache License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.mongodb/mongodb-driver-sync/5.6.4/5d120bb2629edc77984875f6bfa3a4fe0489782e/mongodb-driver-sync-5.6.4.jar MD5: 24f87203b8df09303de66457816e8d05 SHA1: 5d120bb2629edc77984875f6bfa3a4fe0489782e SHA256:cffbfb0efe9813a42bcf88e24aa0ce3c184ce36a318fbd847dc9691e79cd911a Referenced In Project/Scope: server-start:runtimeClasspath mongodb-driver-sync-5.6.4.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified
Apache Neethi provides a general framework for programmers to use WS-Policy. It is compliant with the latest WS-Policy specification, published in March 2006. This framework is specifically written to enable the Apache Web services stack to use WS-Policy as a way of expressing its requirements and capabilities.
License:
Apache License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0.txt
Apache Neethi is vulnerable to a Denial of Service attack through algorithmic complexity in policy normalization. Specially crafted WS-Policy documents can trigger an exponential Cartesian cross-product expansion during the normalization process, causing unbounded memory allocation that exhausts the JVM heap. This occurs when the normalization process generates an excessive number of policy alternatives without bounds, leading to runtime memory exhaustion.
Users should upgrade to 3.2.2, which limits the maximum number of normalized policy alternatives.
Apache Neethi does not properly detect circular references in policy definitions. When a WS-Policy document contains circular policy references (where Policy A references Policy B which references Policy A), the policy normalization process can enter an infinite loop or cause excessive recursion, leading to a stack overflow or application hang. An attacker can craft malicious policy documents with circular references to cause a Denial of Service condition.
Users are recommended to upgrade to version 3.2.2, which fixes this issue.
Apache Neethi does not impose any restrictions on URIs when manually fetching remote policy references through the PolicyReference API. When an application explicitly calls the API to retrieve a policy from a remote URI, an outbound request is made for arbitrary protocols and internal IP addresses. From 3.2.2, only http or https URIs are allowed, and link-local/multicast/any-local addresses are forbidden.
Users are recommended to upgrade to version 3.2.2, which fixes this issue.
Apache Neethi provides a general framework for programmers to use WS-Policy. It is compliant with the latest WS-Policy specification, published in March 2006. This framework is specifically written to enable the Apache Web services stack to use WS-Policy as a way of expressing its requirements and capabilities.
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.apache.neethi/neethi/3.2.1/2d239fd19646201c6dfcc01f3d805b9158d92c94/neethi-3.2.1.jar MD5: 6d100128ec1e1417687c4fc65cf925f1 SHA1: 2d239fd19646201c6dfcc01f3d805b9158d92c94 SHA256:9aafe21e37e11bebd3bd5b55aa5e97da79eabdd2af19faf0992cf7887d8db5f0 Referenced In Project/Scope: server-start:webapps neethi-3.2.1.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend.webservices/soapapi@unspecified
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/software.amazon.awssdk/netty-nio-client/2.26.30/1d0671c21b5cf696213658baaf3cc4cc57393401/netty-nio-client-2.26.30.jar MD5: 6c9f3804b515cab33890926665460826 SHA1: 1d0671c21b5cf696213658baaf3cc4cc57393401 SHA256:c4e800bd4e506fc4f4a5981708483c4307c9853849e8378a18a09e1e952c4a32 Referenced In Project/Scope: server-start:runtimeClasspath netty-nio-client-2.26.30.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/io.netty/netty-transport-classes-epoll/4.1.126.Final/c518513a1c7bdaf67462a1062b873a04fbf2b157/netty-transport-classes-epoll-4.1.126.Final.jar MD5: 123d48e51696efa02bfdbd0c83c04ac9 SHA1: c518513a1c7bdaf67462a1062b873a04fbf2b157 SHA256:d7e0684969dad68e224e4fbf3e8e0de6b5191b25d820f8d6ae05201c70b33654 Referenced In Project/Scope: server-start:runtimeClasspath netty-transport-classes-epoll-4.1.126.Final.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/io.netty/netty-transport-native-epoll/4.1.126.Final/53309e2477909db42957fac5b103b86fc709789c/netty-transport-native-epoll-4.1.126.Final-linux-x86_64.jar MD5: 90f058169bb47367be1268ec8d093acd SHA1: 53309e2477909db42957fac5b103b86fc709789c SHA256:4ea5268f375d01f494dad06ba45f47953d5c4648a16f1b89c8a04358064d3690 Referenced In Project/Scope: server-start:runtimeClasspath netty-transport-native-epoll-4.1.126.Final-linux-x86_64.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.opensaml/opensaml-core-api/5.1.3/a9f6ed7d41f2917da7ab3c885962b9623a2577e1/opensaml-core-api-5.1.3.jar MD5: 0f7a3f40de07544c2be6ef6e6ff65530 SHA1: a9f6ed7d41f2917da7ab3c885962b9623a2577e1 SHA256:e8c7884f1885d7b4143e6259f8ca98551ac12e5f684f8e136667ddb7b840f170 Referenced In Project/Scope: server-start:webapps opensaml-core-api-5.1.3.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend.webservices/soapapi@unspecified
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.opensaml/opensaml-core-impl/5.1.3/e76e3d970d49196ccec9edfbb65bff79f1c3e45a/opensaml-core-impl-5.1.3.jar MD5: 032f97b7e0196072d5179d0cd7c6b686 SHA1: e76e3d970d49196ccec9edfbb65bff79f1c3e45a SHA256:66f4145b8db04a351aa2640a0be7f0e677aa290fe2ce9006dfdeba9db3137dc2 Referenced In Project/Scope: server-start:webapps opensaml-core-impl-5.1.3.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend.webservices/soapapi@unspecified
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.opensaml/opensaml-messaging-api/5.1.3/5cf3b4e06294405c0f96b24ef0829e1b5390ca08/opensaml-messaging-api-5.1.3.jar MD5: a419196bb5f712b1e7868b9d697f764e SHA1: 5cf3b4e06294405c0f96b24ef0829e1b5390ca08 SHA256:299f17b256b1a9e121e99d6087f43bb9e5a51e3eca744a176caaad6cafbf646e Referenced In Project/Scope: server-start:webapps opensaml-messaging-api-5.1.3.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend.webservices/soapapi@unspecified
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.opensaml/opensaml-profile-api/5.1.3/609b50480026ce743c22d34968a7d463e1814bc9/opensaml-profile-api-5.1.3.jar MD5: 5e931a70684ec7853b0f0c0a11a6f676 SHA1: 609b50480026ce743c22d34968a7d463e1814bc9 SHA256:cf2e14a088d985296aa0d1d4cd28f2f7146883af6e525b6fb4758e7f93836f28 Referenced In Project/Scope: server-start:webapps opensaml-profile-api-5.1.3.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend.webservices/soapapi@unspecified
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.opensaml/opensaml-saml-api/5.1.3/2f78adf32794b73a6180098d5606a71976c81927/opensaml-saml-api-5.1.3.jar MD5: 401e2183db1f68336bee6980f21564d7 SHA1: 2f78adf32794b73a6180098d5606a71976c81927 SHA256:06f41f275c70ac3f18ceb27835a679fa6dd75794b721edd581a999601366d39c Referenced In Project/Scope: server-start:webapps opensaml-saml-api-5.1.3.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend.webservices/soapapi@unspecified
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.opensaml/opensaml-saml-impl/5.1.3/c15a7246ba516cd1850b97df949900e79251cdc3/opensaml-saml-impl-5.1.3.jar MD5: c9d4a20fadf612f85c8ef431b9f83023 SHA1: c15a7246ba516cd1850b97df949900e79251cdc3 SHA256:fcb6fb1624d9dd6bb8215115908b598ece23f96359002ffb29d3318d4b260cfa Referenced In Project/Scope: server-start:webapps opensaml-saml-impl-5.1.3.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend.webservices/soapapi@unspecified
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.opensaml/opensaml-security-api/5.1.3/939888451a4853a10c7bc65829ab4772abb34711/opensaml-security-api-5.1.3.jar MD5: a1908cd25275c258198a018e345f0726 SHA1: 939888451a4853a10c7bc65829ab4772abb34711 SHA256:5195a94d892dce73a0be12278d3e4a5fb292bb24f85757836f2d8e12be21f7a9 Referenced In Project/Scope: server-start:webapps opensaml-security-api-5.1.3.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend.webservices/soapapi@unspecified
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.opensaml/opensaml-security-impl/5.1.3/1d56490eb9777cbaf7a7001ff16320d85596f363/opensaml-security-impl-5.1.3.jar MD5: 63485e3c2fc1b0403bb3be6f2e138512 SHA1: 1d56490eb9777cbaf7a7001ff16320d85596f363 SHA256:387653fa5f7e26e9da78aa40c89fcf284c84ae7d5f06297208bbb37796a1c477 Referenced In Project/Scope: server-start:webapps opensaml-security-impl-5.1.3.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend.webservices/soapapi@unspecified
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.opensaml/opensaml-soap-api/5.1.3/4c7dca7687746330c8ef7fd74c899cfd123fe458/opensaml-soap-api-5.1.3.jar MD5: 7d4da7d096dbbf1530a0405db785a86b SHA1: 4c7dca7687746330c8ef7fd74c899cfd123fe458 SHA256:eb7a5193cc3191bc90894aa60df7ceb938ea6fcc39365abc876f40d6a0aaddf7 Referenced In Project/Scope: server-start:webapps opensaml-soap-api-5.1.3.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend.webservices/soapapi@unspecified
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.opensaml/opensaml-soap-impl/5.1.3/d49ad07da6646ebd4f1a36678a04bec0a6a3eb08/opensaml-soap-impl-5.1.3.jar MD5: 7c826197d7763353334a62908c31b3de SHA1: d49ad07da6646ebd4f1a36678a04bec0a6a3eb08 SHA256:a97553577686f0863ff55bdb8c5d79731796cedf80bdafaa26721de06b26c6d7 Referenced In Project/Scope: server-start:webapps opensaml-soap-impl-5.1.3.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend.webservices/soapapi@unspecified
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.opensaml/opensaml-storage-api/5.1.3/e3de5ca194127d62bb6b8dbb1f502f24f4fd884f/opensaml-storage-api-5.1.3.jar MD5: 4a45a16512372250a513e02f0d7b4274 SHA1: e3de5ca194127d62bb6b8dbb1f502f24f4fd884f SHA256:02eb63ccd6ef4e6768249cee642f4d4c5e749af85a6bd3cb0fcd0dc2c2e709a0 Referenced In Project/Scope: server-start:webapps opensaml-storage-api-5.1.3.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend.webservices/soapapi@unspecified
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.opensaml/opensaml-xacml-api/5.1.3/207a4b80f16fa424e41fbb89525f5db8f537c440/opensaml-xacml-api-5.1.3.jar MD5: d7e1dfa687f952146a43e85683fab7a3 SHA1: 207a4b80f16fa424e41fbb89525f5db8f537c440 SHA256:dddb00d9670c0c4e660a989eed513225709a4ee99caca3f0a67cbadeb7bb5714 Referenced In Project/Scope: server-start:webapps opensaml-xacml-api-5.1.3.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend.webservices/soapapi@unspecified
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.opensaml/opensaml-xacml-impl/5.1.3/3f8cded3a3c24d12b150878c6fdcdb28322f506c/opensaml-xacml-impl-5.1.3.jar MD5: c17291910cf432f840ee060bc750913c SHA1: 3f8cded3a3c24d12b150878c6fdcdb28322f506c SHA256:95b6af88800ae43f2099248b289c735fe31a2a26c61d2f6d48db67c39f3fc946 Referenced In Project/Scope: server-start:webapps opensaml-xacml-impl-5.1.3.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend.webservices/soapapi@unspecified
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.opensaml/opensaml-xacml-saml-api/5.1.3/847b38b9e9d2193026f63756e98b2745ab39ab32/opensaml-xacml-saml-api-5.1.3.jar MD5: 5d69f30bfb720f424084174116a5a86a SHA1: 847b38b9e9d2193026f63756e98b2745ab39ab32 SHA256:a81c15db1ba582d0e8f81e430c8d6f25938447be137a254950e4fe8e5f7a0939 Referenced In Project/Scope: server-start:webapps opensaml-xacml-saml-api-5.1.3.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend.webservices/soapapi@unspecified
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.opensaml/opensaml-xacml-saml-impl/5.1.3/aa29845d6f767b9c90c6dd5216212623b7e2d058/opensaml-xacml-saml-impl-5.1.3.jar MD5: ce5c6cab683349c65d27f43c934035e4 SHA1: aa29845d6f767b9c90c6dd5216212623b7e2d058 SHA256:d3f887a00b3bab6878adc090ae29d9a17bd245601c05bbf898b4d0bdbf461276 Referenced In Project/Scope: server-start:webapps opensaml-xacml-saml-impl-5.1.3.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend.webservices/soapapi@unspecified
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.opensaml/opensaml-xmlsec-api/5.1.3/34b716d65bd1df1baa3f7446c316d34d88560f3c/opensaml-xmlsec-api-5.1.3.jar MD5: b49185507918bb1e2bd692b9dda6d0f8 SHA1: 34b716d65bd1df1baa3f7446c316d34d88560f3c SHA256:dd67d633f42a09a4439af08345b1ac822dff2bb0baa8a1eccd36fa9febab48a0 Referenced In Project/Scope: server-start:webapps opensaml-xmlsec-api-5.1.3.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend.webservices/soapapi@unspecified
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.opensaml/opensaml-xmlsec-impl/5.1.3/72687ef61ec398f0944c66073375b42829a2a81b/opensaml-xmlsec-impl-5.1.3.jar MD5: 62c7d1a210219be67a47f0c4a846dcd8 SHA1: 72687ef61ec398f0944c66073375b42829a2a81b SHA256:db9c0e506d75e1633eccfa10017540d7590bf02b4baa3b4e8521f2012cf1b149 Referenced In Project/Scope: server-start:webapps opensaml-xmlsec-impl-5.1.3.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend.webservices/soapapi@unspecified
In Eclipse Paho Go MQTT v3.1 library (paho.mqtt.golang) versions <=1.5.0 UTF-8 encoded strings, passed into the library, may be incorrectly encoded if their length exceeds 65535 bytes. This may lead to unexpected content in packets sent to the server (for example, part of an MQTT topic may leak into the message body in a PUBLISH packet).
The issue arises because the length of the data passed in was converted from an int64/int32 (depending upon CPU) to an int16 without checks for overflows. The int16 length was then written, followed by the data (e.g. topic). This meant that when the data (e.g. topic) was over 65535 bytes then the amount of data written exceeds what the length field indicates. This could lead to a corrupt packet, or mean that the excess data leaks into another field (e.g. topic leaks into message body).
CWE-197 Numeric Truncation Error, CWE-681 Incorrect Conversion between Numeric Types
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.jacoco/org.jacoco.ant/0.8.12/67765683a5880f9604e4a7329f5c4ff888ade13b/org.jacoco.ant-0.8.12.jar MD5: 230ad8f7c5a4cba55cbd75acf13a77eb SHA1: 67765683a5880f9604e4a7329f5c4ff888ade13b SHA256:43f81e03dd6f5190aecb88a6236b694adade484b0402447c320fc6e94d685f41 Referenced In Project/Scope: server-start:jacocoAnt org.jacoco.ant-0.8.12.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend/server-start@unspecified
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.jacoco/org.jacoco.core/0.8.12/c2a45bd054bbacfe9998cbbf1a49010c62e48cbc/org.jacoco.core-0.8.12.jar MD5: b48b0f4d9cf937450de8d2f6b920dcce SHA1: c2a45bd054bbacfe9998cbbf1a49010c62e48cbc SHA256:fca26db37c0c5fbd5dc4985237eb82866df9799d5082af899475a73f91f5b035 Referenced In Project/Scope: server-start:jacocoAnt org.jacoco.core-0.8.12.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.jacoco/org.jacoco.ant@0.8.12
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.jacoco/org.jacoco.report/0.8.12/d3df59a453cbc44c939f74868fb6c82127290c0c/org.jacoco.report-0.8.12.jar MD5: 2dcdcd05335135386a65225161468581 SHA1: d3df59a453cbc44c939f74868fb6c82127290c0c SHA256:f9c79ad66a66a0337c57849ad1287a2ab23b9b232d35314443e5ec49e6e3d20f Referenced In Project/Scope: server-start:jacocoAnt org.jacoco.report-0.8.12.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.jacoco/org.jacoco.ant@0.8.12
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.glassfish.hk2/osgi-resource-locator/1.0.3/de3b21279df7e755e38275137539be5e2c80dd58/osgi-resource-locator-1.0.3.jar MD5: e7e82b82118c5387ae45f7bf3892909b SHA1: de3b21279df7e755e38275137539be5e2c80dd58 SHA256:aab5d7849f7cfcda2cc7c541ba1bd365151d42276f151c825387245dfde3dd74 Referenced In Project/Scope: server-start:webapps osgi-resource-locator-1.0.3.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend.webservices/restapi@unspecified
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.pcap4j/pcap4j-core/1.8.2/41ea7a197f1ddd2dc4a267276f900187e6642c61/pcap4j-core-1.8.2.jar MD5: d4a4114ecf9a5e818eec76bcb66cc322 SHA1: 41ea7a197f1ddd2dc4a267276f900187e6642c61 SHA256:3153208d0212ed818705802fe44e851aec5063a4527075a66043f71c7363160a Referenced In Project/Scope: server-start:runtimeClasspath pcap4j-core-1.8.2.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.pcap4j/pcap4j-packetfactory-static/1.8.2/7e1ebc403dcfbb6e6f9d11e6f156285178f4cff5/pcap4j-packetfactory-static-1.8.2.jar MD5: 5712ddc3fb992dfdbdcbef274657068f SHA1: 7e1ebc403dcfbb6e6f9d11e6f156285178f4cff5 SHA256:5946006b70d5811cbef1e5808f8d51b4f22a725fecb48274b87a668d3c9b1237 Referenced In Project/Scope: server-start:runtimeClasspath pcap4j-packetfactory-static-1.8.2.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified
This issue affects the ExtractEmbeddedFiles example in Apache PDFBox: from 2.0.24 through 2.0.35, from 3.0.0 through 3.0.6.
The ExtractEmbeddedFiles example contains a path traversal vulnerability (CWE-22) because the filename that is obtained from PDComplexFileSpecification.getFilename() is appended to the extraction path.
Users who have copied this example into their production code should review it to ensure that the extraction path is acceptable. The example has been changed accordingly: now the initial path and the extraction paths are converted into canonical paths and it is verified that the extraction path contains the initial path. The documentation has also been adjusted.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache PDFBox Examples.
This issue affects the ExtractEmbeddedFiles example in Apache PDFBox: from 2.0.24 through 2.0.36, from 3.0.0 through 3.0.7.
Users are recommended to update to version 2.0.37 or 3.0.8 once available. Until then, they should apply the fix provided in GitHub PR 427.
The ExtractEmbeddedFiles example contained a path traversal vulnerability (CWE-22) mentioned in CVE-2026-23907. However, the change in the releases 2.0.36 and 3.0.7 is flawed because it doesn't consider the file path separator. Because of that, a user having write rights on /home/ABC could be the victim of a malicious PDF resulting in a write attempt to any path starting with /home/ABC, e.g. "/home/ABCDEF".
Users who have copied this example into their production code should apply the mentioned change. The example has been changed accordingly and is available in the project repository.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.apache.plc4x/plc4j-driver-modbus/0.13.1/a809151aac4206c9f0e3f0bc3841686188247031/plc4j-driver-modbus-0.13.1.jar MD5: 3160329cb3531551b2111f87c5439d3f SHA1: a809151aac4206c9f0e3f0bc3841686188247031 SHA256:c2396650c12339b43c22a51b69ac546542bc037945dc6d8a4a0eea9d90085c10 Referenced In Project/Scope: server-start:runtimeClasspath plc4j-driver-modbus-0.13.1.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.apache.plc4x/plc4j-driver-opcua/0.13.1/c7a03d748fc9271bae53408622af2a21c18a2681/plc4j-driver-opcua-0.13.1.jar MD5: 9879f511872a6271a932ffb30bef57ba SHA1: c7a03d748fc9271bae53408622af2a21c18a2681 SHA256:7c1c1acfcac2f5a57b64e69b187eaf4ac3eb434116311563600cd21169986216 Referenced In Project/Scope: server-start:runtimeClasspath plc4j-driver-opcua-0.13.1.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.apache.plc4x/plc4j-driver-s7/0.13.1/81081ab54696f78ca67138da412c381fdee816c4/plc4j-driver-s7-0.13.1.jar MD5: 3ee1ff1d84d7b52505cf4bd309eee2ef SHA1: 81081ab54696f78ca67138da412c381fdee816c4 SHA256:7be84d58e3f06666df63ed64e55821153bf663c3d4c5855d846a7617b0dcc89a Referenced In Project/Scope: server-start:runtimeClasspath plc4j-driver-s7-0.13.1.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.apache.plc4x/plc4j-spi/0.13.1/265dbf39b0585e668f6d216adac6bc749112ca97/plc4j-spi-0.13.1.jar MD5: 52b382681cbd61779b762cda31712f95 SHA1: 265dbf39b0585e668f6d216adac6bc749112ca97 SHA256:6117f5cb5ec35493717ac450237f881ef60d80c62e2b4d5746e4b95108fd9481 Referenced In Project/Scope: server-start:runtimeClasspath plc4j-spi-0.13.1.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.apache.plc4x/plc4j-transport-tcp/0.13.1/757c995b142279b6802d08b51ad5e4ba5b0f42be/plc4j-transport-tcp-0.13.1.jar MD5: 6ed9e9b2b86b019356e48ddfc28bc92c SHA1: 757c995b142279b6802d08b51ad5e4ba5b0f42be SHA256:bd34b79592d8f0c0d111a521917d976d2d861e1e6690d37a6971cc98df229d43 Referenced In Project/Scope: server-start:runtimeClasspath plc4j-transport-tcp-0.13.1.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.apache.plc4x/plc4j-utils-pcap-shared/0.13.1/40460a6a1f4e7e49976c2e38255f025121973fa7/plc4j-utils-pcap-shared-0.13.1.jar MD5: 4234e2cc4e352985a7a3a5c8a6e5a877 SHA1: 40460a6a1f4e7e49976c2e38255f025121973fa7 SHA256:7b2c7e95618f60c61030ea86d51879ed557a301f92d7661846693eb33b4ab3db Referenced In Project/Scope: server-start:runtimeClasspath plc4j-utils-pcap-shared-0.13.1.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.apache.plc4x/plc4j-utils-raw-sockets/0.13.1/9f09d3b4cff1223f4695fbf271e0bab5d5d1d994/plc4j-utils-raw-sockets-0.13.1.jar MD5: 57eb6d743db0ed70893ef7a68b7ee008 SHA1: 9f09d3b4cff1223f4695fbf271e0bab5d5d1d994 SHA256:0df7bd6b03ebcb5d019deb1a3610d46a386fc96e2807ec112bb4e9bdca9566ed Referenced In Project/Scope: server-start:runtimeClasspath plc4j-utils-raw-sockets-0.13.1.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified
A shortcoming in the HMEF package of poi-scratchpad (Apache POI) allows an attacker to cause an Out of Memory exception. This package is used to read TNEF files (Microsoft Outlook and Microsoft Exchange Server). If an application uses poi-scratchpad to parse TNEF files and the application allows untrusted users to supply them, then a carefully crafted file can cause an Out of Memory exception. This issue affects poi-scratchpad version 5.2.0 and prior versions. Users are recommended to upgrade to poi-scratchpad 5.2.1.
CWE-20 Improper Input Validation, CWE-770 Allocation of Resources Without Limits or Throttling
Improper Input Validation vulnerability in Apache POI. The issue affects the parsing of OOXML format files like xlsx, docx and pptx. These file formats are basically zip files, and it is possible for malicious users to add zip entries with duplicate names (including the path) to the zip. In this case, products reading the affected file could read different data because one of the zip entries with the duplicate name is selected over another, but different products may choose a different zip entry.
This issue affects Apache POI poi-ooxml before 5.4.0. poi-ooxml 5.4.0 has a check that throws an exception if zip entries with duplicate file names are found in the input file.
Users are recommended to upgrade to version poi-ooxml 5.4.0, which fixes the issue. Please read https://poi.apache.org/security.html for recommendations about how to use the POI libraries securely.
Apache POI - Java API To Access Microsoft Format Files
License:
Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.apache.poi/poi-scratchpad/4.1.2/1be379e91d3d3fb0cd11425451acdbfb0d2264e7/poi-scratchpad-4.1.2.jar MD5: 39953af9153a7559a37af717bd34bd8f SHA1: 1be379e91d3d3fb0cd11425451acdbfb0d2264e7 SHA256:4ad6a0579a0a216ff951a80f11c648792268189591fe86015b9d197d650424f3 Referenced In Project/Scope: server-start:runtimeClasspath poi-scratchpad-4.1.2.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.postgresql/postgresql/42.7.11/4c21cdd1b3938f400703716d37c4e8ca4d332808/postgresql-42.7.11.jar MD5: b969f87f07d6434bd77cdc5e440da49a SHA1: 4c21cdd1b3938f400703716d37c4e8ca4d332808 SHA256:1981b31d3993c58702783c1cddf10a34e48c1f413d70ff1cb6def0a143484647 Referenced In Project/Scope: server-start:runtimeClasspath postgresql-42.7.11.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified
Evidence
| Type | Source | Name | Value | Confidence |
| --- | --- | --- | --- | --- |
| Vendor | file | name | postgresql | High |
| Vendor | gradle | artifactid | postgresql | Highest |
| Vendor | gradle | groupid | org.postgresql | Highest |
| Vendor | jar | package name | jdbc | Highest |
| Vendor | jar | package name | org | Highest |
| Vendor | jar | package name | postgresql | Highest |
| Vendor | jar | package name | postgresql | Low |
| Vendor | Manifest | automatic-module-name | org.postgresql.jdbc | Medium |
| Vendor | Manifest | bundle-copyright | Copyright (c) 2003-2024, PostgreSQL Global Development Group | |
Spongy Castle is a package-rename (org.bouncycastle.* to org.spongycastle.*) of Bouncy Castle
intended for the Android platform. Android unfortunately ships with a stripped-down version of
Bouncy Castle, which prevents easy upgrades - Spongy Castle overcomes this and provides a full,
up-to-date version of the Bouncy Castle cryptographic libs.
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/com.madgag.spongycastle/prov/1.58.0.0/2e2c2f624ed91eb40e690e3596c98439b1b50f2a/prov-1.58.0.0.jar MD5: 52f241c3ee194e3465d07df7aa811952 SHA1: 2e2c2f624ed91eb40e690e3596c98439b1b50f2a SHA256:092fd09e7006b0814980513b013d4c2b3ffd24a49a635ab4b2d204bb51af1727 Referenced In Project/Scope: server-start:runtimeClasspath prov-1.58.0.0.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend.adapters/opcua-adapter@unspecified
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/com.sun.xml.bind.external/relaxng-datatype/2.3.6/387d313f5ca5187a14ad7012b46016401afa04ac/relaxng-datatype-2.3.6.jar MD5: 6759ca81b245658e14338cb62ea1cab7 SHA1: 387d313f5ca5187a14ad7012b46016401afa04ac SHA256:1eac743a1be788635698af150928160540ae880acaa57ba2043cea33057976a2 Referenced In Project/Scope: server-start:runtimeClasspath relaxng-datatype-2.3.6.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/io.transconnect/rest-server/1.1.0/66e6f4597e26d8744894cbbd1cefba41a0595e4d/rest-server-1.1.0.jar MD5: ef0a753db9f130726166b464e29620cd SHA1: 66e6f4597e26d8744894cbbd1cefba41a0595e4d SHA256:16eb587c8fbfe44986590d8540da8477730d508556ed46c53d54a223023061c6 Referenced In Project/Scope: server-start:webapps rest-server-1.1.0.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend.webservices/restapi@unspecified
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/com.squareup.retrofit2/retrofit/2.9.0/d8fdfbd5da952141a665a403348b74538efc05ff/retrofit-2.9.0.jar MD5: 890d951895e6d080185377c741526002 SHA1: d8fdfbd5da952141a665a403348b74538efc05ff SHA256:e6ea1929c46852f5bec66ab3357da383476cef4e8d1deefdbf195b79cc4d6581 Referenced In Project/Scope: server-start:runtimeClasspath retrofit-2.9.0.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/com.sun.xml.bind.external/rngom/2.3.6/c7deab451abfb2bf648344862d6f441f8c60edb2/rngom-2.3.6.jar MD5: 6fd73f97be0d61c78d9006ed9ee677cd SHA1: c7deab451abfb2bf648344862d6f441f8c60edb2 SHA256:4a1ea44a51f4f07cde6a46255ebb4aefdb3e5db1a5553fc3401fa7d130965baf Referenced In Project/Scope: server-start:runtimeClasspath rngom-2.3.6.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/com.sun.xml.messaging.saaj/saaj-impl/3.0.4/20e94bac120c14b7a0aa32c0821bab62515fd7dd/saaj-impl-3.0.4.jar MD5: 431f6e2296a8961892995aa5ff82f522 SHA1: 20e94bac120c14b7a0aa32c0821bab62515fd7dd SHA256:a5e4766febf01e384e1803bc30b658e82403d0fac6f0cfee4edfc1ad1e21a908 Referenced In Project/Scope: server-start:webapps saaj-impl-3.0.4.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend.webservices/soapapi@unspecified
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/io.transconnect.connector/sample-connector/1.0.0/8b455f512e2b04294fab25bf4d226a025cce6c43/sample-connector-1.0.0-classes.jar MD5: 9e65e5c3fca6ce5ffbf8420bc854b423 SHA1: 8b455f512e2b04294fab25bf4d226a025cce6c43 SHA256:0413bb266f556aad6969e581e614005ac1d239971327221825dff52a6db4a01c Referenced In Project/Scope: server-start:compileClasspath sample-connector-1.0.0-classes.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend/server-start@unspecified
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/io.transconnect.connector/sample-connector/1.0.0/81c18d39e081f6dcee21b342e420bd53380fb77c/sample-connector-1.0.0.war MD5: 8c39b46729e1d7515a90f6c14c8a4bf3 SHA1: 81c18d39e081f6dcee21b342e420bd53380fb77c SHA256:8de841f15cb31d72b3b988ae4471acf9d175efa6ae2cb99202ac972aabb1c2fb Referenced In Project/Scope: server-start:webapps sample-connector-1.0.0.war is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend/server-start@unspecified
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/com.prosys.ua/sdk-client/5.1.0-116/47382e5aac7f18a1603a167aac633148a97b51b/sdk-client-5.1.0-116.jar MD5: 7a7ca96e590da47a1bbd4a0f322b180c SHA1: 047382e5aac7f18a1603a167aac633148a97b51b SHA256:6999dce46f800e58fe2ee172b032c119175ffd1302634f9dbb0bad516f98b925 Referenced In Project/Scope: server-start:runtimeClasspath sdk-client-5.1.0-116.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend.adapters/opcua-adapter@unspecified
The AWS SDK for Java - SDK Core runtime module holds the classes that are used by the individual service clients to interact with Amazon Web Services. Users need to depend on the aws-java-sdk artifact for accessing individual client classes.
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/xalan/serializer/2.7.3/1aa6259987888f49fdbebb1aa1a88e0f54a44f6f/serializer-2.7.3.jar MD5: 21697a2d50f03bfd93ccf7636f8118d3 SHA1: 1aa6259987888f49fdbebb1aa1a88e0f54a44f6f SHA256:5f6804bacdfdb3ccc52d2538536fab8986696d61559b081054a420c653806667 Referenced In Project/Scope: server-start:runtimeClasspath serializer-2.7.3.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified
Evidence
| Type | Source | Name | Value | Confidence |
| --- | --- | --- | --- | --- |
| Vendor | file | name | serializer | High |
| Vendor | gradle | artifactid | serializer | Highest |
| Vendor | gradle | groupid | xalan | Highest |
| Vendor | jar | package name | apache | Highest |
| Vendor | jar | package name | apache | Low |
| Vendor | jar | package name | serializer | Low |
| Vendor | jar | package name | xml | Low |
| Vendor | manifest: org/apache/xml/serializer/ | Implementation-Vendor | Apache Software Foundation | Medium |
| Vendor | manifest: org/apache/xml/serializer/utils/ | Implementation-Vendor | Apache Software Foundation | Medium |
| Vendor | pom | artifactid | serializer | Low |
| Vendor | pom | groupid | xalan | Highest |
| Product | file | name | serializer | High |
| Product | gradle | artifactid | serializer | Highest |
| Product | jar | package name | apache | Highest |
| Product | jar | package name | serializer | Highest |
| Product | jar | package name | serializer | Low |
| Product | jar | package name | utils | Highest |
| Product | jar | package name | xml | Highest |
| Product | jar | package name | xml | Low |
| Product | manifest: org/apache/xml/serializer/ | Implementation-Title | org.apache.xml.serializer | Medium |
| Product | manifest: org/apache/xml/serializer/ | Specification-Title | XSL Transformations (XSLT), at http://www.w3.org/TR/xslt | |
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/io.transconnect.connector/sharepoint-online-connector/0.9.2/a5cf640826f4b744c7b08086137c5ec258d76858/sharepoint-online-connector-0.9.2-classes.jar MD5: 6c7e0d9f692c904a63007fa80bd6750d SHA1: a5cf640826f4b744c7b08086137c5ec258d76858 SHA256:6a3645049dd282c0dae26699e84f0a8d09499e47293a3d8d6504e8d62aeebee2 Referenced In Project/Scope: server-start:compileClasspath sharepoint-online-connector-0.9.2-classes.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend/server-start@unspecified
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/io.transconnect.connector/sharepoint-online-connector/0.9.2/ca9df8cf49efa3575d00ad787799256d99bf62d0/sharepoint-online-connector-0.9.2.war MD5: 8a73d3337d1445ee777b4d4446660fb6 SHA1: ca9df8cf49efa3575d00ad787799256d99bf62d0 SHA256:b2888cc100fa36b68dbe1b391c81633867e99746f6be12ccc03382f692c52828 Referenced In Project/Scope: server-start:webapps sharepoint-online-connector-0.9.2.war is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend/server-start@unspecified
The Java Key Vault Keys library in the Azure SDK for Java contains an issue in the local cryptographic verification path where authentication tag comparison was implemented incorrectly. In affected applications that use the vulnerable local cryptography path, specially crafted encrypted input may bypass integrity verification checks. Operations delegated to the Key Vault service are not affected. The issue is addressed in version 4.10.6.
CWE-347 Improper Verification of Cryptographic Signature, CWE-287 Improper Authentication
Contains com.google.common.util.concurrent.internal.InternalFutureFailureAccess and InternalFutures. Most users will never need to use this artifact. Its classes are conceptually a part of Guava, but they're in this separate artifact so that Android libraries can use them without pulling in all of Guava (just as they can use ListenableFuture by depending on the listenablefuture artifact).
In JetBrains Kotlin before 1.4.21, a vulnerable Java API was used for temporary file and folder creation. An attacker was able to read data from such files and list directories due to insecure permissions.
An empty artifact that Guava depends on to signal that it is providing
ListenableFuture -- but is also available in a second "version" that
contains com.google.common.util.concurrent.ListenableFuture class, without
any other Guava classes. The idea is:
- If users want only ListenableFuture, they depend on listenablefuture-1.0.
- If users want all of Guava, they depend on guava, which, as of Guava
27.0, depends on
listenablefuture-9999.0-empty-to-avoid-conflict-with-guava. The 9999.0-...
version number is enough for some build systems (notably, Gradle) to select
that empty artifact over the "real" listenablefuture-1.0 -- avoiding a
conflict with the copy of ListenableFuture in guava itself. If users are
using an older version of Guava or a build system other than Gradle, they
may see class conflicts. If so, they can solve them by manually excluding
the listenablefuture artifact or manually forcing their build systems to
use 9999.0-....
Kiota is an OpenAPI based HTTP Client code generator. Versions prior to 1.31.1 are affected by a code-generation literal injection vulnerability in multiple writer sinks (for example: serialization/deserialization keys, path/query parameter mappings, URL template metadata, enum/property metadata, and default value emission). When malicious values from an OpenAPI description are emitted into generated source without context-appropriate escaping, an attacker can break out of string literals and inject additional code into generated clients. This issue is only practically exploitable when the OpenAPI description used for generation is from an untrusted source, or a normally trusted OpenAPI description has been compromised/tampered with. Only generating from trusted, integrity-protected API descriptions significantly reduces the risk. To remediate the issue, upgrade Kiota to 1.31.1 or later and regenerate/refresh existing generated clients as a precaution. Refreshing generated clients ensures previously generated vulnerable code is replaced with hardened output.
CWE-94 Improper Control of Generation of Code ('Code Injection')
Microsoft Authentication Library for Java gives you the ability to obtain tokens from Azure AD v2 (work and school accounts, MSA) and Azure AD B2C, gaining access to Microsoft Cloud API and any other API secured by Microsoft identities.
Implementation of ITokenCacheAccessAspect interface defined in Java MSAL SDK (artifactId - msal4j)
for persistence of token cache in platform specific secret storage:
* Win - file encrypted with DPAPI
* Mac - key chain
* Linux - key ring
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/net.shibboleth/shib-networking/9.1.3/6663a55af0262b09d616c574d76f39261f19ff27/shib-networking-9.1.3.jar MD5: ba109d5eaf2cb2a2f8ccf5ce5caa5f49 SHA1: 6663a55af0262b09d616c574d76f39261f19ff27 SHA256:b4364f10e40d74fcfede51836b6d5a9ed63bf9dfa5afbc8a3d2dbfbae46dc2f5 Referenced In Project/Scope: server-start:webapps shib-networking-9.1.3.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend.webservices/soapapi@unspecified
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/net.shibboleth/shib-security/9.1.3/2a571af447ad89203c919f38c532b174b374a741/shib-security-9.1.3.jar MD5: 23e2360130c446a325771ddb01eb2990 SHA1: 2a571af447ad89203c919f38c532b174b374a741 SHA256:5ef94ecbe4f5773e0e16bcbe1c783026447a07f426e622e073b87a33af6db9e8 Referenced In Project/Scope: server-start:webapps shib-security-9.1.3.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend.webservices/soapapi@unspecified
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/net.shibboleth/shib-support/9.1.3/67e8c6997e3d9b2163142cdcf499bceed103e961/shib-support-9.1.3.jar MD5: c16fd1575f16c25830c015fd3af87d5b SHA1: 67e8c6997e3d9b2163142cdcf499bceed103e961 SHA256:618778067103d111fdadf74637e0b9bc43ee976dde254105b34670673087afc5 Referenced In Project/Scope: server-start:webapps shib-support-9.1.3.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend.webservices/soapapi@unspecified
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/net.shibboleth/shib-velocity/9.1.3/7ebc28719553529e87bf0c92cfb641b29063e0df/shib-velocity-9.1.3.jar MD5: a98141beb6d2919937b40e86b3583e5b SHA1: 7ebc28719553529e87bf0c92cfb641b29063e0df SHA256:09fbc8f9b0938099dd0d0364884650295e87c226948d3bb5fc1ae05838a8ef40 Referenced In Project/Scope: server-start:webapps shib-velocity-9.1.3.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend.webservices/soapapi@unspecified
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.slf4j/slf4j-api/2.0.17/d9e58ac9c7779ba3bf8142aff6c830617a7fe60f/slf4j-api-2.0.17.jar MD5: b6480d114a23683498ac3f746f959d2f SHA1: d9e58ac9c7779ba3bf8142aff6c830617a7fe60f SHA256:7b751d952061954d5abfed7181c1f645d336091b679891591d63329c622eb832 Referenced In Project/Scope: server-start:compileClasspath slf4j-api-2.0.17.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified
Smack is an Open Source XMPP (Jabber) client library for instant messaging and presence. A pure Java library, it can be embedded into your applications to create anything from a full XMPP client to simple XMPP integrations such as sending notification messages.
License:
Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/jivesoftware/smack/3.0.4/6c753d9ee1267d5c95f129575963e62ed49860a1/smack-3.0.4.jar MD5: e8df1da0211543e00c4fa32b2401fc74 SHA1: 6c753d9ee1267d5c95f129575963e62ed49860a1 SHA256:03ce9a149453a4799f90d4660841c5cc862b1b580df8caefb8b8fb40ab57fbb4 Referenced In Project/Scope: server-start:runtimeClasspath smack-3.0.4.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified
Smack is an Open Source XMPP (Jabber) client library for instant messaging and presence. A pure Java library, it can be embedded into your applications to create anything from a full XMPP client to simple XMPP integrations such as sending notification messages.
License:
Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/jivesoftware/smackx/3.0.4/bd7557b72511ad3de3f8d1c8d3b336226e116622/smackx-3.0.4.jar MD5: fe04c6acdf1b4f415268e684e0c49b5d SHA1: bd7557b72511ad3de3f8d1c8d3b336226e116622 SHA256:23810a1c1e9f25b638d2d3250b943c1494d6aec3a63b74c53a3ffe8d2de12f69 Referenced In Project/Scope: server-start:runtimeClasspath smackx-3.0.4.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified
Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.yaml/snakeyaml/2.4/e0666b825b796f85521f02360e77f4c92c5a7a07/snakeyaml-2.4.jar MD5: 29410ee3a987e3bff7b847933c591972 SHA1: e0666b825b796f85521f02360e77f4c92c5a7a07 SHA256:ef779af5d29a9dde8cc70ce0341f5c6f7735e23edff9685ceaa9d35359b7bb7f Referenced In Project/Scope: server-start:webapps snakeyaml-2.4.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend.webservices/restapi@unspecified
The Apache Software Foundation provides support for the Apache community of open-source software projects. The Apache projects are characterized by a collaborative, consensus based development process, an open and pragmatic software license, and a desire to create high quality software that leads the way in its field. We consider ourselves not simply a group of projects sharing a server, but rather a community of developers and users.
Eclipse Distribution License - v 1.0: http://www.eclipse.org/org/documents/edl-v10.php
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.jvnet.staxex/stax-ex/1.8.1/78011e483a21102fb4858f3e8f269a677e50aa23/stax-ex-1.8.1.jar MD5: 8fea4418fa80e957e39c174cec08053c SHA1: 78011e483a21102fb4858f3e8f269a677e50aa23 SHA256:20522549056e9e50aa35ef0b445a2e47a53d06be0b0a9467d704e2483ffb049a Referenced In Project/Scope: server-start:compileClasspath stax-ex-1.8.1.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified
Eclipse Distribution License - v 1.0: http://www.eclipse.org/org/documents/edl-v10.php
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.jvnet.staxex/stax-ex/2.1.0/33160568d70c01da407f8ba982bacf283d00ad4a/stax-ex-2.1.0.jar MD5: 700a50c797db31429bf0c57b5adb8b55 SHA1: 33160568d70c01da407f8ba982bacf283d00ad4a SHA256:9f786ab52392106a53491bd1ddd8bd9028c95bb280e30387b70d498a8647cf35 Referenced In Project/Scope: server-start:webapps stax-ex-2.1.0.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend.webservices/soapapi@unspecified
Stax2 API is an extension to basic Stax 1.0 API that adds significant new functionality, such as full-featured bi-direction validation interface and high-performance Typed Access API.
License:
The BSD 2-Clause License: http://www.opensource.org/licenses/bsd-license.php
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/io.swagger.core.v3/swagger-annotations-jakarta/2.2.41/bd1988adb6f1eac7df260f4268c7a37f723e632f/swagger-annotations-jakarta-2.2.41.jar MD5: 129436b461924dc0b0bbda4e79a5056a SHA1: bd1988adb6f1eac7df260f4268c7a37f723e632f SHA256:714df4b94e8956a86de9a95fae85d5d9ebcdfd0bf9d84e3634bc16b60e30a94e Referenced In Project/Scope: server-start:webapps swagger-annotations-jakarta-2.2.41.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend.webservices/restapi@unspecified
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/io.swagger.core.v3/swagger-core-jakarta/2.2.41/7dc6b47e28b83921fc1173525eb37f1f59b18d37/swagger-core-jakarta-2.2.41.jar MD5: afac99bac94659de90dc53d2994f53ce SHA1: 7dc6b47e28b83921fc1173525eb37f1f59b18d37 SHA256:d5319a04b4dec6dbdc359536e3be080bdcf391281dfcedafff0ba08eb02e6f03 Referenced In Project/Scope: server-start:webapps swagger-core-jakarta-2.2.41.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend.webservices/restapi@unspecified
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/io.swagger.core.v3/swagger-integration-jakarta/2.2.41/bd90773363d7b79b540ec962a9dfddfca386cbd1/swagger-integration-jakarta-2.2.41.jar MD5: 6103153acffae10a092e259bb34ab439 SHA1: bd90773363d7b79b540ec962a9dfddfca386cbd1 SHA256:feba9ff9e973b45c7cac755d56f9d23511a2ce0db4bbf213414d65a1557f41cf Referenced In Project/Scope: server-start:webapps swagger-integration-jakarta-2.2.41.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend.webservices/restapi@unspecified
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/io.swagger.core.v3/swagger-jaxrs2-jakarta/2.2.41/ca5f91ab3ec5e0dae17153f22bcb5c3b899748dc/swagger-jaxrs2-jakarta-2.2.41.jar MD5: 692611f92b9fe61f582910fe4271ab64 SHA1: ca5f91ab3ec5e0dae17153f22bcb5c3b899748dc SHA256:7b0962a3ab1ae510479a2321a677da84fc17fcdb2112643cd56586f565f088fb Referenced In Project/Scope: server-start:webapps swagger-jaxrs2-jakarta-2.2.41.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend.webservices/restapi@unspecified
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/io.swagger.core.v3/swagger-jaxrs2-servlet-initializer-v2-jakarta/2.2.41/fc1cc8596df68d7a74fdba44efbac6be7fdb1f9e/swagger-jaxrs2-servlet-initializer-v2-jakarta-2.2.41.jar MD5: 9b6079bc1c861306a34f9b8f3f81c3be SHA1: fc1cc8596df68d7a74fdba44efbac6be7fdb1f9e SHA256:b63592378cf63d48e0fda7b93cbb5abbb4ff5ac55efdb8afeb06d61437cdd52f Referenced In Project/Scope: server-start:webapps swagger-jaxrs2-servlet-initializer-v2-jakarta-2.2.41.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend.webservices/restapi@unspecified
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/io.swagger.core.v3/swagger-models-jakarta/2.2.41/3f57b30a6ca6624dd6feb2612f2f17bea1e2b3d9/swagger-models-jakarta-2.2.41.jar MD5: 110a78136896cc7752a1af8087df9cca SHA1: 3f57b30a6ca6624dd6feb2612f2f17bea1e2b3d9 SHA256:287144c3afcf7980769d2b9ee6cfbcfe429f3cb38470f578bc1fd9c5b03de97e Referenced In Project/Scope: server-start:webapps swagger-models-jakarta-2.2.41.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend.webservices/restapi@unspecified
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.webjars/swagger-ui/5.17.14/7c746d197424eb721b4e08fcaa9e85231662d81f/swagger-ui-5.17.14.jar MD5: 0000f3977f67d7c1b7ac77a36bfabcca SHA1: 7c746d197424eb721b4e08fcaa9e85231662d81f SHA256:3d16fe99be7ef7fc6fd6b9a0b6d12e3a5444735d8a2c0c6246fbc804da5103bb Referenced In Project/Scope: server-start:webapps swagger-ui-5.17.14.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend.webservices/restapi@unspecified
DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Versions prior to 3.4.0 have an inconsistency between FORBID_TAGS and FORBID_ATTR handling when function-based ADD_TAGS is used. Commit c361baa added an early exit for FORBID_ATTR at line 1214. The same fix was not applied to FORBID_TAGS. At line 1118-1123, when EXTRA_ELEMENT_HANDLING.tagCheck returns true, the short-circuit evaluation skips the FORBID_TAGS check entirely. This allows forbidden elements to survive sanitization with their attributes intact. Version 3.4.0 patches the issue.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), CWE-183 Permissive List of Allowed Inputs
DOMPurify 3.1.3 through 3.3.1 and 2.5.3 through 2.5.8, fixed in commit 2726c74, contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting five missing rawtext elements (noscript, xmp, noembed, noframes, iframe) in the SAFE_FOR_XML regex. Attackers can include payloads like </noscript><img src=x onerror=alert(1)> in attribute values to execute JavaScript when sanitized output is placed inside these unprotected rawtext contexts.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
DOMPurify 3.1.3 through 3.2.6 and 2.5.3 through 2.5.8 contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting missing textarea rawtext element validation in the SAFE_FOR_XML regex. Attackers can include closing rawtext tags like </textarea> in attribute values to break out of rawtext contexts and execute JavaScript when sanitized output is placed inside rawtext elements. The 3.x branch was fixed in 3.2.7; the 2.x branch was never patched.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
DOMPurify has a logic inconsistency where FORBID_TAGS is not checked when a function-based ADD_TAGS (tagCheck) returns true. Due to short-circuit evaluation, the FORBID_TAGS check is never evaluated, allowing explicitly forbidden elements to pass through sanitization when EXTRA_ELEMENT_HANDLING.tagCheck is configured. (RETIREJS)
DOMPurify has a logic inconsistency where FORBID_TAGS is not checked when a function-based ADD_TAGS (tagCheck) returns true. Due to short-circuit evaluation, the FORBID_TAGS check is never evaluated, allowing explicitly forbidden elements to pass through sanitization when EXTRA_ELEMENT_HANDLING.tagCheck is configured.
DOMPurify is vulnerable to mutation-XSS (mXSS) when sanitized HTML is embedded into special raw-text wrapper elements such as xmp, script, iframe, noembed, noframes, or noscript before being assigned via innerHTML. Attacker-controlled sequences like </xmp> inside attribute values close the raw-text context during the second parse, causing the sanitized output to mutate into executable markup. (RETIREJS)
DOMPurify is vulnerable to mutation-XSS (mXSS) when sanitized HTML is embedded into special raw-text wrapper elements such as xmp, script, iframe, noembed, noframes, or noscript before being assigned via innerHTML. Attacker-controlled sequences like </xmp> inside attribute values close the raw-text context during the second parse, causing the sanitized output to mutate into executable markup.
DOMPurify's ADD_ATTR predicate function mechanism (via EXTRA_ELEMENT_HANDLING.attributeCheck) short-circuits URI validation when the predicate returns true. This allows unsafe protocols such as javascript: to survive sanitization in href and similar attributes, enabling DOM-based XSS when such links are activated. (RETIREJS)
DOMPurify's ADD_ATTR predicate function mechanism (via EXTRA_ELEMENT_HANDLING.attributeCheck) short-circuits URI validation when the predicate returns true. This allows unsafe protocols such as javascript: to survive sanitization in href and similar attributes, enabling DOM-based XSS when such links are activated.
When USE_PROFILES is enabled, DOMPurify rebuilds ALLOWED_ATTR as a plain array whose properties are looked up by name, making it susceptible to prototype pollution. If Array.prototype has been polluted with an event handler attribute name (e.g. onclick), DOMPurify will allow that event handler to survive sanitization, resulting in DOM-based XSS. (RETIREJS)
When USE_PROFILES is enabled, DOMPurify rebuilds ALLOWED_ATTR as a plain array whose properties are looked up by name, making it susceptible to prototype pollution. If Array.prototype has been polluted with an event handler attribute name (e.g. onclick), DOMPurify will allow that event handler to survive sanitization, resulting in DOM-based XSS.
DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Versions prior to 3.4.0 have an inconsistency between FORBID_TAGS and FORBID_ATTR handling when function-based ADD_TAGS is used. Commit c361baa added an early exit for FORBID_ATTR at line 1214. The same fix was not applied to FORBID_TAGS. At lines 1118-1123, when EXTRA_ELEMENT_HANDLING.tagCheck returns true, the short-circuit evaluation skips the FORBID_TAGS check entirely. This allows forbidden elements to survive sanitization with their attributes intact. Version 3.4.0 patches the issue.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), CWE-183 Permissive List of Allowed Inputs
DOMPurify 3.1.3 through 3.3.1 and 2.5.3 through 2.5.8, fixed in commit 2726c74, contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting five missing rawtext elements (noscript, xmp, noembed, noframes, iframe) in the SAFE_FOR_XML regex. Attackers can include payloads like </noscript><img src=x onerror=alert(1)> in attribute values to execute JavaScript when sanitized output is placed inside these unprotected rawtext contexts.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
DOMPurify 3.1.3 through 3.2.6 and 2.5.3 through 2.5.8 contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting missing textarea rawtext element validation in the SAFE_FOR_XML regex. Attackers can include closing rawtext tags like </textarea> in attribute values to break out of rawtext contexts and execute JavaScript when sanitized output is placed inside rawtext elements. The 3.x branch was fixed in 3.2.7; the 2.x branch was never patched.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
DOMPurify has a logic inconsistency where FORBID_TAGS is not checked when a function-based ADD_TAGS (tagCheck) returns true. Due to short-circuit evaluation, the FORBID_TAGS check is never evaluated, allowing explicitly forbidden elements to pass through sanitization when EXTRA_ELEMENT_HANDLING.tagCheck is configured. (RETIREJS)
DOMPurify has a logic inconsistency where FORBID_TAGS is not checked when a function-based ADD_TAGS (tagCheck) returns true. Due to short-circuit evaluation, the FORBID_TAGS check is never evaluated, allowing explicitly forbidden elements to pass through sanitization when EXTRA_ELEMENT_HANDLING.tagCheck is configured.
DOMPurify is vulnerable to mutation-XSS (mXSS) when sanitized HTML is embedded into special raw-text wrapper elements such as xmp, script, iframe, noembed, noframes, or noscript before being assigned via innerHTML. Attacker-controlled sequences like </xmp> inside attribute values close the raw-text context during the second parse, causing the sanitized output to mutate into executable markup. (RETIREJS)
DOMPurify is vulnerable to mutation-XSS (mXSS) when sanitized HTML is embedded into special raw-text wrapper elements such as xmp, script, iframe, noembed, noframes, or noscript before being assigned via innerHTML. Attacker-controlled sequences like </xmp> inside attribute values close the raw-text context during the second parse, causing the sanitized output to mutate into executable markup.
DOMPurify's ADD_ATTR predicate function mechanism (via EXTRA_ELEMENT_HANDLING.attributeCheck) short-circuits URI validation when the predicate returns true. This allows unsafe protocols such as javascript: to survive sanitization in href and similar attributes, enabling DOM-based XSS when such links are activated. (RETIREJS)
DOMPurify's ADD_ATTR predicate function mechanism (via EXTRA_ELEMENT_HANDLING.attributeCheck) short-circuits URI validation when the predicate returns true. This allows unsafe protocols such as javascript: to survive sanitization in href and similar attributes, enabling DOM-based XSS when such links are activated.
When USE_PROFILES is enabled, DOMPurify rebuilds ALLOWED_ATTR as a plain array whose properties are looked up by name, making it susceptible to prototype pollution. If Array.prototype has been polluted with an event handler attribute name (e.g. onclick), DOMPurify will allow that event handler to survive sanitization, resulting in DOM-based XSS. (RETIREJS)
When USE_PROFILES is enabled, DOMPurify rebuilds ALLOWED_ATTR as a plain array whose properties are looked up by name, making it susceptible to prototype pollution. If Array.prototype has been polluted with an event handler attribute name (e.g. onclick), DOMPurify will allow that event handler to survive sanitization, resulting in DOM-based XSS.
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.apache.taglibs/taglibs-standard-impl/1.2.5/9b9783ccb2a323383e6e20e36d368f8997b71967/taglibs-standard-impl-1.2.5.jar MD5: 8e5c8db242fbef3db1acfcbb3bc8ec8b SHA1: 9b9783ccb2a323383e6e20e36d368f8997b71967 SHA256:d075cb77d94e2d115b4d90a897b57d65cc31ed8e1b95d65361da324642705728 Referenced In Project/Scope: server-start:runtimeClasspath taglibs-standard-impl-1.2.5.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.apache.taglibs/taglibs-standard-spec/1.2.5/c3bb98c30f75fef1e229d1d03cf8457de22f1ba0/taglibs-standard-spec-1.2.5.jar MD5: 671c434560d04e8f06aac02a413d11e4 SHA1: c3bb98c30f75fef1e229d1d03cf8457de22f1ba0 SHA256:81a195f8acab3f072fe4d6c279b7c29575bcac49081076e3d08bbda829275189 Referenced In Project/Scope: server-start:runtimeClasspath taglibs-standard-spec-1.2.5.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/io.transconnect.frontend/transconnect-webui/4.5.1-lts-SNAPSHOT/3e9abae3b8227c68e1cf5dea60a5fb7fe87c0ed8/transconnect-webui-4.5.1-lts-SNAPSHOT.war MD5: b2c82657cfc73d552ef33c9107d314b4 SHA1: 3e9abae3b8227c68e1cf5dea60a5fb7fe87c0ed8 SHA256:30ec007cfa994545cc64be3d0acc2b7eae32ee1d7415039c7113c31e67232489 Referenced In Project/Scope: server-start:webapps transconnect-webui-4.5.1-lts-SNAPSHOT.war is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend/server-start@unspecified
TXW is a library that allows you to write XML documents.
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.glassfish.jaxb/txw2/2.3.2/ce5be7da2e442c25ec14c766cb60cb802741727b/txw2-2.3.2.jar MD5: 3f278f148c5d27dc608c25cb7d093b94 SHA1: ce5be7da2e442c25ec14c766cb60cb802741727b SHA256:4a6a9f483388d461b81aa9a28c685b8b74c0597993bf1884b04eddbca95f48fe Referenced In Project/Scope: server-start:compileClasspath txw2-2.3.2.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified
TXW is a library that allows you to write XML documents.
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.glassfish.jaxb/txw2/2.3.6/45db7b69a8f1ec2c21eb7d4fc0ee729f53c1addc/txw2-2.3.6.jar MD5: dd02e61e4662e6461f0c21b08e721021 SHA1: 45db7b69a8f1ec2c21eb7d4fc0ee729f53c1addc SHA256:f8bc249d22ad950257c373aea80c2f16f18f5eb4d557bdb2660bf5e1f1e84776 Referenced In Project/Scope: server-start:runtimeClasspath txw2-2.3.6.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified
TXW is a library that allows you to write XML documents.
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.glassfish.jaxb/txw2/4.0.5/f36a4ef12120a9bb06d766d6a0e54b144fd7ed98/txw2-4.0.5.jar MD5: 2f5aa7dbd5e326562cff6ce720a1485a SHA1: f36a4ef12120a9bb06d766d6a0e54b144fd7ed98 SHA256:917355bc451481f30d043b24d123110517966af34383901773882810dca480e5 Referenced In Project/Scope: server-start:webapps txw2-4.0.5.jar is in the transitive dependency tree of the listed items.Included by:
Vavr (formerly called Javaslang) is an object-functional language extension to Java 8+.
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/io.vavr/vavr/0.10.7/855105af0b36941e0d23303a8edeec9e6655719a/vavr-0.10.7.jar MD5: 282f7a459656719db99b56813980c2e8 SHA1: 855105af0b36941e0d23303a8edeec9e6655719a SHA256:40d05a7531f7d6411d7fce5e096ed93f52e780c9cb6f699a9ced88f765288a0c Referenced In Project/Scope: server-start:runtimeClasspath vavr-0.10.7.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified
Evidence
Type     Source    Name                 Value            Confidence
Vendor   file      name                 vavr             High
Vendor   gradle    artifactid           vavr             Highest
Vendor   gradle    groupid              io.vavr          Highest
Vendor   jar       package name         io               Highest
Vendor   jar       package name         vavr             Highest
Vendor   Manifest  build-jdk-spec       21               Low
Vendor   Manifest  bundle-symbolicname  io.vavr          Medium
Vendor   Manifest  multi-release        true             Low
Vendor   pom       artifactid           vavr             Low
Vendor   pom       groupid              io.vavr          Highest
Vendor   pom       name                 Vavr             High
Vendor   pom       parent-artifactid    vavr-parent      Low
Vendor   pom       url                  https://vavr.io  Highest
Product  file      name                 vavr             High
Product  gradle    artifactid           vavr             Highest
Product  jar       package name         io               Highest
Product  jar       package name         vavr             Highest
Product  Manifest  build-jdk-spec       21               Low
Product  Manifest  Bundle-Name          Vavr             Medium
Product  Manifest  bundle-symbolicname  io.vavr          Medium
Product  Manifest  multi-release        true             Low
Product  pom       artifactid           vavr             Highest
Product  pom       groupid              io.vavr          Highest
Product  pom       name                 Vavr             High
Product  pom       parent-artifactid    vavr-parent      Medium
Product  pom       url                  https://vavr.io  Medium
Version  file      version              0.10.7           High
Version  gradle    version              0.10.7           Highest
Version  Manifest  Bundle-Version       0.10.7           High
Version  pom       version              0.10.7           Highest
Identifiers
pkg:maven/io.vavr/vavr@0.10.7 (Confidence:High)
vavr-match-0.10.7.jar
Description:
Annotation for structural pattern matching
License:
The Apache Software License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/io.vavr/vavr-match/0.10.7/25d24e4d9afc565538cb505bac7285c091aced5a/vavr-match-0.10.7.jar MD5: 9fd462f9cf2de60b40d826ccdd6b3710 SHA1: 25d24e4d9afc565538cb505bac7285c091aced5a SHA256:ed86f834c0c03fa2d9ec270914a47a8a0d017573bc11fa2b5b999cbdccb18614 Referenced In Project/Scope: server-start:runtimeClasspath vavr-match-0.10.7.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.apache.velocity/velocity-engine-core/2.4.1/b662837e8006d5c383bd128503ea86ef5b4d361/velocity-engine-core-2.4.1.jar MD5: 41a3757dc9d701590be703d1f2bd2462 SHA1: 0b662837e8006d5c383bd128503ea86ef5b4d361 SHA256:1c19157d1171d560088e485be97c93a7a2f7e9f56e517f0a30273c5c39df6231 Referenced In Project/Scope: server-start:webapps velocity-engine-core-2.4.1.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend.webservices/soapapi@unspecified
The Woden project is a subproject of the Apache Web Services Project to develop a Java class library for reading, manipulating, creating and writing WSDL documents, initially to support WSDL 2.0 but with the longer term aim of supporting past, present and future versions of WSDL. There are two main deliverables: an API and an implementation. The Woden API consists of a set of Java interfaces. The WSDL 2.0-specific portion of the Woden API conforms to the W3C WSDL 2.0 specification. The implementation will be a high performance implementation directly usable in other Apache projects such as Axis2.
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.apache.wss4j/wss4j-bindings/4.0.0/3c5962bd8423c2ec4e0733e6cc714d9f8e36471/wss4j-bindings-4.0.0.jar MD5: eebc66a992407cb8c6262a285f149ae9 SHA1: 03c5962bd8423c2ec4e0733e6cc714d9f8e36471 SHA256:3a9bb7b5aa03b29cc794c45e211ab8458b368f7ca964fab813e1fec101c620f9 Referenced In Project/Scope: server-start:webapps wss4j-bindings-4.0.0.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend.webservices/soapapi@unspecified
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.apache.wss4j/wss4j-policy/4.0.0/1917547139082f3541f1ab489e01e0b4f6f22848/wss4j-policy-4.0.0.jar MD5: 7f1e7dda8be8cefd597602ac90dae686 SHA1: 1917547139082f3541f1ab489e01e0b4f6f22848 SHA256:57c41cb631e5f759110ca0b723cafc1dd0355164b0dc1af930323bc3638ce500 Referenced In Project/Scope: server-start:webapps wss4j-policy-4.0.0.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend.webservices/soapapi@unspecified
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.apache.wss4j/wss4j-ws-security-common/4.0.0/efe08b8adf1e2bfa2da514e012017a10f85cb47f/wss4j-ws-security-common-4.0.0.jar MD5: 2766c4057dc93a11806c0a6ce5543dca SHA1: efe08b8adf1e2bfa2da514e012017a10f85cb47f SHA256:bb1c0f112332f26add1abc1fb1bb4e368dd57fdd9132d2cfdcc2a5b151c11c2a Referenced In Project/Scope: server-start:webapps wss4j-ws-security-common-4.0.0.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend.webservices/soapapi@unspecified
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.apache.wss4j/wss4j-ws-security-dom/4.0.0/1e0d7e56b66080f9cfcdf104048d6b0dc423d12/wss4j-ws-security-dom-4.0.0.jar MD5: d682afa0a0b6ad24424ba3ec7dcc0a59 SHA1: 01e0d7e56b66080f9cfcdf104048d6b0dc423d12 SHA256:f69b9c674eebb8d71bbd6bba2d70d144b4f91243789485bdfbf4ec5e20f9a8ca Referenced In Project/Scope: server-start:webapps wss4j-ws-security-dom-4.0.0.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend.webservices/soapapi@unspecified
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.apache.wss4j/wss4j-ws-security-policy-stax/4.0.0/51aa22853ebb6eb9b44a9ff894a2603643be389c/wss4j-ws-security-policy-stax-4.0.0.jar MD5: def13f19cbcf66e91d7f6cf60d3b0889 SHA1: 51aa22853ebb6eb9b44a9ff894a2603643be389c SHA256:fb4276d0979056eeb6cd3f0d19222db9bf0ac58691c74a3ff113d68c813df291 Referenced In Project/Scope: server-start:webapps wss4j-ws-security-policy-stax-4.0.0.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend.webservices/soapapi@unspecified
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.apache.wss4j/wss4j-ws-security-stax/4.0.0/93f367e23737ee4d1e9cc767f6d20f140c4bc21e/wss4j-ws-security-stax-4.0.0.jar MD5: 1f36b3b738ffd79ad6896d1917ccd997 SHA1: 93f367e23737ee4d1e9cc767f6d20f140c4bc21e SHA256:fc0989821033a0088fd2e533d1805c8e991db906f9af51a025a8d55c7653e36b Referenced In Project/Scope: server-start:webapps wss4j-ws-security-stax-4.0.0.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend.webservices/soapapi@unspecified
Xerces2 provides high performance, fully compliant XML parsers in the Apache Xerces family. This new version of Xerces continues to build upon the Xerces Native Interface (XNI), a complete framework for building parser components and configurations that is extremely modular and easy to program.
The Apache Xerces2 parser is the reference implementation of XNI but other parser components, configurations, and parsers can be written using the Xerces Native Interface. For complete design and implementation documents, refer to the XNI Manual.
Xerces2 provides fully conforming XML Schema 1.0 and 1.1 processors. An experimental implementation of the "XML Schema Definition Language (XSD): Component Designators (SCD) Candidate Recommendation (January 2010)" is also provided for evaluation. For more information, refer to the XML Schema page.
Xerces2 also provides a complete implementation of the Document Object Model Level 3 Core and Load/Save W3C Recommendations and provides a complete implementation of the XML Inclusions (XInclude) W3C Recommendation. It also provides support for OASIS XML Catalogs v1.1.
Xerces2 is able to parse documents written according to the XML 1.1 Recommendation, except that it does not yet provide an option to enable normalization checking as described in section 2.13 of this specification. It also handles namespaces according to the XML Namespaces 1.1 Recommendation, and will correctly serialize XML 1.1 documents if the DOM level 3 load/save APIs are in use.
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/xerces/xercesImpl/2.12.2/f051f988aa2c9b4d25d05f95742ab0cc3ed789e2/xercesImpl-2.12.2.jar MD5: 40e4f2d5aacfbf51a9a1572d77a0e5e9 SHA1: f051f988aa2c9b4d25d05f95742ab0cc3ed789e2 SHA256:6fc991829af1708d15aea50c66f0beadcd2cfeb6968e0b2f55c1b0909883fe16 Referenced In Project/Scope: server-start:runtimeClasspath xercesImpl-2.12.2.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified
Extreme performance modern memcached client for java
License:
Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/com.googlecode.xmemcached/xmemcached/2.4.9/f59b0a35b9362a8ccaed6932080cd638e3a14b44/xmemcached-2.4.9.jar MD5: 2909d08ce9bf912e23717c72db7445d1 SHA1: f59b0a35b9362a8ccaed6932080cd638e3a14b44 SHA256:e33eba7fbc892e01be81d19c1bf6a420ef42ad2ad89312c5b7b87ee48f6ef94c Referenced In Project/Scope: server-start:runtimeClasspath xmemcached-2.4.9.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified
xml-commons provides an Apache-hosted set of DOM, SAX, and JAXP interfaces for use in other xml-based projects. Our hope is that we can standardize on both a common version and packaging scheme for these critical XML standards interfaces to make the lives of both our developers and users easier.
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.apache.ws.xmlschema/xmlschema-core/2.3.1/5a83fc4e79d128f38c9e32138537060678151759/xmlschema-core-2.3.1.jar MD5: 76e1deab5e6e1caa5fed31b3482cd266 SHA1: 5a83fc4e79d128f38c9e32138537060678151759 SHA256:648f7f7e5228d89069cbc54c32404209f242581bc1c1e2e74229114f081071aa Referenced In Project/Scope: server-start:webapps xmlschema-core-2.3.1.jar is in the transitive dependency tree of the listed items.Included by:
Apache XML Security for Java supports XML-Signature Syntax and Processing, W3C Recommendation 12 February 2002, and XML Encryption Syntax and Processing, W3C Recommendation 10 December 2002. Since version 1.4, the library supports the standard Java API JSR-105: XML Digital Signature APIs.
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.apache.santuario/xmlsec/4.0.3/34c05e3c1f13d9be69f54fafa0d31e116801c4b4/xmlsec-4.0.3.jar MD5: 275e5f01c29d3f8987c36ff254929dd5 SHA1: 34c05e3c1f13d9be69f54fafa0d31e116801c4b4 SHA256:7fe42f0b769a4e85cb6c7510f644107007453985d1f38d96390447948e71f1aa Referenced In Project/Scope: server-start:webapps xmlsec-4.0.3.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend.webservices/soapapi@unspecified
MXP1 is a stable XmlPull parsing engine that is based on ideas from XPP and in particular XPP2 but completely revised and rewritten to take the best advantage of latest JIT JVMs such as Hotspot in JDK 1.4+.
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/xpp3/xpp3/1.1.3.4.O/1c165262edac1c1e4f0a67c1643c4b7476187034/xpp3-1.1.3.4.O.jar MD5: 799105b1ea95641f626806717c1ef8a0 SHA1: 1c165262edac1c1e4f0a67c1643c4b7476187034 SHA256:ebcdef45cb16eeb113032b27c8537fd98d6f46b1071b6765febd596b8cac0f1a Referenced In Project/Scope: server-start:runtimeClasspath xpp3-1.1.3.4.O.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified
XML Schema Object Model (XSOM) is a Java library that allows applications to easily parse XML Schema documents and inspect information in them. It is expected to be useful for applications that need to take XML Schema as an input.
License:
Eclipse Distribution License - v 1.0: http://www.eclipse.org/org/documents/edl-v10.php
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.glassfish.jaxb/xsom/2.3.6/ece5034aa8e11c16a1749deb5234e77be6f25ace/xsom-2.3.6.jar MD5: de147221723225e46acca356cadc650e SHA1: ece5034aa8e11c16a1749deb5234e77be6f25ace SHA256:227e7b49a1331847da6c61c8b14307acdd969b9f75842e4b4100b22bc15a4a69 Referenced In Project/Scope: server-start:runtimeClasspath xsom-2.3.6.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified
zip4j before 1.3.3 is vulnerable to directory traversal, allowing attackers to write to arbitrary files via a ../ (dot dot slash) in a Zip archive entry that is mishandled during extraction. This vulnerability is also known as 'Zip-Slip'.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
zip4j up to v2.10.0 can throw various uncaught exceptions while parsing a specially crafted ZIP file, which could result in an application crash. This could be used to mount a denial of service attack against services that use zip4j library.
CWE-755 Improper Handling of Exceptional Conditions
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.keycloak/keycloak-common/22.0.4/d32da9502b4be5c3fd32060684d38988e604875d/keycloak-common-22.0.4.jar MD5: 432b50944f0f1d3ef3acb02153356d5d SHA1: d32da9502b4be5c3fd32060684d38988e604875d SHA256:2172bfb3e9ca8e904e152f85565182d8a8b174f2502c1946073158868290b72d Referenced In Project/Scope: server-start:runtimeClasspath keycloak-common-22.0.4.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified
A flaw was found in Keycloak that occurs from an error in the re-authentication mechanism within org.keycloak.authentication. This flaw allows hijacking an active Keycloak session by triggering a new authentication process with the query parameter "prompt=login," prompting the user to re-enter their credentials. If the user cancels this re-authentication by selecting "Restart login," an account takeover may occur, as the new session, with a different SUB, will possess the same SID as the previous session.
A flaw was found in Keycloak, where it does not properly validate URLs included in a redirect. This issue could allow an attacker to construct a malicious request to bypass validation and access other URLs and sensitive information within the domain or conduct further attacks. This flaw affects any client that utilizes a wildcard in the Valid Redirect URIs field, and requires user interaction within the malicious URL.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
A flaw was found in the redirect_uri validation logic in Keycloak. This issue may allow a bypass of otherwise explicitly allowed hosts. A successful attack may lead to an access token being stolen, making it possible for the attacker to impersonate other users.
CWE-601 URL Redirection to Untrusted Site ('Open Redirect')
A session fixation issue was discovered in the SAML adapters provided by Keycloak. The session ID and JSESSIONID cookie are not changed at login time, even when the turnOffChangeSessionIdOnLogin option is configured. This flaw allows an attacker who hijacks the current session before authentication to trigger session fixation.
A vulnerability was found in Keycloak. This flaw allows attackers to bypass brute force protection by exploiting the timing of login attempts. By initiating multiple login requests simultaneously, attackers can exceed the configured limits for failed attempts before the system locks them out. This timing loophole enables attackers to make more guesses at passwords than intended, potentially compromising account security on affected systems.
CWE-837 Improper Enforcement of a Single, Unique Action
An open redirect vulnerability was found in Keycloak. A specially crafted URL can be constructed where the referrer and referrer_uri parameters are made to trick a user to visit a malicious webpage. A trusted URL can trick users and automation into believing that the URL is safe, when, in fact, it redirects to a malicious server. This issue can result in a victim inadvertently trusting the destination of the redirect, potentially leading to a successful phishing attack or other types of attacks.
Once a crafted URL is made, it can be sent to a Keycloak admin via email for example. This will trigger this vulnerability when the user visits the page and clicks the link. A malicious actor can use this to target users they know are Keycloak admins for further attacks. It may also be possible to bypass other domain-related security checks, such as supplying this as an OAuth redirect URI. The malicious actor can further obfuscate the redirect_uri using URL encoding, to hide the text of the actual malicious website domain.
CWE-601 URL Redirection to Untrusted Site ('Open Redirect')
A flaw was found in Keycloak that prevents certain schemes in redirects, but permits them if a wildcard is appended to the token. This issue could allow an attacker to submit a specially crafted request leading to cross-site scripting (XSS) or further attacks. This flaw is the result of an incomplete fix for CVE-2020-10748.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
A flaw was found in Keycloak. An administrator with `manage-users` permission can bypass the "Only administrators can view" setting for unmanaged attributes, allowing them to modify these attributes. This improper access control can lead to unauthorized changes to user profiles, even when the system is configured to restrict such modifications.
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/org.keycloak/keycloak-core/22.0.4/1d3ed2799b4d5424d91666370c7c714f078111b7/keycloak-core-22.0.4.jar MD5: 2714092aa9440a2832b099a1e2524da2 SHA1: 1d3ed2799b4d5424d91666370c7c714f078111b7 SHA256:4509d750eab7ba70f7b0304d1a712056ca0a5f8b2acc5d7f8698e4e33d4d0af5 Referenced In Project/Scope: server-start:runtimeClasspath keycloak-core-22.0.4.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified
A flaw was found in Keycloak that occurs from an error in the re-authentication mechanism within org.keycloak.authentication. This flaw allows hijacking an active Keycloak session by triggering a new authentication process with the query parameter "prompt=login," prompting the user to re-enter their credentials. If the user cancels this re-authentication by selecting "Restart login," an account takeover may occur, as the new session, with a different SUB, will possess the same SID as the previous session.
A flaw was found in Keycloak, where it does not properly validate URLs included in a redirect. This issue could allow an attacker to construct a malicious request to bypass validation and access other URLs and sensitive information within the domain or conduct further attacks. This flaw affects any client that utilizes a wildcard in the Valid Redirect URIs field, and requires user interaction within the malicious URL.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
A flaw was found in the redirect_uri validation logic in Keycloak. This issue may allow a bypass of otherwise explicitly allowed hosts. A successful attack may lead to an access token being stolen, making it possible for the attacker to impersonate other users.
CWE-601 URL Redirection to Untrusted Site ('Open Redirect')
A session fixation issue was discovered in the SAML adapters provided by Keycloak. The session ID and JSESSIONID cookie are not changed at login time, even when the turnOffChangeSessionIdOnLogin option is configured. This flaw allows an attacker who hijacks the current session before authentication to trigger session fixation.
A vulnerability was found in Keycloak. This flaw allows attackers to bypass brute force protection by exploiting the timing of login attempts. By initiating multiple login requests simultaneously, attackers can exceed the configured limits for failed attempts before the system locks them out. This timing loophole enables attackers to make more guesses at passwords than intended, potentially compromising account security on affected systems.
CWE-837 Improper Enforcement of a Single, Unique Action
An open redirect vulnerability was found in Keycloak. A specially crafted URL can be constructed where the referrer and referrer_uri parameters are made to trick a user to visit a malicious webpage. A trusted URL can trick users and automation into believing that the URL is safe, when, in fact, it redirects to a malicious server. This issue can result in a victim inadvertently trusting the destination of the redirect, potentially leading to a successful phishing attack or other types of attacks.
Once a crafted URL is made, it can be sent to a Keycloak admin via email for example. This will trigger this vulnerability when the user visits the page and clicks the link. A malicious actor can use this to target users they know are Keycloak admins for further attacks. It may also be possible to bypass other domain-related security checks, such as supplying this as an OAuth redirect URI. The malicious actor can further obfuscate the redirect_uri using URL encoding, to hide the text of the actual malicious website domain.
CWE-601 URL Redirection to Untrusted Site ('Open Redirect')
A flaw was found in Keycloak that prevents certain schemes in redirects, but permits them if a wildcard is appended to the token. This issue could allow an attacker to submit a specially crafted request leading to cross-site scripting (XSS) or further attacks. This flaw is the result of an incomplete fix for CVE-2020-10748.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
A flaw was found in Keycloak. An administrator with `manage-users` permission can bypass the "Only administrators can view" setting for unmanaged attributes, allowing them to modify these attributes. This improper access control can lead to unauthorized changes to user profiles, even when the system is configured to restrict such modifications.
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.
Notes: false positive, "io.projectreactor.netty.reactor-netty-core" should not match against "io.netty:netty-all"
file name: sharepoint-online-connector-0.9.0-candidate-4-5-0-SNAPSHOT.war: reactor-netty-core-1.2.10.jar
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpObjectDecoder strips a conflicting Content-Length header when a request carries both Transfer-Encoding: chunked and Content-Length, but only for HTTP/1.1 messages. The guard is absent for HTTP/1.0. An attacker that sends an HTTP/1.0 request with both headers causes Netty to decode the body as chunked while leaving Content-Length intact in the forwarded HttpMessage. Any downstream proxy or handler that trusts Content-Length over Transfer-Encoding will disagree on message boundaries, enabling request smuggling. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's DNS codec does not enforce RFC 1035 domain name constraints during either encoding or decoding. This creates a bidirectional attack surface: malicious DNS responses can exploit the decoder, and user-influenced hostnames can exploit the encoder. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpClientCodec pairs each inbound response with an outbound request by queue.poll() once per response, including for 1xx. If the client pipelines GET then HEAD and the server sends 103, then 200 with GET body, then 200 for HEAD, the queue pairs HEAD with the first 200. The HEAD rule then skips reading that message’s body, so the GET entity bytes stay on the stream and the following 200 is parsed from the wrong offset. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, a remote user can trigger a Denial of Service (DoS) against a Netty HTTP/2 server by sending a flood of `CONTINUATION` frames. The server's lack of a limit on the number of `CONTINUATION` frames, combined with a bypass of existing size-based mitigations using zero-byte frames, allows a user to cause excessive CPU consumption with minimal bandwidth, rendering the server unresponsive. Versions 4.1.132.Final and 4.2.10.Final fix the issue.
CWE-770 Allocation of Resources Without Limits or Throttling
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, Netty incorrectly parses quoted strings in HTTP/1.1 chunked transfer encoding extension values, enabling request smuggling attacks. Versions 4.1.132.Final and 4.2.10.Final fix the issue.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final, when decoding header blocks, the non-Huffman branch of io.netty.handler.codec.http3.QpackDecoder#decodeHuffmanEncodedLiteral may execute new byte[length] for a string literal before verifying that length bytes are actually present in the compressed field section. The wire encoding allows a very large length to be expressed in few bytes. There is no check that length <= in.readableBytes() before new byte[length]. This vulnerability is fixed in 4.2.13.Final.
CWE-789 Memory Allocation with Excessive Size Value, CWE-770 Allocation of Resources Without Limits or Throttling
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Lz4FrameDecoder allocates a ByteBuf of size decompressedLength (up to 32 MB per block) before LZ4 runs. A peer only needs a 21-byte header plus compressedLength payload bytes (22 bytes if compressedLength == 1) to force that allocation. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CWE-400 Uncontrolled Resource Consumption, CWE-770 Allocation of Resources Without Limits or Throttling
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty incorrectly parses malformed Transfer-Encoding, enabling request smuggling attacks. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpContentDecompressor accepts a maxAllocation parameter to limit decompression buffer size and prevent decompression bomb attacks. This limit is correctly enforced for gzip and deflate encodings via ZlibDecoder, but is silently ignored when the content encoding is br (Brotli), zstd, or snappy. An attacker can bypass the configured decompression limit by sending a compressed payload with Content-Encoding: br instead of Content-Encoding: gzip, causing unbounded memory allocation and out-of-memory denial of service. The same vulnerability exists in DelegatingDecompressorFrameListener for HTTP/2 connections. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, the MQTT 5 header Properties section is parsed and buffered before any message size limit is applied. Specifically, in MqttDecoder, the decodeVariableHeader() method is called before the bytesRemainingBeforeVariableHeader > maxBytesInMessage check. The decodeVariableHeader() can call other methods which will call decodeProperties(). Effectively, Netty does not apply any limits to the size of the properties being decoded. Additionally, because MqttDecoder extends ReplayingDecoder, Netty will repeatedly re-parse the enormous Properties sections and buffer the bytes in memory, until the entire thing parses to completion. This can cause high resource usage in both CPU and memory. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, the Netty Redis codec encoder (RedisEncoder) writes user-controlled string content directly to the network output buffer without validating or sanitizing CRLF (\r\n) characters. Since the Redis Serialization Protocol (RESP) uses CRLF as the command/response delimiter, an attacker who can control the content of a Redis message can inject arbitrary Redis commands or forge fake responses. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection')
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.129.Final and 4.2.8.Final, the `io.netty.handler.codec.http.HttpRequestEncoder` has a CRLF injection with the request URI when constructing a request. This leads to request smuggling when `HttpRequestEncoder` is used without proper sanitization of the URI. Any application / framework using `HttpRequestEncoder` can be subject to be abused to perform request smuggling using CRLF injection. Versions 4.1.129.Final and 4.2.8.Final fix the issue.
CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection')
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's chunk size parser silently overflows int, enabling request smuggling attacks. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling'), CWE-190 Integer Overflow or Wraparound
Netty allows request-line validation to be bypassed when a `DefaultHttpRequest` or `DefaultFullHttpRequest` is created first and its URI is later changed via `setUri()`. The constructors reject CRLF and whitespace characters that would break the start-line, but `setUri()` does not apply the same validation. `HttpRequestEncoder` and `RtspEncoder` then write the URI into the request line verbatim. If attacker-controlled input reaches `setUri()`, this enables CRLF injection and insertion of additional HTTP or RTSP requests, leading to HTTP request smuggling or desynchronization on the HTTP side and request injection on the RTSP side. This issue is fixed in versions 4.2.13.Final and 4.1.133.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling'), CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection')
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's HttpProxyHandler constructs HTTP CONNECT requests with header validation explicitly disabled. The newInitialMessage() method creates headers using DefaultHttpHeadersFactory.headersFactory().withValidation(false), then adds user-provided outboundHeaders without any CRLF validation. This allows an attacker who can influence the outbound headers to inject arbitrary HTTP headers into the CONNECT request sent to the proxy server. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CWE-113 Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.
Notes: false positive, "io.projectreactor.netty.reactor-netty-core" should not match against "io.netty:netty-all"
file name: sharepoint-online-connector-0.9.0-candidate-4-5-0-SNAPSHOT.war: reactor-netty-core-1.2.10.jar
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpObjectDecoder strips a conflicting Content-Length header when a request carries both Transfer-Encoding: chunked and Content-Length, but only for HTTP/1.1 messages. The guard is absent for HTTP/1.0. An attacker that sends an HTTP/1.0 request with both headers causes Netty to decode the body as chunked while leaving Content-Length intact in the forwarded HttpMessage. Any downstream proxy or handler that trusts Content-Length over Transfer-Encoding will disagree on message boundaries, enabling request smuggling. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's DNS codec does not enforce RFC 1035 domain name constraints during either encoding or decoding. This creates a bidirectional attack surface: malicious DNS responses can exploit the decoder, and user-influenced hostnames can exploit the encoder. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpClientCodec pairs each inbound response with an outbound request by queue.poll() once per response, including for 1xx. If the client pipelines GET then HEAD and the server sends 103, then 200 with GET body, then 200 for HEAD, the queue pairs HEAD with the first 200. The HEAD rule then skips reading that message’s body, so the GET entity bytes stay on the stream and the following 200 is parsed from the wrong offset. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, a remote user can trigger a Denial of Service (DoS) against a Netty HTTP/2 server by sending a flood of `CONTINUATION` frames. The server's lack of a limit on the number of `CONTINUATION` frames, combined with a bypass of existing size-based mitigations using zero-byte frames, allows an user to cause excessive CPU consumption with minimal bandwidth, rendering the server unresponsive. Versions 4.1.132.Final and 4.2.10.Final fix the issue.
CWE-770 Allocation of Resources Without Limits or Throttling
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, Netty incorrectly parses quoted strings in HTTP/1.1 chunked transfer encoding extension values, enabling request smuggling attacks. Versions 4.1.132.Final and 4.2.10.Final fix the issue.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final, when decoding header blocks, the non-Huffman branch of io.netty.handler.codec.http3.QpackDecoder#decodeHuffmanEncodedLiteral may execute new byte[length] for a string literal before verifying that length bytes are actually present in the compressed field section. The wire encoding allows a very large length to be expressed in few bytes. There is no check that length <= in.readableBytes() before new byte[length]. This vulnerability is fixed in 4.2.13.Final.
CWE-789 Memory Allocation with Excessive Size Value, CWE-770 Allocation of Resources Without Limits or Throttling
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Lz4FrameDecoder allocates a ByteBuf of size decompressedLength (up to 32 MB per block) before LZ4 runs. A peer only needs a 21-byte header plus compressedLength payload bytes (22 bytes in total if compressedLength == 1) to force that allocation. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CWE-400 Uncontrolled Resource Consumption, CWE-770 Allocation of Resources Without Limits or Throttling
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty incorrectly parses malformed Transfer-Encoding, enabling request smuggling attacks. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpContentDecompressor accepts a maxAllocation parameter to limit decompression buffer size and prevent decompression bomb attacks. This limit is correctly enforced for gzip and deflate encodings via ZlibDecoder, but is silently ignored when the content encoding is br (Brotli), zstd, or snappy. An attacker can bypass the configured decompression limit by sending a compressed payload with Content-Encoding: br instead of Content-Encoding: gzip, causing unbounded memory allocation and out-of-memory denial of service. The same vulnerability exists in DelegatingDecompressorFrameListener for HTTP/2 connections. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, the MQTT 5 header Properties section is parsed and buffered before any message size limit is applied. Specifically, in MqttDecoder, the decodeVariableHeader() method is called before the bytesRemainingBeforeVariableHeader > maxBytesInMessage check. The decodeVariableHeader() can call other methods which will call decodeProperties(). Effectively, Netty does not apply any limits to the size of the properties being decoded. Additionally, because MqttDecoder extends ReplayingDecoder, Netty will repeatedly re-parse the enormous Properties sections and buffer the bytes in memory, until the entire thing parses to completion. This can cause high resource usage in both CPU and memory. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, the Netty Redis codec encoder (RedisEncoder) writes user-controlled string content directly to the network output buffer without validating or sanitizing CRLF (\r\n) characters. Since the Redis Serialization Protocol (RESP) uses CRLF as the command/response delimiter, an attacker who can control the content of a Redis message can inject arbitrary Redis commands or forge fake responses. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection')
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.129.Final and 4.2.8.Final, the `io.netty.handler.codec.http.HttpRequestEncoder` has a CRLF injection with the request URI when constructing a request. This leads to request smuggling when `HttpRequestEncoder` is used without proper sanitization of the URI. Any application / framework using `HttpRequestEncoder` can be abused to perform request smuggling using CRLF injection. Versions 4.1.129.Final and 4.2.8.Final fix the issue.
CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection')
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's chunk size parser silently overflows int, enabling request smuggling attacks. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling'), CWE-190 Integer Overflow or Wraparound
Netty allows request-line validation to be bypassed when a `DefaultHttpRequest` or `DefaultFullHttpRequest` is created first and its URI is later changed via `setUri()`. The constructors reject CRLF and whitespace characters that would break the start-line, but `setUri()` does not apply the same validation. `HttpRequestEncoder` and `RtspEncoder` then write the URI into the request line verbatim. If attacker-controlled input reaches `setUri()`, this enables CRLF injection and insertion of additional HTTP or RTSP requests, leading to HTTP request smuggling or desynchronization on the HTTP side and request injection on the RTSP side. This issue is fixed in versions 4.2.13.Final and 4.1.133.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling'), CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection')
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's HttpProxyHandler constructs HTTP CONNECT requests with header validation explicitly disabled. The newInitialMessage() method creates headers using DefaultHttpHeadersFactory.headersFactory().withValidation(false), then adds user-provided outboundHeaders without any CRLF validation. This allows an attacker who can influence the outbound headers to inject arbitrary HTTP headers into the CONNECT request sent to the proxy server. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CWE-113 Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.
Notes: false positive, "io.projectreactor.netty.reactor-netty-core" should not match against "io.netty:netty-all"
file name: sharepoint-online-connector-0.9.0-candidate-4-5-0-SNAPSHOT.war: reactor-netty-core-1.2.10.jar
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpObjectDecoder strips a conflicting Content-Length header when a request carries both Transfer-Encoding: chunked and Content-Length, but only for HTTP/1.1 messages. The guard is absent for HTTP/1.0. An attacker who sends an HTTP/1.0 request with both headers causes Netty to decode the body as chunked while leaving Content-Length intact in the forwarded HttpMessage. Any downstream proxy or handler that trusts Content-Length over Transfer-Encoding will disagree on message boundaries, enabling request smuggling. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's DNS codec does not enforce RFC 1035 domain name constraints during either encoding or decoding. This creates a bidirectional attack surface: malicious DNS responses can exploit the decoder, and user-influenced hostnames can exploit the encoder. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpClientCodec pairs each inbound response with an outbound request by queue.poll() once per response, including for 1xx. If the client pipelines GET then HEAD and the server sends 103, then 200 with GET body, then 200 for HEAD, the queue pairs HEAD with the first 200. The HEAD rule then skips reading that message’s body, so the GET entity bytes stay on the stream and the following 200 is parsed from the wrong offset. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, a remote user can trigger a Denial of Service (DoS) against a Netty HTTP/2 server by sending a flood of `CONTINUATION` frames. The server's lack of a limit on the number of `CONTINUATION` frames, combined with a bypass of existing size-based mitigations using zero-byte frames, allows an user to cause excessive CPU consumption with minimal bandwidth, rendering the server unresponsive. Versions 4.1.132.Final and 4.2.10.Final fix the issue.
CWE-770 Allocation of Resources Without Limits or Throttling
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, Netty incorrectly parses quoted strings in HTTP/1.1 chunked transfer encoding extension values, enabling request smuggling attacks. Versions 4.1.132.Final and 4.2.10.Final fix the issue.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final, when decoding header blocks, the non-Huffman branch of io.netty.handler.codec.http3.QpackDecoder#decodeHuffmanEncodedLiteral may execute new byte[length] for a string literal before verifying that length bytes are actually present in the compressed field section. The wire encoding allows a very large length to be expressed in few bytes. There is no check that length <= in.readableBytes() before new byte[length]. This vulnerability is fixed in 4.2.13.Final.
CWE-789 Memory Allocation with Excessive Size Value, CWE-770 Allocation of Resources Without Limits or Throttling
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Lz4FrameDecoder allocates a ByteBuf of size decompressedLength (up to 32 MB per block) before LZ4 runs. A peer only needs a 21-byte header plus compressedLength payload bytes - 22 bytes if compressedLength == 1 - to force that allocation. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CWE-400 Uncontrolled Resource Consumption, CWE-770 Allocation of Resources Without Limits or Throttling
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty incorrectly parses malformed Transfer-Encoding, enabling request smuggling attacks. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpContentDecompressor accepts a maxAllocation parameter to limit decompression buffer size and prevent decompression bomb attacks. This limit is correctly enforced for gzip and deflate encodings via ZlibDecoder, but is silently ignored when the content encoding is br (Brotli), zstd, or snappy. An attacker can bypass the configured decompression limit by sending a compressed payload with Content-Encoding: br instead of Content-Encoding: gzip, causing unbounded memory allocation and out-of-memory denial of service. The same vulnerability exists in DelegatingDecompressorFrameListener for HTTP/2 connections. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, the MQTT 5 header Properties section is parsed and buffered before any message size limit is applied. Specifically, in MqttDecoder, the decodeVariableHeader() method is called before the bytesRemainingBeforeVariableHeader > maxBytesInMessage check. The decodeVariableHeader() can call other methods which will call decodeProperties(). Effectively, Netty does not apply any limits to the size of the properties being decoded. Additionally, because MqttDecoder extends ReplayingDecoder, Netty will repeatedly re-parse the enormous Properties sections and buffer the bytes in memory, until the entire thing parses to completion. This can cause high resource usage in both CPU and memory. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, the Netty Redis codec encoder (RedisEncoder) writes user-controlled string content directly to the network output buffer without validating or sanitizing CRLF (\r\n) characters. Since the Redis Serialization Protocol (RESP) uses CRLF as the command/response delimiter, an attacker who can control the content of a Redis message can inject arbitrary Redis commands or forge fake responses. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection')
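To make the RESP delimiter problem concrete, here is an added Python example (not Netty's Redis codec): a naive encoder that writes text verbatim into a CRLF-terminated frame, the hardened version that refuses CR/LF, the length-prefixed bulk-string form that is immune by construction, and a small RESP parser that shows how a peer would read the resulting bytes. The function names and the sample injected string are this example's own.

```python
class RespEncodingError(ValueError):
    pass


def encode_simple_string_naive(text: str) -> bytes:
    """Mirrors the flaw described above: the content goes on the wire verbatim
    between the '+' marker and the CRLF terminator, so a CR/LF inside `text`
    ends the frame early and whatever follows is parsed as a new frame."""
    return b"+" + text.encode("utf-8") + b"\r\n"


def _reject_crlf(text: str) -> None:
    if "\r" in text or "\n" in text:
        raise RespEncodingError("CR/LF not allowed in a CRLF-terminated RESP frame")


def encode_simple_string(text: str) -> bytes:
    _reject_crlf(text)
    return b"+" + text.encode("utf-8") + b"\r\n"


def encode_error(text: str) -> bytes:
    _reject_crlf(text)
    return b"-" + text.encode("utf-8") + b"\r\n"


def encode_bulk_string(payload: bytes) -> bytes:
    """Bulk strings are length-prefixed, so arbitrary bytes (CRLF included)
    are unambiguous; this is the right type for untrusted data."""
    return b"$" + str(len(payload)).encode() + b"\r\n" + payload + b"\r\n"


def encode_command(*args: bytes) -> bytes:
    """A Redis command is an array of bulk strings."""
    return b"*" + str(len(args)).encode() + b"\r\n" + b"".join(encode_bulk_string(a) for a in args)


def rejects_crlf(text: str) -> bool:
    """True if the hardened encoder refuses `text` as a simple string."""
    try:
        encode_simple_string(text)
    except RespEncodingError:
        return True
    return False


# --- a minimal RESP parser, used to show how a peer sees the bytes ---

def _read_line(data: bytes, pos: int):
    end = data.index(b"\r\n", pos)
    return data[pos:end], end + 2


def _decode(data: bytes, pos: int):
    kind = data[pos:pos + 1]
    if kind in (b"+", b"-", b":"):
        line, pos = _read_line(data, pos + 1)
        return (kind.decode(), line.decode("utf-8")), pos
    if kind == b"$":
        line, pos = _read_line(data, pos + 1)
        length = int(line)
        if length == -1:
            return ("$", None), pos
        payload = data[pos:pos + length]
        if len(payload) != length or data[pos + length:pos + length + 2] != b"\r\n":
            raise ValueError("malformed bulk string")
        return ("$", payload), pos + length + 2
    if kind == b"*":
        line, pos = _read_line(data, pos + 1)
        items = []
        for _ in range(int(line)):
            item, pos = _decode(data, pos)
            items.append(item)
        return ("*", items), pos
    raise ValueError(f"unknown RESP type byte {kind!r}")


def parse_frames(data: bytes) -> list:
    """Parse every complete frame in `data`, as a Redis client or server would."""
    frames, pos = [], 0
    while pos < len(data):
        frame, pos = _decode(data, pos)
        frames.append(frame)
    return frames


# Constructed sample: attacker-controlled text that a server echoes back as a
# simple string. With the naive encoder the single value becomes two frames.
INJECTED = "OK\r\n-ERR forged error from the server"
```

Run `parse_frames(encode_simple_string_naive(INJECTED))` and two frames come back, the second a forged error; the hardened encoder raises instead. Where the data is untrusted, prefer bulk strings: their length prefix means the peer never has to search for a delimiter.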
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.129.Final and 4.2.8.Final, the `io.netty.handler.codec.http.HttpRequestEncoder` has a CRLF injection with the request URI when constructing a request. This leads to request smuggling when `HttpRequestEncoder` is used without proper sanitization of the URI. Any application / framework using `HttpRequestEncoder` can be subject to be abused to perform request smuggling using CRLF injection. Versions 4.1.129.Final and 4.2.8.Final fix the issue.
CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection')
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's chunk size parser silently overflows int, enabling request smuggling attacks. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling'), CWE-190 Integer Overflow or Wraparound
Netty allows request-line validation to be bypassed when a `DefaultHttpRequest` or `DefaultFullHttpRequest` is created first and its URI is later changed via `setUri()`. The constructors reject CRLF and whitespace characters that would break the start-line, but `setUri()` does not apply the same validation. `HttpRequestEncoder` and `RtspEncoder` then write the URI into the request line verbatim. If attacker-controlled input reaches `setUri()`, this enables CRLF injection and insertion of additional HTTP or RTSP requests, leading to HTTP request smuggling or desynchronization on the HTTP side and request injection on the RTSP side. This issue is fixed in versions 4.2.13.Final and 4.1.133.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling'), CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection')
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's HttpProxyHandler constructs HTTP CONNECT requests with header validation explicitly disabled. The newInitialMessage() method creates headers using DefaultHttpHeadersFactory.headersFactory().withValidation(false), then adds user-provided outboundHeaders without any CRLF validation. This allows an attacker who can influence the outbound headers to inject arbitrary HTTP headers into the CONNECT request sent to the proxy server. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CWE-113 Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')
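The three encoder-side items above (CRLF in the request URI, a `setUri()` that skips the constructor's checks, and CONNECT headers built with validation disabled) share one fix: validate the start-line and every header at the moment the request is serialised, so it does not matter how the object was built or mutated. The Python below is an added example, not Netty's HttpRequestEncoder or HttpProxyHandler; it shows a naive serialiser turning one request into two, the validating serialiser, and a helper that frames the bytes the way a lenient peer would. The sample URI and header are constructed for the example.

```python
import re

_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")   # RFC 9110 tchar
_URI_BAD = re.compile(r"[\x00-\x20\x7f]")                  # CTLs, SP, HT: would split the request line
_VALUE_BAD = re.compile(r"[\x00\r\n]")                     # NUL/CR/LF in a field value


class InvalidRequest(ValueError):
    pass


def encode_request_naive(method: str, uri: str, headers: list) -> bytes:
    """Serialises whatever it is given, like an encoder with validation disabled."""
    lines = [f"{method} {uri} HTTP/1.1"] + [f"{name}: {value}" for name, value in headers]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")


def validate_uri(uri: str) -> None:
    if not uri or _URI_BAD.search(uri):
        raise InvalidRequest("request-target contains whitespace or control characters")


def validate_header(name: str, value: str) -> None:
    if not _TOKEN.match(name):
        raise InvalidRequest(f"invalid header name {name!r}")
    if _VALUE_BAD.search(value):
        raise InvalidRequest(f"CR/LF/NUL in value of header {name!r}")


def encode_request(method: str, uri: str, headers: list) -> bytes:
    """Validation happens here, at serialisation time, so a request whose URI
    or headers were changed after construction cannot bypass it."""
    if not _TOKEN.match(method):
        raise InvalidRequest("invalid method")
    validate_uri(uri)
    for name, value in headers:
        validate_header(name, value)
    return encode_request_naive(method, uri, headers)


def request_lines(raw: bytes) -> list:
    """How a lenient peer frames the bytes: each CRLFCRLF-terminated block is a
    request (bodies ignored here); return the start-line of each block."""
    heads = [h for h in raw.split(b"\r\n\r\n") if h]
    return [h.split(b"\r\n", 1)[0] for h in heads]


def is_accepted(method: str, uri: str, headers: list) -> bool:
    try:
        encode_request(method, uri, headers)
    except InvalidRequest:
        return False
    return True


# Constructed samples: a URI that smuggles a second request, and a header
# value (as might be passed to a CONNECT to a proxy) that injects a header.
SMUGGLED_URI = "/search?q=x HTTP/1.1\r\nHost: victim.example\r\n\r\nGET /admin"
INJECTED_HEADER = ("Proxy-Authorization", "Basic abc\r\nX-Forwarded-For: 127.0.0.1")
```

With the naive encoder, `request_lines(...)` on the smuggled URI returns two start-lines; `encode_request` refuses the same input. The design choice worth copying is that the check lives in the encoder, not in a constructor that a later setter can sidestep.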
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.
Notes: false positive, "io.projectreactor.netty.reactor-netty-core" should not match against "io.netty:netty-all"
file name: sharepoint-online-connector-0.9.0-candidate-4-5-0-SNAPSHOT.war: reactor-netty-core-1.2.10.jar
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpObjectDecoder strips a conflicting Content-Length header when a request carries both Transfer-Encoding: chunked and Content-Length, but only for HTTP/1.1 messages. The guard is absent for HTTP/1.0. An attacker that sends an HTTP/1.0 request with both headers causes Netty to decode the body as chunked while leaving Content-Length intact in the forwarded HttpMessage. Any downstream proxy or handler that trusts Content-Length over Transfer-Encoding will disagree on message boundaries, enabling request smuggling. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's DNS codec does not enforce RFC 1035 domain name constraints during either encoding or decoding. This creates a bidirectional attack surface: malicious DNS responses can exploit the decoder, and user-influenced hostnames can exploit the encoder. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpClientCodec pairs each inbound response with an outbound request by queue.poll() once per response, including for 1xx. If the client pipelines GET then HEAD and the server sends 103, then 200 with GET body, then 200 for HEAD, the queue pairs HEAD with the first 200. The HEAD rule then skips reading that message’s body, so the GET entity bytes stay on the stream and the following 200 is parsed from the wrong offset. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
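The pairing bug above is easiest to see on a byte stream. The Python below is an added example, not HttpClientCodec: a small response framer that takes the queue of request methods and a stream of responses, with a switch between the described behaviour (every response, 1xx included, pops a queued request) and the corrected rule (only a final response pops one). The GET/HEAD scenario and the response bytes are constructed for the example.

```python
from collections import deque


def decode_response_stream(raw: bytes, sent_methods: list, pop_on_interim: bool) -> list:
    """Frame a stream of HTTP/1.1 responses against the queue of request methods
    that produced them. Returns the status codes in the order they were framed;
    -1 marks the point where the decoder lost sync with the byte stream.

    pop_on_interim=True reproduces the behaviour described above (every
    response, 1xx included, consumes a queued request); False is the corrected
    rule, where only a final response consumes one.
    """
    pending = deque(sent_methods)
    seen, pos = [], 0
    while pos < len(raw):
        end = raw.find(b"\r\n\r\n", pos)
        if end == -1:
            break                       # incomplete head: wait for more bytes
        head = raw[pos:end]
        if not head.startswith(b"HTTP/"):
            seen.append(-1)             # a body was mistaken for a status line
            break
        status = int(head.split(b" ", 2)[1])
        interim = 100 <= status < 200
        if not pending:
            seen.append(-1)             # more responses than requests: desynchronised
            break
        method = pending.popleft() if (pop_on_interim or not interim) else pending[0]
        content_length = 0
        for line in head.split(b"\r\n")[1:]:
            name, _, value = line.partition(b":")
            if name.strip().lower() == b"content-length":
                content_length = int(value.strip())
        # HEAD responses and interim responses carry no body even if they
        # advertise a Content-Length (RFC 9112 section 6.3).
        has_body = not interim and method != "HEAD" and status not in (204, 304)
        seen.append(status)
        pos = end + 4 + (content_length if has_body else 0)
    return seen


# Constructed sample: the server answers GET with 103 then 200 (5-byte body),
# and HEAD with a body-less 200 that still advertises Content-Length.
SENT = ["GET", "HEAD"]
STREAM = (
    b"HTTP/1.1 103 Early Hints\r\nLink: </style.css>; rel=preload\r\n\r\n"
    b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"
    b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\n"
)
```

With `pop_on_interim=True` the 103 consumes GET, the first 200 is paired with HEAD and its body is skipped, and the decoder then tries to parse `hello` as a status line (returned as -1). With `False` the three responses frame cleanly as 103, 200, 200.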
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, a remote user can trigger a Denial of Service (DoS) against a Netty HTTP/2 server by sending a flood of `CONTINUATION` frames. The server's lack of a limit on the number of `CONTINUATION` frames, combined with a bypass of existing size-based mitigations using zero-byte frames, allows a user to cause excessive CPU consumption with minimal bandwidth, rendering the server unresponsive. Versions 4.1.132.Final and 4.2.10.Final fix the issue.
CWE-770 Allocation of Resources Without Limits or Throttling
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, Netty incorrectly parses quoted strings in HTTP/1.1 chunked transfer encoding extension values, enabling request smuggling attacks. Versions 4.1.132.Final and 4.2.10.Final fix the issue.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
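Four of the items above are decoder-side framing bugs in HTTP/1.x chunked transfer coding: malformed Transfer-Encoding values, a chunk-size parser that wraps a Java int, a Content-Length that survives next to Transfer-Encoding when the request says HTTP/1.0, and quoted strings in chunk extensions. The Python below is an added example (not HttpObjectDecoder) that handles all four in one place: a lenient chunk-size reader that shows the 32-bit wraparound, a strict chunk-size line parser with a bounded size and an RFC 9112 chunk-ext tokeniser that treats quoted strings correctly, and a body-framing decision that ignores the HTTP version. `MAX_CHUNK_SIZE` and the sample header set are this example's own.

```python
import re

MAX_CHUNK_SIZE = 1 << 24   # hypothetical cap on one chunk (16 MiB)
_TOKEN = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")   # RFC 9110 tchar


class FramingError(ValueError):
    pass


def java_int(n: int) -> int:
    """Truncate to a signed 32-bit value, as a Java int accumulator does."""
    n &= 0xFFFFFFFF
    return n - (1 << 32) if n & 0x80000000 else n


def parse_chunk_size_naive(line: bytes) -> int:
    """Lenient reading: hex digits before ';' accumulated into a 32-bit int,
    so 0x100000000 silently becomes 0 and 0x80000000 becomes negative."""
    return java_int(int(line.split(b";", 1)[0].strip(), 16))


def _skip_bws(s: bytes, pos: int) -> int:
    while pos < len(s) and s[pos] in b" \t":
        pos += 1
    return pos


def _read_quoted(s: bytes, pos: int) -> tuple:
    """Body of a quoted-string after the opening quote: ';' inside is data,
    backslash escapes the next byte, controls are rejected, EOF is an error."""
    out = bytearray()
    while pos < len(s):
        c, pos = s[pos], pos + 1
        if c == 0x22:                       # closing '"'
            return pos, bytes(out)
        if c == 0x5C and pos < len(s):      # quoted-pair
            c, pos = s[pos], pos + 1
        if c < 0x20 or c == 0x7F:
            raise FramingError("control character in quoted-string")
        out.append(c)
    raise FramingError("unterminated quoted-string in chunk extension")


def parse_chunk_extensions(ext: bytes) -> list:
    """chunk-ext = *( BWS ";" BWS name [ BWS "=" BWS ( token / quoted-string ) ] )"""
    exts, pos = [], _skip_bws(ext, 0)
    while pos < len(ext):
        if ext[pos] != 0x3B:                # ';'
            raise FramingError("junk after chunk size")
        pos = start = _skip_bws(ext, pos + 1)
        while pos < len(ext) and ext[pos] not in b"=; \t":
            pos += 1
        name, value = ext[start:pos], None
        if not _TOKEN.match(name):
            raise FramingError("invalid chunk-ext-name")
        pos = _skip_bws(ext, pos)
        if pos < len(ext) and ext[pos] == 0x3D:   # '='
            pos = _skip_bws(ext, pos + 1)
            if pos < len(ext) and ext[pos] == 0x22:
                pos, value = _read_quoted(ext, pos + 1)
            else:
                start = pos
                while pos < len(ext) and ext[pos] not in b"; \t":
                    pos += 1
                value = ext[start:pos]
                if not _TOKEN.match(value):
                    raise FramingError("invalid chunk-ext-val")
            pos = _skip_bws(ext, pos)
        exts.append((name, value))
    return exts


def parse_chunk_size(line: bytes, max_size: int = MAX_CHUNK_SIZE) -> tuple:
    """Strict chunk-size line (without its CRLF): returns (size, extensions).
    The size is bounded before use instead of being allowed to wrap."""
    m = re.match(rb"[0-9A-Fa-f]+", line)
    if not m:
        raise FramingError("chunk size must start with hex digits")
    size = int(m.group(0), 16)
    if size > max_size:
        raise FramingError(f"chunk size {size:#x} exceeds {max_size:#x}")
    return size, parse_chunk_extensions(line[m.end():])


def body_framing(headers: list) -> str:
    """Pick the body delimiter from the headers alone: the HTTP version on the
    request line must not change this decision, which is where the HTTP/1.0
    bypass described above lived."""
    te = [v for n, v in headers if n.lower() == "transfer-encoding"]
    cl = [v for n, v in headers if n.lower() == "content-length"]
    if te and cl:
        # RFC 9112 section 6.3 allows rejecting, or honouring TE and dropping
        # CL; rejecting is the option that cannot leave a stale CL behind.
        raise FramingError("both Transfer-Encoding and Content-Length present")
    if te:
        codings = [c.strip().lower() for v in te for c in v.split(",")]
        if "" in codings or codings.count("chunked") != 1 or codings[-1] != "chunked":
            raise FramingError(f"malformed Transfer-Encoding {te!r}")
        return "chunked"
    if cl:
        if len(set(cl)) != 1 or not re.fullmatch(r"[0-9]+", cl[0].strip()):
            raise FramingError(f"malformed Content-Length {cl!r}")
        return f"length:{int(cl[0])}"
    return "none"


# Constructed sample: the HTTP/1.0 request described above, carrying both
# headers; the version is not an input to body_framing, so it is rejected.
AMBIGUOUS_HEADERS = [("Host", "app.example"), ("Transfer-Encoding", "chunked"), ("Content-Length", "5")]
```

`parse_chunk_size_naive(b"100000000")` returns 0 and `b"80000000"` goes negative, which is the wraparound the chunk-size item describes; `parse_chunk_size` rejects both against the cap before any buffer is sized from them. When a proxy sits in front of the parser, the useful property of `body_framing` is that a request it rejects is never forwarded with headers the next hop could read differently.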
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final, when decoding header blocks, the non-Huffman branch of io.netty.handler.codec.http3.QpackDecoder#decodeHuffmanEncodedLiteral may execute new byte[length] for a string literal before verifying that length bytes are actually present in the compressed field section. The wire encoding allows a very large length to be expressed in few bytes. There is no check that length <= in.readableBytes() before new byte[length]. This vulnerability is fixed in 4.2.13.Final.
CWE-789 Memory Allocation with Excessive Size Value, CWE-770 Allocation of Resources Without Limits or Throttling
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Lz4FrameDecoder allocates a ByteBuf of size decompressedLength (up to 32 MB per block) before LZ4 runs. A peer only needs a 21-byte header plus compressedLength payload bytes - 22 bytes if compressedLength == 1 - to force that allocation. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CWE-400 Uncontrolled Resource Consumption, CWE-770 Allocation of Resources Without Limits or Throttling
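The DNS codec item above, and the QPACK and LZ4 items just before it, come down to the same check: a length declared on the wire must be compared with the bytes actually present and with a hard protocol limit before it is used to read or allocate anything. The Python below is an added example, not Netty's DNS codec: an RFC 1035 name decoder that enforces the 63-octet label and 255-octet name limits, checks every label against the end of the message before slicing, and refuses compression pointers that do not point backwards or that it has already followed, plus the matching encoder for user-influenced hostnames. The sample response and the two malformed inputs are constructed for the example.

```python
MAX_LABEL = 63    # RFC 1035 section 2.3.4
MAX_NAME = 255    # RFC 1035 section 2.3.4: wire length, length octets and root included


class DnsNameError(ValueError):
    pass


def decode_name(msg: bytes, offset: int) -> tuple:
    """Decode a (possibly compressed) name at `offset` and return
    (name, offset just past the name as it appears at `offset`).

    Every declared label length is checked against the bytes actually present
    before any slice is taken, the total wire length is capped at 255, and
    compression pointers must point strictly backwards and are never followed
    twice, so a crafted response cannot cause over-reads or loops.
    """
    labels, wire_len, pos, end, followed = [], 0, offset, None, set()
    while True:
        if pos >= len(msg):
            raise DnsNameError("name runs past end of message")
        length = msg[pos]
        if length & 0xC0 == 0xC0:                          # compression pointer
            if pos + 1 >= len(msg):
                raise DnsNameError("truncated compression pointer")
            target = ((length & 0x3F) << 8) | msg[pos + 1]
            if end is None:
                end = pos + 2
            if target >= pos or pos in followed:
                raise DnsNameError("compression pointer not backwards, or loop")
            followed.add(pos)
            pos = target
            continue
        if length & 0xC0:
            raise DnsNameError("reserved label type")       # 0x40 / 0x80 prefixes
        wire_len += 1 + length
        if wire_len > MAX_NAME:
            raise DnsNameError("name exceeds 255 octets")
        if length == 0:                                     # root label
            if end is None:
                end = pos + 1
            return ".".join(labels), end
        if pos + 1 + length > len(msg):
            raise DnsNameError("label length exceeds available bytes")
        labels.append(msg[pos + 1:pos + 1 + length].decode("latin-1"))
        pos += 1 + length


def encode_name(name: str) -> bytes:
    """Encode a host name, enforcing the same limits on the outbound side so a
    user-influenced name cannot produce an illegal label or an oversize name."""
    if name in ("", "."):
        return b"\x00"
    out = bytearray()
    for label in name.rstrip(".").split("."):
        if not label:
            raise DnsNameError("empty label")
        if not label.isascii():
            raise DnsNameError("non-ASCII label (IDNA must be applied first)")
        raw = label.encode("ascii")
        if len(raw) > MAX_LABEL:
            raise DnsNameError(f"label longer than {MAX_LABEL} octets")
        out += bytes([len(raw)]) + raw
    out += b"\x00"
    if len(out) > MAX_NAME:
        raise DnsNameError(f"name longer than {MAX_NAME} octets")
    return bytes(out)


# Constructed sample response: question example.com/A at offset 12, answer
# whose name is a pointer (0xC00C) back to that question name.
RESPONSE = (
    b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"                  # header
    b"\x07example\x03com\x00\x00\x01\x00\x01"                             # question
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04\x5d\xb8\xd8\x22"   # answer
)
# Constructed malformed inputs.
OVERREAD = b"\x3fabc"         # declares a 63-octet label, supplies 3
LOOP = b"\x01a\xc0\x00"       # one label, then a pointer back to offset 0
```

`decode_name(RESPONSE, 29)` follows the pointer and returns the same name as `decode_name(RESPONSE, 12)`, with the returned offset advanced past the 2-byte pointer rather than past the question name. The `pos + 1 + length > len(msg)` test is the one the QPACK and LZ4 items above lacked: it runs before the slice, and in a language with explicit allocation it must run before `new byte[length]` or the equivalent buffer allocation.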
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/io.netty/netty-transport-classes-epoll/4.1.126.Final/c518513a1c7bdaf67462a1062b873a04fbf2b157/netty-transport-classes-epoll-4.1.126.Final.jar MD5: 123d48e51696efa02bfdbd0c83c04ac9 SHA1: c518513a1c7bdaf67462a1062b873a04fbf2b157 SHA256: d7e0684969dad68e224e4fbf3e8e0de6b5191b25d820f8d6ae05201c70b33654 Referenced In Project/Scope: server-start:runtimeClasspath netty-transport-classes-epoll-4.1.126.Final.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified
Notes: false positive, "io.projectreactor.netty.reactor-netty-core" should not match against "io.netty:netty-all"
file name: sharepoint-online-connector-0.9.0-candidate-4-5-0-SNAPSHOT.war: reactor-netty-core-1.2.10.jar
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpObjectDecoder strips a conflicting Content-Length header when a request carries both Transfer-Encoding: chunked and Content-Length, but only for HTTP/1.1 messages. The guard is absent for HTTP/1.0. An attacker that sends an HTTP/1.0 request with both headers causes Netty to decode the body as chunked while leaving Content-Length intact in the forwarded HttpMessage. Any downstream proxy or handler that trusts Content-Length over Transfer-Encoding will disagree on message boundaries, enabling request smuggling. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's DNS codec does not enforce RFC 1035 domain name constraints during either encoding or decoding. This creates a bidirectional attack surface: malicious DNS responses can exploit the decoder, and user-influenced hostnames can exploit the encoder. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpClientCodec pairs each inbound response with an outbound request by queue.poll() once per response, including for 1xx. If the client pipelines GET then HEAD and the server sends 103, then 200 with GET body, then 200 for HEAD, the queue pairs HEAD with the first 200. The HEAD rule then skips reading that message’s body, so the GET entity bytes stay on the stream and the following 200 is parsed from the wrong offset. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, a remote user can trigger a Denial of Service (DoS) against a Netty HTTP/2 server by sending a flood of `CONTINUATION` frames. The server's lack of a limit on the number of `CONTINUATION` frames, combined with a bypass of existing size-based mitigations using zero-byte frames, allows a user to cause excessive CPU consumption with minimal bandwidth, rendering the server unresponsive. Versions 4.1.132.Final and 4.2.10.Final fix the issue.
CWE-770 Allocation of Resources Without Limits or Throttling
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, Netty incorrectly parses quoted strings in HTTP/1.1 chunked transfer encoding extension values, enabling request smuggling attacks. Versions 4.1.132.Final and 4.2.10.Final fix the issue.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final, when decoding header blocks, the non-Huffman branch of io.netty.handler.codec.http3.QpackDecoder#decodeHuffmanEncodedLiteral may execute new byte[length] for a string literal before verifying that length bytes are actually present in the compressed field section. The wire encoding allows a very large length to be expressed in few bytes. There is no check that length <= in.readableBytes() before new byte[length]. This vulnerability is fixed in 4.2.13.Final.
CWE-789 Memory Allocation with Excessive Size Value, CWE-770 Allocation of Resources Without Limits or Throttling
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Lz4FrameDecoder allocates a ByteBuf of size decompressedLength (up to 32 MB per block) before LZ4 runs. A peer only needs a 21-byte header plus compressedLength payload bytes - 22 bytes if compressedLength == 1 - to force that allocation. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CWE-400 Uncontrolled Resource Consumption, CWE-770 Allocation of Resources Without Limits or Throttling
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty incorrectly parses malformed Transfer-Encoding, enabling request smuggling attacks. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpContentDecompressor accepts a maxAllocation parameter to limit decompression buffer size and prevent decompression bomb attacks. This limit is correctly enforced for gzip and deflate encodings via ZlibDecoder, but is silently ignored when the content encoding is br (Brotli), zstd, or snappy. An attacker can bypass the configured decompression limit by sending a compressed payload with Content-Encoding: br instead of Content-Encoding: gzip, causing unbounded memory allocation and out-of-memory denial of service. The same vulnerability exists in DelegatingDecompressorFrameListener for HTTP/2 connections. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, the MQTT 5 header Properties section is parsed and buffered before any message size limit is applied. Specifically, in MqttDecoder, the decodeVariableHeader() method is called before the bytesRemainingBeforeVariableHeader > maxBytesInMessage check. The decodeVariableHeader() can call other methods which will call decodeProperties(). Effectively, Netty does not apply any limits to the size of the properties being decoded. Additionally, because MqttDecoder extends ReplayingDecoder, Netty will repeatedly re-parse the enormous Properties sections and buffer the bytes in memory, until the entire thing parses to completion. This can cause high resource usage in both CPU and memory. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, the Netty Redis codec encoder (RedisEncoder) writes user-controlled string content directly to the network output buffer without validating or sanitizing CRLF (\r\n) characters. Since the Redis Serialization Protocol (RESP) uses CRLF as the command/response delimiter, an attacker who can control the content of a Redis message can inject arbitrary Redis commands or forge fake responses. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection')
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.129.Final and 4.2.8.Final, the `io.netty.handler.codec.http.HttpRequestEncoder` has a CRLF injection with the request URI when constructing a request. This leads to request smuggling when `HttpRequestEncoder` is used without proper sanitization of the URI. Any application or framework using `HttpRequestEncoder` can be abused to perform request smuggling using CRLF injection. Versions 4.1.129.Final and 4.2.8.Final fix the issue.
CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection')
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's chunk size parser silently overflows int, enabling request smuggling attacks. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling'), CWE-190 Integer Overflow or Wraparound
Netty allows request-line validation to be bypassed when a `DefaultHttpRequest` or `DefaultFullHttpRequest` is created first and its URI is later changed via `setUri()`. The constructors reject CRLF and whitespace characters that would break the start-line, but `setUri()` does not apply the same validation. `HttpRequestEncoder` and `RtspEncoder` then write the URI into the request line verbatim. If attacker-controlled input reaches `setUri()`, this enables CRLF injection and insertion of additional HTTP or RTSP requests, leading to HTTP request smuggling or desynchronization on the HTTP side and request injection on the RTSP side. This issue is fixed in versions 4.2.13.Final and 4.1.133.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling'), CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection')
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's HttpProxyHandler constructs HTTP CONNECT requests with header validation explicitly disabled. The newInitialMessage() method creates headers using DefaultHttpHeadersFactory.headersFactory().withValidation(false), then adds user-provided outboundHeaders without any CRLF validation. This allows an attacker who can influence the outbound headers to inject arbitrary HTTP headers into the CONNECT request sent to the proxy server. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CWE-113 Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.
File Path: /builds/transconnect/product/server/.gradle.userhome/caches/modules-2/files-2.1/io.netty/netty-transport-native-epoll/4.1.126.Final/53309e2477909db42957fac5b103b86fc709789c/netty-transport-native-epoll-4.1.126.Final-linux-x86_64.jar MD5: 90f058169bb47367be1268ec8d093acd SHA1: 53309e2477909db42957fac5b103b86fc709789c SHA256: 4ea5268f375d01f494dad06ba45f47953d5c4648a16f1b89c8a04358064d3690 Referenced In Project/Scope: server-start:runtimeClasspath netty-transport-native-epoll-4.1.126.Final-linux-x86_64.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/TRANSCONNECT.backend/server@unspecified
Notes: false positive, "io.projectreactor.netty.reactor-netty-core" should not match against "io.netty:netty-all"
file name: sharepoint-online-connector-0.9.0-candidate-4-5-0-SNAPSHOT.war: reactor-netty-core-1.2.10.jar
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpObjectDecoder strips a conflicting Content-Length header when a request carries both Transfer-Encoding: chunked and Content-Length, but only for HTTP/1.1 messages. The guard is absent for HTTP/1.0. An attacker that sends an HTTP/1.0 request with both headers causes Netty to decode the body as chunked while leaving Content-Length intact in the forwarded HttpMessage. Any downstream proxy or handler that trusts Content-Length over Transfer-Encoding will disagree on message boundaries, enabling request smuggling. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's DNS codec does not enforce RFC 1035 domain name constraints during either encoding or decoding. This creates a bidirectional attack surface: malicious DNS responses can exploit the decoder, and user-influenced hostnames can exploit the encoder. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpClientCodec pairs each inbound response with an outbound request by queue.poll() once per response, including for 1xx. If the client pipelines GET then HEAD and the server sends 103, then 200 with GET body, then 200 for HEAD, the queue pairs HEAD with the first 200. The HEAD rule then skips reading that message’s body, so the GET entity bytes stay on the stream and the following 200 is parsed from the wrong offset. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, a remote user can trigger a Denial of Service (DoS) against a Netty HTTP/2 server by sending a flood of `CONTINUATION` frames. The server's lack of a limit on the number of `CONTINUATION` frames, combined with a bypass of existing size-based mitigations using zero-byte frames, allows a user to cause excessive CPU consumption with minimal bandwidth, rendering the server unresponsive. Versions 4.1.132.Final and 4.2.10.Final fix the issue.
CWE-770 Allocation of Resources Without Limits or Throttling
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, Netty incorrectly parses quoted strings in HTTP/1.1 chunked transfer encoding extension values, enabling request smuggling attacks. Versions 4.1.132.Final and 4.2.10.Final fix the issue.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final, when decoding header blocks, the non-Huffman branch of io.netty.handler.codec.http3.QpackDecoder#decodeHuffmanEncodedLiteral may execute new byte[length] for a string literal before verifying that length bytes are actually present in the compressed field section. The wire encoding allows a very large length to be expressed in few bytes. There is no check that length <= in.readableBytes() before new byte[length]. This vulnerability is fixed in 4.2.13.Final.
CWE-789 Memory Allocation with Excessive Size Value, CWE-770 Allocation of Resources Without Limits or Throttling
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Lz4FrameDecoder allocates a ByteBuf of size decompressedLength (up to 32 MB per block) before LZ4 runs. A peer only needs a 21-byte header plus compressedLength payload bytes - 22 bytes if compressedLength == 1 - to force that allocation. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CWE-400 Uncontrolled Resource Consumption, CWE-770 Allocation of Resources Without Limits or Throttling
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty incorrectly parses malformed Transfer-Encoding, enabling request smuggling attacks. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpContentDecompressor accepts a maxAllocation parameter to limit decompression buffer size and prevent decompression bomb attacks. This limit is correctly enforced for gzip and deflate encodings via ZlibDecoder, but is silently ignored when the content encoding is br (Brotli), zstd, or snappy. An attacker can bypass the configured decompression limit by sending a compressed payload with Content-Encoding: br instead of Content-Encoding: gzip, causing unbounded memory allocation and out-of-memory denial of service. The same vulnerability exists in DelegatingDecompressorFrameListener for HTTP/2 connections. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, the MQTT 5 header Properties section is parsed and buffered before any message size limit is applied. Specifically, in MqttDecoder, the decodeVariableHeader() method is called before the bytesRemainingBeforeVariableHeader > maxBytesInMessage check. The decodeVariableHeader() can call other methods which will call decodeProperties(). Effectively, Netty does not apply any limits to the size of the properties being decoded. Additionally, because MqttDecoder extends ReplayingDecoder, Netty will repeatedly re-parse the enormous Properties sections and buffer the bytes in memory, until the entire thing parses to completion. This can cause high resource usage in both CPU and memory. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, the Netty Redis codec encoder (RedisEncoder) writes user-controlled string content directly to the network output buffer without validating or sanitizing CRLF (\r\n) characters. Since the Redis Serialization Protocol (RESP) uses CRLF as the command/response delimiter, an attacker who can control the content of a Redis message can inject arbitrary Redis commands or forge fake responses. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection')
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.129.Final and 4.2.8.Final, the `io.netty.handler.codec.http.HttpRequestEncoder` has a CRLF injection with the request URI when constructing a request. This leads to request smuggling when `HttpRequestEncoder` is used without proper sanitization of the URI. Any application or framework using `HttpRequestEncoder` can be abused to perform request smuggling using CRLF injection. Versions 4.1.129.Final and 4.2.8.Final fix the issue.
CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection')
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's chunk size parser silently overflows int, enabling request smuggling attacks. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling'), CWE-190 Integer Overflow or Wraparound
Netty allows request-line validation to be bypassed when a `DefaultHttpRequest` or `DefaultFullHttpRequest` is created first and its URI is later changed via `setUri()`. The constructors reject CRLF and whitespace characters that would break the start-line, but `setUri()` does not apply the same validation. `HttpRequestEncoder` and `RtspEncoder` then write the URI into the request line verbatim. If attacker-controlled input reaches `setUri()`, this enables CRLF injection and insertion of additional HTTP or RTSP requests, leading to HTTP request smuggling or desynchronization on the HTTP side and request injection on the RTSP side. This issue is fixed in versions 4.2.13.Final and 4.1.133.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling'), CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection')
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's HttpProxyHandler constructs HTTP CONNECT requests with header validation explicitly disabled. The newInitialMessage() method creates headers using DefaultHttpHeadersFactory.headersFactory().withValidation(false), then adds user-provided outboundHeaders without any CRLF validation. This allows an attacker who can influence the outbound headers to inject arbitrary HTTP headers into the CONNECT request sent to the proxy server. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CWE-113 Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')
Notes: false positive, "io.projectreactor.netty.reactor-netty-core" should not match against "io.netty:netty-all"
file name: sharepoint-online-connector-0.9.0-candidate-4-5-0-SNAPSHOT.war: reactor-netty-core-1.2.10.jar
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpObjectDecoder strips a conflicting Content-Length header when a request carries both Transfer-Encoding: chunked and Content-Length, but only for HTTP/1.1 messages. The guard is absent for HTTP/1.0. An attacker that sends an HTTP/1.0 request with both headers causes Netty to decode the body as chunked while leaving Content-Length intact in the forwarded HttpMessage. Any downstream proxy or handler that trusts Content-Length over Transfer-Encoding will disagree on message boundaries, enabling request smuggling. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's DNS codec does not enforce RFC 1035 domain name constraints during either encoding or decoding. This creates a bidirectional attack surface: malicious DNS responses can exploit the decoder, and user-influenced hostnames can exploit the encoder. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpClientCodec pairs each inbound response with an outbound request by queue.poll() once per response, including for 1xx. If the client pipelines GET then HEAD and the server sends 103, then 200 with GET body, then 200 for HEAD, the queue pairs HEAD with the first 200. The HEAD rule then skips reading that message’s body, so the GET entity bytes stay on the stream and the following 200 is parsed from the wrong offset. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, a remote user can trigger a Denial of Service (DoS) against a Netty HTTP/2 server by sending a flood of `CONTINUATION` frames. The server's lack of a limit on the number of `CONTINUATION` frames, combined with a bypass of existing size-based mitigations using zero-byte frames, allows a user to cause excessive CPU consumption with minimal bandwidth, rendering the server unresponsive. Versions 4.1.132.Final and 4.2.10.Final fix the issue.
CWE-770 Allocation of Resources Without Limits or Throttling
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, Netty incorrectly parses quoted strings in HTTP/1.1 chunked transfer encoding extension values, enabling request smuggling attacks. Versions 4.1.132.Final and 4.2.10.Final fix the issue.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final, when decoding header blocks, the non-Huffman branch of io.netty.handler.codec.http3.QpackDecoder#decodeHuffmanEncodedLiteral may execute new byte[length] for a string literal before verifying that length bytes are actually present in the compressed field section. The wire encoding allows a very large length to be expressed in few bytes. There is no check that length <= in.readableBytes() before new byte[length]. This vulnerability is fixed in 4.2.13.Final.
CWE-789 Memory Allocation with Excessive Size Value, CWE-770 Allocation of Resources Without Limits or Throttling
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Lz4FrameDecoder allocates a ByteBuf of size decompressedLength (up to 32 MB per block) before LZ4 runs. A peer only needs a 21-byte header plus compressedLength payload bytes - 22 bytes if compressedLength == 1 - to force that allocation. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CWE-400 Uncontrolled Resource Consumption, CWE-770 Allocation of Resources Without Limits or Throttling
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty incorrectly parses malformed Transfer-Encoding, enabling request smuggling attacks. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpContentDecompressor accepts a maxAllocation parameter to limit decompression buffer size and prevent decompression bomb attacks. This limit is correctly enforced for gzip and deflate encodings via ZlibDecoder, but is silently ignored when the content encoding is br (Brotli), zstd, or snappy. An attacker can bypass the configured decompression limit by sending a compressed payload with Content-Encoding: br instead of Content-Encoding: gzip, causing unbounded memory allocation and out-of-memory denial of service. The same vulnerability exists in DelegatingDecompressorFrameListener for HTTP/2 connections. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, the MQTT 5 header Properties section is parsed and buffered before any message size limit is applied. Specifically, in MqttDecoder, the decodeVariableHeader() method is called before the bytesRemainingBeforeVariableHeader > maxBytesInMessage check. The decodeVariableHeader() can call other methods which will call decodeProperties(). Effectively, Netty does not apply any limits to the size of the properties being decoded. Additionally, because MqttDecoder extends ReplayingDecoder, Netty will repeatedly re-parse the enormous Properties sections and buffer the bytes in memory, until the entire thing parses to completion. This can cause high resource usage in both CPU and memory. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, the Netty Redis codec encoder (RedisEncoder) writes user-controlled string content directly to the network output buffer without validating or sanitizing CRLF (\r\n) characters. Since the Redis Serialization Protocol (RESP) uses CRLF as the command/response delimiter, an attacker who can control the content of a Redis message can inject arbitrary Redis commands or forge fake responses. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection')
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.129.Final and 4.2.8.Final, the `io.netty.handler.codec.http.HttpRequestEncoder` has a CRLF injection with the request URI when constructing a request. This leads to request smuggling when `HttpRequestEncoder` is used without proper sanitization of the URI. Any application or framework using `HttpRequestEncoder` can be abused to perform request smuggling using CRLF injection. Versions 4.1.129.Final and 4.2.8.Final fix the issue.
CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection')
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's chunk size parser silently overflows int, enabling request smuggling attacks. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling'), CWE-190 Integer Overflow or Wraparound
Netty allows request-line validation to be bypassed when a `DefaultHttpRequest` or `DefaultFullHttpRequest` is created first and its URI is later changed via `setUri()`. The constructors reject CRLF and whitespace characters that would break the start-line, but `setUri()` does not apply the same validation. `HttpRequestEncoder` and `RtspEncoder` then write the URI into the request line verbatim. If attacker-controlled input reaches `setUri()`, this enables CRLF injection and insertion of additional HTTP or RTSP requests, leading to HTTP request smuggling or desynchronization on the HTTP side and request injection on the RTSP side. This issue is fixed in versions 4.2.13.Final and 4.1.133.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling'), CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection')
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's HttpProxyHandler constructs HTTP CONNECT requests with header validation explicitly disabled. The newInitialMessage() method creates headers using DefaultHttpHeadersFactory.headersFactory().withValidation(false), then adds user-provided outboundHeaders without any CRLF validation. This allows an attacker who can influence the outbound headers to inject arbitrary HTTP headers into the CONNECT request sent to the proxy server. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CWE-113 Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')
Notes: false positive, it probably matches against the JavaScript vector that is affected up to version 3.3.1.
However, we are not using this component.
file name: sharepoint-online-connector-0.9.0-candidate-4-5-0-SNAPSHOT.war: azure-identity-1.18.1.jar
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.
Notes: false positive, "io.projectreactor.netty.reactor-netty-core" should not match against "io.netty:netty-all"
file name: sharepoint-online-connector-0.9.0-candidate-4-5-0-SNAPSHOT.war: reactor-netty-core-1.2.10.jar
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpObjectDecoder strips a conflicting Content-Length header when a request carries both Transfer-Encoding: chunked and Content-Length, but only for HTTP/1.1 messages. The guard is absent for HTTP/1.0. An attacker that sends an HTTP/1.0 request with both headers causes Netty to decode the body as chunked while leaving Content-Length intact in the forwarded HttpMessage. Any downstream proxy or handler that trusts Content-Length over Transfer-Encoding will disagree on message boundaries, enabling request smuggling. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's DNS codec does not enforce RFC 1035 domain name constraints during either encoding or decoding. This creates a bidirectional attack surface: malicious DNS responses can exploit the decoder, and user-influenced hostnames can exploit the encoder. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpClientCodec pairs each inbound response with an outbound request by queue.poll() once per response, including for 1xx. If the client pipelines GET then HEAD and the server sends 103, then 200 with GET body, then 200 for HEAD, the queue pairs HEAD with the first 200. The HEAD rule then skips reading that message’s body, so the GET entity bytes stay on the stream and the following 200 is parsed from the wrong offset. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
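The response pairing problem above, as an added example (illustrative Python, not Netty's HttpClientCodec): a pipelined client that maps each response head to the pending request method. With `poll_on_1xx=True` an interim 103 consumes the GET's queue entry, the 200 with the GET body is paired with HEAD, its body is skipped and the next status line is read from the middle of the entity. With `poll_on_1xx=False` the entry stays until the final response. The server byte stream and the `DesyncError` type are constructed for the demonstration.

```python
# Added example (not Netty code): request/response pairing for a pipelined client.
from collections import deque


class DesyncError(Exception):
    """Raised when the stream no longer lines up with a status line."""


def pair_responses(stream: bytes, methods, poll_on_1xx: bool):
    """Return [(status, method, body), ...] as the client would deliver them."""
    queue = deque(methods)
    delivered = []
    pos = 0
    while pos < len(stream):
        head_end = stream.find(b"\r\n\r\n", pos)
        if head_end < 0:
            raise DesyncError("incomplete response head")
        head = stream[pos:head_end].decode("latin-1").split("\r\n")
        if not head[0].startswith("HTTP/"):
            raise DesyncError("status line parsed from wrong offset: %r" % head[0][:40])
        status = int(head[0].split(" ")[1])
        headers = {}
        for line in head[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        pos = head_end + 4
        # 1xx other than 101 is interim: the same request still awaits its final response.
        interim = 100 <= status < 200 and status != 101
        if interim and not poll_on_1xx:
            method = queue[0]                 # peek, do not consume
        else:
            if not queue:
                raise DesyncError("response with no pending request")
            method = queue.popleft()
        # No body for interim responses, HEAD, 204 and 304, whatever Content-Length says.
        if interim or method == "HEAD" or status in (204, 304):
            body = b""
        else:
            n = int(headers.get("content-length", "0"))
            body = stream[pos:pos + n]
            pos += n
        delivered.append((status, method, body))
    return delivered


def desynchronises(stream: bytes, methods, poll_on_1xx: bool) -> bool:
    """True when pairing under the given rule loses track of message boundaries."""
    try:
        pair_responses(stream, methods, poll_on_1xx)
        return False
    except DesyncError:
        return True


# Constructed server stream for the pipelined pair GET then HEAD: an interim 103
# for the GET, the GET's 200 with a 5-byte body, then the HEAD's 200 with a
# Content-Length but (correctly) no body bytes on the wire.
STREAM = (b"HTTP/1.1 103 Early Hints\r\nLink: </style.css>; rel=preload\r\n\r\n"
          b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"
          b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\n")
```

With the correct rule the client delivers `(103, GET)`, `(200, GET, b"hello")` and `(200, HEAD, b"")`; with the vulnerable rule the HEAD response is read from inside `hello` and the parser fails, which in a real client means the following response on the connection is attributed to the wrong request.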
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, a remote user can trigger a Denial of Service (DoS) against a Netty HTTP/2 server by sending a flood of `CONTINUATION` frames. The server's lack of a limit on the number of `CONTINUATION` frames, combined with a bypass of existing size-based mitigations using zero-byte frames, allows a user to cause excessive CPU consumption with minimal bandwidth, rendering the server unresponsive. Versions 4.1.132.Final and 4.2.10.Final fix the issue.
CWE-770 Allocation of Resources Without Limits or Throttling
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, Netty incorrectly parses quoted strings in HTTP/1.1 chunked transfer encoding extension values, enabling request smuggling attacks. Versions 4.1.132.Final and 4.2.10.Final fix the issue.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final, when decoding header blocks, the non-Huffman branch of io.netty.handler.codec.http3.QpackDecoder#decodeHuffmanEncodedLiteral may execute new byte[length] for a string literal before verifying that length bytes are actually present in the compressed field section. The wire encoding allows a very large length to be expressed in few bytes. There is no check that length <= in.readableBytes() before new byte[length]. This vulnerability is fixed in 4.2.13.Final.
CWE-789 Memory Allocation with Excessive Size Value, CWE-770 Allocation of Resources Without Limits or Throttling
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Lz4FrameDecoder allocates a ByteBuf of size decompressedLength (up to 32 MB per block) before LZ4 runs. A peer only needs a 21-byte header plus compressedLength payload bytes - 22 bytes if compressedLength == 1 - to force that allocation. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CWE-400 Uncontrolled Resource Consumption, CWE-770 Allocation of Resources Without Limits or Throttling
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty incorrectly parses malformed Transfer-Encoding, enabling request smuggling attacks. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpContentDecompressor accepts a maxAllocation parameter to limit decompression buffer size and prevent decompression bomb attacks. This limit is correctly enforced for gzip and deflate encodings via ZlibDecoder, but is silently ignored when the content encoding is br (Brotli), zstd, or snappy. An attacker can bypass the configured decompression limit by sending a compressed payload with Content-Encoding: br instead of Content-Encoding: gzip, causing unbounded memory allocation and out-of-memory denial of service. The same vulnerability exists in DelegatingDecompressorFrameListener for HTTP/2 connections. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, the MQTT 5 header Properties section is parsed and buffered before any message size limit is applied. Specifically, in MqttDecoder, the decodeVariableHeader() method is called before the bytesRemainingBeforeVariableHeader > maxBytesInMessage check. The decodeVariableHeader() can call other methods which will call decodeProperties(). Effectively, Netty does not apply any limits to the size of the properties being decoded. Additionally, because MqttDecoder extends ReplayingDecoder, Netty will repeatedly re-parse the enormous Properties sections and buffer the bytes in memory, until the entire thing parses to completion. This can cause high resource usage in both CPU and memory. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, the Netty Redis codec encoder (RedisEncoder) writes user-controlled string content directly to the network output buffer without validating or sanitizing CRLF (\r\n) characters. Since the Redis Serialization Protocol (RESP) uses CRLF as the command/response delimiter, an attacker who can control the content of a Redis message can inject arbitrary Redis commands or forge fake responses. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection')
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.129.Final and 4.2.8.Final, the `io.netty.handler.codec.http.HttpRequestEncoder` has a CRLF injection with the request URI when constructing a request. This leads to request smuggling when `HttpRequestEncoder` is used without proper sanitization of the URI. Any application or framework using `HttpRequestEncoder` can be abused to perform request smuggling using CRLF injection. Versions 4.1.129.Final and 4.2.8.Final fix the issue.
CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection')
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's chunk size parser silently overflows int, enabling request smuggling attacks. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling'), CWE-190 Integer Overflow or Wraparound
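The chunk-size parsing issues above (the quoted-string handling in chunk extensions and the silent `int` overflow), as one added example in illustrative Python rather than Netty's own decoder: `lax_chunk_size` accumulates hex digits into a 32-bit value with no bound, so `100000005` reads as 5 and `ffffffff` as -1, while `strict_chunk_size` implements the RFC 9112 grammar (`1*HEXDIG`, then optional `chunk-ext` with token or quoted-string values) with an explicit digit and size bound. The limits (`MAX_HEX_DIGITS`, `INT32_MAX`) and the error type are assumptions for the example; the point is that a peer using a wider integer and this lax parser disagree on where the chunk ends.

```python
# Added example (not Netty code): lax 32-bit chunk-size accumulation beside a strict
# RFC 9112 parser for "chunk-size [ chunk-ext ]" (the line without its CRLF).

HEX = "0123456789abcdefABCDEF"
TCHAR = set("!#$%&'*+-.^_`|~0123456789"
            "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ")
INT32_MAX = 0x7FFF_FFFF
MAX_HEX_DIGITS = 8        # assumption: more digits cannot fit in 32 bits anyway


class ChunkSizeError(ValueError):
    pass


def lax_chunk_size(line: str) -> int:
    """Vulnerable pattern: value = value * 16 + digit in a 32-bit int, never bounded."""
    value = 0
    for ch in line:
        if ch not in HEX:
            break
        value = (value * 16 + int(ch, 16)) & 0xFFFF_FFFF      # silent wraparound
    return value - (1 << 32) if value & 0x8000_0000 else value  # signed reinterpretation


def strict_chunk_size(line: str, max_size: int = INT32_MAX):
    """Return (size, [(ext-name, ext-value or None), ...]) or raise ChunkSizeError."""
    i = 0
    while i < len(line) and line[i] in HEX:
        i += 1
    if i == 0:
        raise ChunkSizeError("chunk-size needs at least one hex digit")
    if i > MAX_HEX_DIGITS:
        raise ChunkSizeError("chunk-size has too many digits (would overflow)")
    size = int(line[:i], 16)
    if size > max_size:
        raise ChunkSizeError("chunk-size %d exceeds limit %d" % (size, max_size))
    return size, parse_chunk_ext(line[i:])


def parse_chunk_ext(s: str):
    """chunk-ext = *( BWS ";" BWS chunk-ext-name [ BWS "=" BWS chunk-ext-val ] )
    chunk-ext-val = token / quoted-string; anything else is malformed."""
    exts, i, n = [], 0, len(s)

    def skip_bws():
        nonlocal i
        while i < n and s[i] in " \t":
            i += 1

    def token():
        nonlocal i
        start = i
        while i < n and s[i] in TCHAR:
            i += 1
        if start == i:
            raise ChunkSizeError("expected token at offset %d" % i)
        return s[start:i]

    def quoted_string():
        nonlocal i
        i += 1                                   # opening DQUOTE
        buf = []
        while True:
            if i >= n:
                raise ChunkSizeError("unterminated quoted-string")
            c = s[i]
            if c == '"':
                i += 1
                return "".join(buf)
            if c == "\\":                        # quoted-pair: next char is literal
                i += 1
                if i >= n:
                    raise ChunkSizeError("dangling backslash in quoted-string")
                c = s[i]
            if (ord(c) < 0x20 and c != "\t") or c == "\x7f":
                raise ChunkSizeError("control character in quoted-string")
            buf.append(c)
            i += 1

    while True:
        skip_bws()
        if i == n:
            return exts
        if s[i] != ";":
            raise ChunkSizeError("unexpected %r after chunk-size" % s[i])
        i += 1
        skip_bws()
        name = token()
        value = None
        skip_bws()
        if i < n and s[i] == "=":
            i += 1
            skip_bws()
            value = quoted_string() if i < n and s[i] == '"' else token()
        exts.append((name, value))


def parses_ok(line: str) -> bool:
    """True when the strict parser accepts the line; compare with lax_chunk_size."""
    try:
        strict_chunk_size(line)
        return True
    except ChunkSizeError:
        return False
```

A size line the strict parser rejects (`100000005`, `80000000`, an unterminated `"`) is exactly the kind of input on which two implementations can diverge, so the safe behaviour is to close the connection rather than pick an interpretation.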
Netty allows request-line validation to be bypassed when a `DefaultHttpRequest` or `DefaultFullHttpRequest` is created first and its URI is later changed via `setUri()`. The constructors reject CRLF and whitespace characters that would break the start-line, but `setUri()` does not apply the same validation. `HttpRequestEncoder` and `RtspEncoder` then write the URI into the request line verbatim. If attacker-controlled input reaches `setUri()`, this enables CRLF injection and insertion of additional HTTP or RTSP requests, leading to HTTP request smuggling or desynchronization on the HTTP side and request injection on the RTSP side. This issue is fixed in versions 4.2.13.Final and 4.1.133.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling'), CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection')
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's HttpProxyHandler constructs HTTP CONNECT requests with header validation explicitly disabled. The newInitialMessage() method creates headers using DefaultHttpHeadersFactory.headersFactory().withValidation(false), then adds user-provided outboundHeaders without any CRLF validation. This allows an attacker who can influence the outbound headers to inject arbitrary HTTP headers into the CONNECT request sent to the proxy server. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CWE-113 Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')
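The three CRLF injection findings above (the request URI in `HttpRequestEncoder`, the unvalidated `setUri()` path, and the CONNECT headers built with validation disabled) share one root cause: bytes are written into the start-line or a header field verbatim at serialization time. The added example below (illustrative Python, not Netty code) shows the same serializer with validation off and on, and a receiver-side view of what the resulting bytes mean; the attacker strings, the `InvalidInput` type and the proxy host are constructed for the demonstration.

```python
# Added example (not Netty code): request serializer with start-line/header
# validation switchable, plus the receiver's interpretation of the output.

TCHAR = set("!#$%&'*+-.^_`|~0123456789"
            "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ")


class InvalidInput(ValueError):
    pass


def validate_uri(uri: str) -> str:
    """request-target: no SP/HTAB (ends the target), no CR/LF (ends the line), no CTLs."""
    if not uri:
        raise InvalidInput("empty request-target")
    for ch in uri:
        if ch in " \t" or ord(ch) < 0x20 or ord(ch) == 0x7F:
            raise InvalidInput("illegal character %r in request-target" % ch)
    return uri


def validate_header_name(name: str) -> str:
    if not name or any(ch not in TCHAR for ch in name):
        raise InvalidInput("illegal header name %r" % name)
    return name


def validate_header_value(value: str) -> str:
    """field-value: HTAB and SP allowed, no CR, LF, NUL or other CTLs."""
    for ch in value:
        if (ord(ch) < 0x20 and ch != "\t") or ord(ch) == 0x7F:
            raise InvalidInput("illegal character %r in header value" % ch)
    return value


def encode_request(method: str, uri: str, headers, validate: bool) -> bytes:
    """validate=False writes the URI and values verbatim (the vulnerable behaviour);
    validate=True makes any injection attempt fail closed at serialization time,
    which also covers a URI swapped in after construction."""
    if validate:
        uri = validate_uri(uri)
        headers = [(validate_header_name(n), validate_header_value(v)) for n, v in headers]
    out = "%s %s HTTP/1.1\r\n" % (method, uri)
    out += "".join("%s: %s\r\n" % (n, v) for n, v in headers)
    return (out + "\r\n").encode("latin-1")


def receiver_view(wire: bytes):
    """Parse the bytes as a receiver would: one (request-line, [header names]) per
    request it believes it got."""
    seen = []
    for block in wire.split(b"\r\n\r\n"):
        if not block:
            continue
        lines = block.decode("latin-1").split("\r\n")
        seen.append((lines[0], [line.split(":", 1)[0] for line in lines[1:]]))
    return seen


def rejected(method: str, uri: str, headers) -> bool:
    """True when the validating encoder refuses the request."""
    try:
        encode_request(method, uri, headers, validate=True)
        return False
    except InvalidInput:
        return True


# Constructed attacker-controlled inputs.
INJECTED_URI = "/ HTTP/1.1\r\nHost: app\r\n\r\nGET /admin"
INJECTED_HEADER = ("Proxy-Authorization", "Basic Zm9v\r\nX-Forwarded-For: 127.0.0.1")
```

Unvalidated, the URI turns one `GET /` into two requests at the receiver, and the header value adds an `X-Forwarded-For` the caller never set to the CONNECT sent to the proxy; validated, both attempts raise before any bytes are written.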
CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection')
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.129.Final and 4.2.8.Final, the `io.netty.handler.codec.http.HttpRequestEncoder` has a CRLF injection with the request URI when constructing a request. This leads to request smuggling when `HttpRequestEncoder` is used without proper sanitization of the URI. Any application or framework using `HttpRequestEncoder` can be abused to perform request smuggling using CRLF injection. Versions 4.1.129.Final and 4.2.8.Final fix the issue.
CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection')
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's chunk size parser silently overflows int, enabling request smuggling attacks. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling'), CWE-190 Integer Overflow or Wraparound
Netty allows request-line validation to be bypassed when a `DefaultHttpRequest` or `DefaultFullHttpRequest` is created first and its URI is later changed via `setUri()`. The constructors reject CRLF and whitespace characters that would break the start-line, but `setUri()` does not apply the same validation. `HttpRequestEncoder` and `RtspEncoder` then write the URI into the request line verbatim. If attacker-controlled input reaches `setUri()`, this enables CRLF injection and insertion of additional HTTP or RTSP requests, leading to HTTP request smuggling or desynchronization on the HTTP side and request injection on the RTSP side. This issue is fixed in versions 4.2.13.Final and 4.1.133.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling'), CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection')
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's HttpProxyHandler constructs HTTP CONNECT requests with header validation explicitly disabled. The newInitialMessage() method creates headers using DefaultHttpHeadersFactory.headersFactory().withValidation(false), then adds user-provided outboundHeaders without any CRLF validation. This allows an attacker who can influence the outbound headers to inject arbitrary HTTP headers into the CONNECT request sent to the proxy server. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CWE-113 Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.
Notes: false positive, "io.projectreactor.netty.reactor-netty-core" should not match against "io.netty:netty-all"
file name: sharepoint-online-connector-0.9.0-candidate-4-5-0-SNAPSHOT.war: reactor-netty-core-1.2.10.jar
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpObjectDecoder strips a conflicting Content-Length header when a request carries both Transfer-Encoding: chunked and Content-Length, but only for HTTP/1.1 messages. The guard is absent for HTTP/1.0. An attacker that sends an HTTP/1.0 request with both headers causes Netty to decode the body as chunked while leaving Content-Length intact in the forwarded HttpMessage. Any downstream proxy or handler that trusts Content-Length over Transfer-Encoding will disagree on message boundaries, enabling request smuggling. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's DNS codec does not enforce RFC 1035 domain name constraints during either encoding or decoding. This creates a bidirectional attack surface: malicious DNS responses can exploit the decoder, and user-influenced hostnames can exploit the encoder. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpClientCodec pairs each inbound response with an outbound request by queue.poll() once per response, including for 1xx. If the client pipelines GET then HEAD and the server sends 103, then 200 with GET body, then 200 for HEAD, the queue pairs HEAD with the first 200. The HEAD rule then skips reading that message’s body, so the GET entity bytes stay on the stream and the following 200 is parsed from the wrong offset. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, a remote user can trigger a Denial of Service (DoS) against a Netty HTTP/2 server by sending a flood of `CONTINUATION` frames. The server's lack of a limit on the number of `CONTINUATION` frames, combined with a bypass of existing size-based mitigations using zero-byte frames, allows a user to cause excessive CPU consumption with minimal bandwidth, rendering the server unresponsive. Versions 4.1.132.Final and 4.2.10.Final fix the issue.
CWE-770 Allocation of Resources Without Limits or Throttling
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, Netty incorrectly parses quoted strings in HTTP/1.1 chunked transfer encoding extension values, enabling request smuggling attacks. Versions 4.1.132.Final and 4.2.10.Final fix the issue.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final, when decoding header blocks, the non-Huffman branch of io.netty.handler.codec.http3.QpackDecoder#decodeHuffmanEncodedLiteral may execute new byte[length] for a string literal before verifying that length bytes are actually present in the compressed field section. The wire encoding allows a very large length to be expressed in few bytes. There is no check that length <= in.readableBytes() before new byte[length]. This vulnerability is fixed in 4.2.13.Final.
CWE-789 Memory Allocation with Excessive Size Value, CWE-770 Allocation of Resources Without Limits or Throttling
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Lz4FrameDecoder allocates a ByteBuf of size decompressedLength (up to 32 MB per block) before LZ4 runs. A peer only needs a 21-byte header plus compressedLength payload bytes (22 bytes in total if compressedLength == 1) to force that allocation. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CWE-400 Uncontrolled Resource Consumption, CWE-770 Allocation of Resources Without Limits or Throttling
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty incorrectly parses malformed Transfer-Encoding, enabling request smuggling attacks. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpContentDecompressor accepts a maxAllocation parameter to limit decompression buffer size and prevent decompression bomb attacks. This limit is correctly enforced for gzip and deflate encodings via ZlibDecoder, but is silently ignored when the content encoding is br (Brotli), zstd, or snappy. An attacker can bypass the configured decompression limit by sending a compressed payload with Content-Encoding: br instead of Content-Encoding: gzip, causing unbounded memory allocation and out-of-memory denial of service. The same vulnerability exists in DelegatingDecompressorFrameListener for HTTP/2 connections. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, the MQTT 5 header Properties section is parsed and buffered before any message size limit is applied. Specifically, in MqttDecoder, the decodeVariableHeader() method is called before the bytesRemainingBeforeVariableHeader > maxBytesInMessage check. The decodeVariableHeader() can call other methods which will call decodeProperties(). Effectively, Netty does not apply any limits to the size of the properties being decoded. Additionally, because MqttDecoder extends ReplayingDecoder, Netty will repeatedly re-parse the enormous Properties sections and buffer the bytes in memory, until the entire thing parses to completion. This can cause high resource usage in both CPU and memory. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, the Netty Redis codec encoder (RedisEncoder) writes user-controlled string content directly to the network output buffer without validating or sanitizing CRLF (\r\n) characters. Since the Redis Serialization Protocol (RESP) uses CRLF as the command/response delimiter, an attacker who can control the content of a Redis message can inject arbitrary Redis commands or forge fake responses. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection')
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.129.Final and 4.2.8.Final, the `io.netty.handler.codec.http.HttpRequestEncoder` has a CRLF injection with the request URI when constructing a request. This leads to request smuggling when `HttpRequestEncoder` is used without proper sanitization of the URI. Any application or framework using `HttpRequestEncoder` can be abused to perform request smuggling using CRLF injection. Versions 4.1.129.Final and 4.2.8.Final fix the issue.
CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection')
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's chunk size parser silently overflows int, enabling request smuggling attacks. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling'), CWE-190 Integer Overflow or Wraparound
Netty allows request-line validation to be bypassed when a `DefaultHttpRequest` or `DefaultFullHttpRequest` is created first and its URI is later changed via `setUri()`. The constructors reject CRLF and whitespace characters that would break the start-line, but `setUri()` does not apply the same validation. `HttpRequestEncoder` and `RtspEncoder` then write the URI into the request line verbatim. If attacker-controlled input reaches `setUri()`, this enables CRLF injection and insertion of additional HTTP or RTSP requests, leading to HTTP request smuggling or desynchronization on the HTTP side and request injection on the RTSP side. This issue is fixed in versions 4.2.13.Final and 4.1.133.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling'), CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection')
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's HttpProxyHandler constructs HTTP CONNECT requests with header validation explicitly disabled. The newInitialMessage() method creates headers using DefaultHttpHeadersFactory.headersFactory().withValidation(false), then adds user-provided outboundHeaders without any CRLF validation. This allows an attacker who can influence the outbound headers to inject arbitrary HTTP headers into the CONNECT request sent to the proxy server. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CWE-113 Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.
Notes: false positive, "io.projectreactor.netty.reactor-netty-core" should not match against "io.netty:netty-all"
file name: sharepoint-online-connector-0.9.0-candidate-4-5-0-SNAPSHOT.war: reactor-netty-core-1.2.10.jar
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpObjectDecoder strips a conflicting Content-Length header when a request carries both Transfer-Encoding: chunked and Content-Length, but only for HTTP/1.1 messages. The guard is absent for HTTP/1.0. An attacker who sends an HTTP/1.0 request with both headers causes Netty to decode the body as chunked while leaving Content-Length intact in the forwarded HttpMessage. Any downstream proxy or handler that trusts Content-Length over Transfer-Encoding will disagree on message boundaries, enabling request smuggling. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's DNS codec does not enforce RFC 1035 domain name constraints during either encoding or decoding. This creates a bidirectional attack surface: malicious DNS responses can exploit the decoder, and user-influenced hostnames can exploit the encoder. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpClientCodec pairs each inbound response with an outbound request by queue.poll() once per response, including for 1xx. If the client pipelines GET then HEAD and the server sends 103, then 200 with GET body, then 200 for HEAD, the queue pairs HEAD with the first 200. The HEAD rule then skips reading that message’s body, so the GET entity bytes stay on the stream and the following 200 is parsed from the wrong offset. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, a remote user can trigger a Denial of Service (DoS) against a Netty HTTP/2 server by sending a flood of `CONTINUATION` frames. The server's lack of a limit on the number of `CONTINUATION` frames, combined with a bypass of existing size-based mitigations using zero-byte frames, allows a user to cause excessive CPU consumption with minimal bandwidth, rendering the server unresponsive. Versions 4.1.132.Final and 4.2.10.Final fix the issue.
CWE-770 Allocation of Resources Without Limits or Throttling
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, Netty incorrectly parses quoted strings in HTTP/1.1 chunked transfer encoding extension values, enabling request smuggling attacks. Versions 4.1.132.Final and 4.2.10.Final fix the issue.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final, when decoding header blocks, the non-Huffman branch of io.netty.handler.codec.http3.QpackDecoder#decodeHuffmanEncodedLiteral may execute new byte[length] for a string literal before verifying that length bytes are actually present in the compressed field section. The wire encoding allows a very large length to be expressed in few bytes. There is no check that length <= in.readableBytes() before new byte[length]. This vulnerability is fixed in 4.2.13.Final.
CWE-789 Memory Allocation with Excessive Size Value, CWE-770 Allocation of Resources Without Limits or Throttling
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Lz4FrameDecoder allocates a ByteBuf of size decompressedLength (up to 32 MB per block) before LZ4 runs. A peer only needs a 21-byte header plus compressedLength payload bytes - 22 bytes if compressedLength == 1 - to force that allocation. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CWE-400 Uncontrolled Resource Consumption, CWE-770 Allocation of Resources Without Limits or Throttling
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty incorrectly parses malformed Transfer-Encoding, enabling request smuggling attacks. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpContentDecompressor accepts a maxAllocation parameter to limit decompression buffer size and prevent decompression bomb attacks. This limit is correctly enforced for gzip and deflate encodings via ZlibDecoder, but is silently ignored when the content encoding is br (Brotli), zstd, or snappy. An attacker can bypass the configured decompression limit by sending a compressed payload with Content-Encoding: br instead of Content-Encoding: gzip, causing unbounded memory allocation and out-of-memory denial of service. The same vulnerability exists in DelegatingDecompressorFrameListener for HTTP/2 connections. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, the MQTT 5 header Properties section is parsed and buffered before any message size limit is applied. Specifically, in MqttDecoder, the decodeVariableHeader() method is called before the bytesRemainingBeforeVariableHeader > maxBytesInMessage check. The decodeVariableHeader() can call other methods which will call decodeProperties(). Effectively, Netty does not apply any limits to the size of the properties being decoded. Additionally, because MqttDecoder extends ReplayingDecoder, Netty will repeatedly re-parse the enormous Properties sections and buffer the bytes in memory, until the entire thing parses to completion. This can cause high resource usage in both CPU and memory. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, the Netty Redis codec encoder (RedisEncoder) writes user-controlled string content directly to the network output buffer without validating or sanitizing CRLF (\r\n) characters. Since the Redis Serialization Protocol (RESP) uses CRLF as the command/response delimiter, an attacker who can control the content of a Redis message can inject arbitrary Redis commands or forge fake responses. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection')
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.129.Final and 4.2.8.Final, the `io.netty.handler.codec.http.HttpRequestEncoder` has a CRLF injection with the request URI when constructing a request. This leads to request smuggling when `HttpRequestEncoder` is used without proper sanitization of the URI. Any application / framework using `HttpRequestEncoder` can be subject to be abused to perform request smuggling using CRLF injection. Versions 4.1.129.Final and 4.2.8.Final fix the issue.
CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection')
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's chunk size parser silently overflows int, enabling request smuggling attacks. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling'), CWE-190 Integer Overflow or Wraparound
Netty allows request-line validation to be bypassed when a `DefaultHttpRequest` or `DefaultFullHttpRequest` is created first and its URI is later changed via `setUri()`. The constructors reject CRLF and whitespace characters that would break the start-line, but `setUri()` does not apply the same validation. `HttpRequestEncoder` and `RtspEncoder` then write the URI into the request line verbatim. If attacker-controlled input reaches `setUri()`, this enables CRLF injection and insertion of additional HTTP or RTSP requests, leading to HTTP request smuggling or desynchronization on the HTTP side and request injection on the RTSP side. This issue is fixed in versions 4.2.13.Final and 4.1.133.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling'), CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection')
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's HttpProxyHandler constructs HTTP CONNECT requests with header validation explicitly disabled. The newInitialMessage() method creates headers using DefaultHttpHeadersFactory.headersFactory().withValidation(false), then adds user-provided outboundHeaders without any CRLF validation. This allows an attacker who can influence the outbound headers to inject arbitrary HTTP headers into the CONNECT request sent to the proxy server. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CWE-113 Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.
Notes: false positive, "io.projectreactor.netty.reactor-netty-core" should not match against "io.netty:netty-all"
file name: sharepoint-online-connector-0.9.0-candidate-4-5-0-SNAPSHOT.war: reactor-netty-core-1.2.10.jar
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpObjectDecoder strips a conflicting Content-Length header when a request carries both Transfer-Encoding: chunked and Content-Length, but only for HTTP/1.1 messages. The guard is absent for HTTP/1.0. An attacker that sends an HTTP/1.0 request with both headers causes Netty to decode the body as chunked while leaving Content-Length intact in the forwarded HttpMessage. Any downstream proxy or handler that trusts Content-Length over Transfer-Encoding will disagree on message boundaries, enabling request smuggling. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's DNS codec does not enforce RFC 1035 domain name constraints during either encoding or decoding. This creates a bidirectional attack surface: malicious DNS responses can exploit the decoder, and user-influenced hostnames can exploit the encoder. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpClientCodec pairs each inbound response with an outbound request by queue.poll() once per response, including for 1xx. If the client pipelines GET then HEAD and the server sends 103, then 200 with GET body, then 200 for HEAD, the queue pairs HEAD with the first 200. The HEAD rule then skips reading that message’s body, so the GET entity bytes stay on the stream and the following 200 is parsed from the wrong offset. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, a remote user can trigger a Denial of Service (DoS) against a Netty HTTP/2 server by sending a flood of `CONTINUATION` frames. The server's lack of a limit on the number of `CONTINUATION` frames, combined with a bypass of existing size-based mitigations using zero-byte frames, allows an user to cause excessive CPU consumption with minimal bandwidth, rendering the server unresponsive. Versions 4.1.132.Final and 4.2.10.Final fix the issue.
CWE-770 Allocation of Resources Without Limits or Throttling
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, Netty incorrectly parses quoted strings in HTTP/1.1 chunked transfer encoding extension values, enabling request smuggling attacks. Versions 4.1.132.Final and 4.2.10.Final fix the issue.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final, when decoding header blocks, the non-Huffman branch of io.netty.handler.codec.http3.QpackDecoder#decodeHuffmanEncodedLiteral may execute new byte[length] for a string literal before verifying that length bytes are actually present in the compressed field section. The wire encoding allows a very large length to be expressed in few bytes. There is no check that length <= in.readableBytes() before new byte[length]. This vulnerability is fixed in 4.2.13.Final.
CWE-789 Memory Allocation with Excessive Size Value, CWE-770 Allocation of Resources Without Limits or Throttling
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Lz4FrameDecoder allocates a ByteBuf of size decompressedLength (up to 32 MB per block) before LZ4 runs. A peer only needs a 21-byte header plus compressedLength payload bytes - 22 bytes if compressedLength == 1 - to force that allocation. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CWE-400 Uncontrolled Resource Consumption, CWE-770 Allocation of Resources Without Limits or Throttling
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty incorrectly parses malformed Transfer-Encoding, enabling request smuggling attacks. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpContentDecompressor accepts a maxAllocation parameter to limit decompression buffer size and prevent decompression bomb attacks. This limit is correctly enforced for gzip and deflate encodings via ZlibDecoder, but is silently ignored when the content encoding is br (Brotli), zstd, or snappy. An attacker can bypass the configured decompression limit by sending a compressed payload with Content-Encoding: br instead of Content-Encoding: gzip, causing unbounded memory allocation and out-of-memory denial of service. The same vulnerability exists in DelegatingDecompressorFrameListener for HTTP/2 connections. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, the MQTT 5 header Properties section is parsed and buffered before any message size limit is applied. Specifically, in MqttDecoder, the decodeVariableHeader() method is called before the bytesRemainingBeforeVariableHeader > maxBytesInMessage check. The decodeVariableHeader() can call other methods which will call decodeProperties(). Effectively, Netty does not apply any limits to the size of the properties being decoded. Additionally, because MqttDecoder extends ReplayingDecoder, Netty will repeatedly re-parse the enormous Properties sections and buffer the bytes in memory, until the entire thing parses to completion. This can cause high resource usage in both CPU and memory. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, the Netty Redis codec encoder (RedisEncoder) writes user-controlled string content directly to the network output buffer without validating or sanitizing CRLF (\r\n) characters. Since the Redis Serialization Protocol (RESP) uses CRLF as the command/response delimiter, an attacker who can control the content of a Redis message can inject arbitrary Redis commands or forge fake responses. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection')
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.129.Final and 4.2.8.Final, the `io.netty.handler.codec.http.HttpRequestEncoder` has a CRLF injection with the request URI when constructing a request. This leads to request smuggling when `HttpRequestEncoder` is used without proper sanitization of the URI. Any application / framework using `HttpRequestEncoder` can be subject to be abused to perform request smuggling using CRLF injection. Versions 4.1.129.Final and 4.2.8.Final fix the issue.
CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection')
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's chunk size parser silently overflows int, enabling request smuggling attacks. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling'), CWE-190 Integer Overflow or Wraparound
Netty allows request-line validation to be bypassed when a `DefaultHttpRequest` or `DefaultFullHttpRequest` is created first and its URI is later changed via `setUri()`. The constructors reject CRLF and whitespace characters that would break the start-line, but `setUri()` does not apply the same validation. `HttpRequestEncoder` and `RtspEncoder` then write the URI into the request line verbatim. If attacker-controlled input reaches `setUri()`, this enables CRLF injection and insertion of additional HTTP or RTSP requests, leading to HTTP request smuggling or desynchronization on the HTTP side and request injection on the RTSP side. This issue is fixed in versions 4.2.13.Final and 4.1.133.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling'), CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection')
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's HttpProxyHandler constructs HTTP CONNECT requests with header validation explicitly disabled. The newInitialMessage() method creates headers using DefaultHttpHeadersFactory.headersFactory().withValidation(false), then adds user-provided outboundHeaders without any CRLF validation. This allows an attacker who can influence the outbound headers to inject arbitrary HTTP headers into the CONNECT request sent to the proxy server. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CWE-113 Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.
Notes: false positive, "io.projectreactor.netty.reactor-netty-core" should not match against "io.netty:netty-all"
file name: sharepoint-online-connector-0.9.0-candidate-4-5-0-SNAPSHOT.war: reactor-netty-core-1.2.10.jar
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpObjectDecoder strips a conflicting Content-Length header when a request carries both Transfer-Encoding: chunked and Content-Length, but only for HTTP/1.1 messages. The guard is absent for HTTP/1.0. An attacker that sends an HTTP/1.0 request with both headers causes Netty to decode the body as chunked while leaving Content-Length intact in the forwarded HttpMessage. Any downstream proxy or handler that trusts Content-Length over Transfer-Encoding will disagree on message boundaries, enabling request smuggling. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's DNS codec does not enforce RFC 1035 domain name constraints during either encoding or decoding. This creates a bidirectional attack surface: malicious DNS responses can exploit the decoder, and user-influenced hostnames can exploit the encoder. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpClientCodec pairs each inbound response with an outbound request by queue.poll() once per response, including for 1xx. If the client pipelines GET then HEAD and the server sends 103, then 200 with GET body, then 200 for HEAD, the queue pairs HEAD with the first 200. The HEAD rule then skips reading that message’s body, so the GET entity bytes stay on the stream and the following 200 is parsed from the wrong offset. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, a remote user can trigger a Denial of Service (DoS) against a Netty HTTP/2 server by sending a flood of `CONTINUATION` frames. The server's lack of a limit on the number of `CONTINUATION` frames, combined with a bypass of existing size-based mitigations using zero-byte frames, allows an user to cause excessive CPU consumption with minimal bandwidth, rendering the server unresponsive. Versions 4.1.132.Final and 4.2.10.Final fix the issue.
CWE-770 Allocation of Resources Without Limits or Throttling
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, Netty incorrectly parses quoted strings in HTTP/1.1 chunked transfer encoding extension values, enabling request smuggling attacks. Versions 4.1.132.Final and 4.2.10.Final fix the issue.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final, when decoding header blocks, the non-Huffman branch of io.netty.handler.codec.http3.QpackDecoder#decodeHuffmanEncodedLiteral may execute new byte[length] for a string literal before verifying that length bytes are actually present in the compressed field section. The wire encoding allows a very large length to be expressed in few bytes. There is no check that length <= in.readableBytes() before new byte[length]. This vulnerability is fixed in 4.2.13.Final.
CWE-789 Memory Allocation with Excessive Size Value, CWE-770 Allocation of Resources Without Limits or Throttling
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Lz4FrameDecoder allocates a ByteBuf of size decompressedLength (up to 32 MB per block) before LZ4 runs. A peer only needs a 21-byte header plus compressedLength payload bytes - 22 bytes if compressedLength == 1 - to force that allocation. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CWE-400 Uncontrolled Resource Consumption, CWE-770 Allocation of Resources Without Limits or Throttling
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty incorrectly parses malformed Transfer-Encoding, enabling request smuggling attacks. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpContentDecompressor accepts a maxAllocation parameter to limit decompression buffer size and prevent decompression bomb attacks. This limit is correctly enforced for gzip and deflate encodings via ZlibDecoder, but is silently ignored when the content encoding is br (Brotli), zstd, or snappy. An attacker can bypass the configured decompression limit by sending a compressed payload with Content-Encoding: br instead of Content-Encoding: gzip, causing unbounded memory allocation and out-of-memory denial of service. The same vulnerability exists in DelegatingDecompressorFrameListener for HTTP/2 connections. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, the MQTT 5 header Properties section is parsed and buffered before any message size limit is applied. Specifically, in MqttDecoder, the decodeVariableHeader() method is called before the bytesRemainingBeforeVariableHeader > maxBytesInMessage check. The decodeVariableHeader() can call other methods which will call decodeProperties(). Effectively, Netty does not apply any limits to the size of the properties being decoded. Additionally, because MqttDecoder extends ReplayingDecoder, Netty will repeatedly re-parse the enormous Properties sections and buffer the bytes in memory, until the entire thing parses to completion. This can cause high resource usage in both CPU and memory. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, the Netty Redis codec encoder (RedisEncoder) writes user-controlled string content directly to the network output buffer without validating or sanitizing CRLF (\r\n) characters. Since the Redis Serialization Protocol (RESP) uses CRLF as the command/response delimiter, an attacker who can control the content of a Redis message can inject arbitrary Redis commands or forge fake responses. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection')
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.129.Final and 4.2.8.Final, the `io.netty.handler.codec.http.HttpRequestEncoder` has a CRLF injection with the request URI when constructing a request. This leads to request smuggling when `HttpRequestEncoder` is used without proper sanitization of the URI. Any application / framework using `HttpRequestEncoder` can be subject to be abused to perform request smuggling using CRLF injection. Versions 4.1.129.Final and 4.2.8.Final fix the issue.
CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection')
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's chunk size parser silently overflows int, enabling request smuggling attacks. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling'), CWE-190 Integer Overflow or Wraparound
Netty allows request-line validation to be bypassed when a `DefaultHttpRequest` or `DefaultFullHttpRequest` is created first and its URI is later changed via `setUri()`. The constructors reject CRLF and whitespace characters that would break the start-line, but `setUri()` does not apply the same validation. `HttpRequestEncoder` and `RtspEncoder` then write the URI into the request line verbatim. If attacker-controlled input reaches `setUri()`, this enables CRLF injection and insertion of additional HTTP or RTSP requests, leading to HTTP request smuggling or desynchronization on the HTTP side and request injection on the RTSP side. This issue is fixed in versions 4.2.13.Final and 4.1.133.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling'), CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection')
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's HttpProxyHandler constructs HTTP CONNECT requests with header validation explicitly disabled. The newInitialMessage() method creates headers using DefaultHttpHeadersFactory.headersFactory().withValidation(false), then adds user-provided outboundHeaders without any CRLF validation. This allows an attacker who can influence the outbound headers to inject arbitrary HTTP headers into the CONNECT request sent to the proxy server. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CWE-113 Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.
Notes: false positive, "io.projectreactor.netty.reactor-netty-core" should not match against "io.netty:netty-all"
file name: sharepoint-online-connector-0.9.0-candidate-4-5-0-SNAPSHOT.war: reactor-netty-core-1.2.10.jar
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpObjectDecoder strips a conflicting Content-Length header when a request carries both Transfer-Encoding: chunked and Content-Length, but only for HTTP/1.1 messages. The guard is absent for HTTP/1.0. An attacker that sends an HTTP/1.0 request with both headers causes Netty to decode the body as chunked while leaving Content-Length intact in the forwarded HttpMessage. Any downstream proxy or handler that trusts Content-Length over Transfer-Encoding will disagree on message boundaries, enabling request smuggling. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's DNS codec does not enforce RFC 1035 domain name constraints during either encoding or decoding. This creates a bidirectional attack surface: malicious DNS responses can exploit the decoder, and user-influenced hostnames can exploit the encoder. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpClientCodec pairs each inbound response with an outbound request by queue.poll() once per response, including for 1xx. If the client pipelines GET then HEAD and the server sends 103, then 200 with GET body, then 200 for HEAD, the queue pairs HEAD with the first 200. The HEAD rule then skips reading that message’s body, so the GET entity bytes stay on the stream and the following 200 is parsed from the wrong offset. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, a remote user can trigger a Denial of Service (DoS) against a Netty HTTP/2 server by sending a flood of `CONTINUATION` frames. The server's lack of a limit on the number of `CONTINUATION` frames, combined with a bypass of existing size-based mitigations using zero-byte frames, allows a user to cause excessive CPU consumption with minimal bandwidth, rendering the server unresponsive. Versions 4.1.132.Final and 4.2.10.Final fix the issue.
CWE-770 Allocation of Resources Without Limits or Throttling
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, Netty incorrectly parses quoted strings in HTTP/1.1 chunked transfer encoding extension values, enabling request smuggling attacks. Versions 4.1.132.Final and 4.2.10.Final fix the issue.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final, when decoding header blocks, the non-Huffman branch of io.netty.handler.codec.http3.QpackDecoder#decodeHuffmanEncodedLiteral may execute new byte[length] for a string literal before verifying that length bytes are actually present in the compressed field section. The wire encoding allows a very large length to be expressed in few bytes. There is no check that length <= in.readableBytes() before new byte[length]. This vulnerability is fixed in 4.2.13.Final.
CWE-789 Memory Allocation with Excessive Size Value, CWE-770 Allocation of Resources Without Limits or Throttling
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Lz4FrameDecoder allocates a ByteBuf of size decompressedLength (up to 32 MB per block) before LZ4 runs. A peer only needs a 21-byte header plus compressedLength payload bytes (22 bytes in total if compressedLength == 1) to force that allocation. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CWE-400 Uncontrolled Resource Consumption, CWE-770 Allocation of Resources Without Limits or Throttling
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty incorrectly parses malformed Transfer-Encoding, enabling request smuggling attacks. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpContentDecompressor accepts a maxAllocation parameter to limit decompression buffer size and prevent decompression bomb attacks. This limit is correctly enforced for gzip and deflate encodings via ZlibDecoder, but is silently ignored when the content encoding is br (Brotli), zstd, or snappy. An attacker can bypass the configured decompression limit by sending a compressed payload with Content-Encoding: br instead of Content-Encoding: gzip, causing unbounded memory allocation and out-of-memory denial of service. The same vulnerability exists in DelegatingDecompressorFrameListener for HTTP/2 connections. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, the MQTT 5 header Properties section is parsed and buffered before any message size limit is applied. Specifically, in MqttDecoder, the decodeVariableHeader() method is called before the bytesRemainingBeforeVariableHeader > maxBytesInMessage check. The decodeVariableHeader() can call other methods which will call decodeProperties(). Effectively, Netty does not apply any limits to the size of the properties being decoded. Additionally, because MqttDecoder extends ReplayingDecoder, Netty will repeatedly re-parse the enormous Properties sections and buffer the bytes in memory, until the entire thing parses to completion. This can cause high resource usage in both CPU and memory. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, the Netty Redis codec encoder (RedisEncoder) writes user-controlled string content directly to the network output buffer without validating or sanitizing CRLF (\r\n) characters. Since the Redis Serialization Protocol (RESP) uses CRLF as the command/response delimiter, an attacker who can control the content of a Redis message can inject arbitrary Redis commands or forge fake responses. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection')
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.129.Final and 4.2.8.Final, the `io.netty.handler.codec.http.HttpRequestEncoder` has a CRLF injection in the request URI when constructing a request. This leads to request smuggling when `HttpRequestEncoder` is used without proper sanitization of the URI. Any application or framework using `HttpRequestEncoder` can be abused to perform request smuggling via CRLF injection. Versions 4.1.129.Final and 4.2.8.Final fix the issue.
CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection')
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's chunk size parser silently overflows int, enabling request smuggling attacks. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling'), CWE-190 Integer Overflow or Wraparound
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, the Netty Redis codec encoder (RedisEncoder) writes user-controlled string content directly to the network output buffer without validating or sanitizing CRLF (\r\n) characters. Since the Redis Serialization Protocol (RESP) uses CRLF as the command/response delimiter, an attacker who can control the content of a Redis message can inject arbitrary Redis commands or forge fake responses. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection')
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.129.Final and 4.2.8.Final, the `io.netty.handler.codec.http.HttpRequestEncoder` has a CRLF injection in the request URI when constructing a request. This leads to request smuggling when `HttpRequestEncoder` is used without proper sanitization of the URI. Any application or framework using `HttpRequestEncoder` can be abused to perform request smuggling using CRLF injection. Versions 4.1.129.Final and 4.2.8.Final fix the issue.
CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection')
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's chunk size parser silently overflows int, enabling request smuggling attacks. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling'), CWE-190 Integer Overflow or Wraparound
Netty allows request-line validation to be bypassed when a `DefaultHttpRequest` or `DefaultFullHttpRequest` is created first and its URI is later changed via `setUri()`. The constructors reject CRLF and whitespace characters that would break the start-line, but `setUri()` does not apply the same validation. `HttpRequestEncoder` and `RtspEncoder` then write the URI into the request line verbatim. If attacker-controlled input reaches `setUri()`, this enables CRLF injection and insertion of additional HTTP or RTSP requests, leading to HTTP request smuggling or desynchronization on the HTTP side and request injection on the RTSP side. This issue is fixed in versions 4.2.13.Final and 4.1.133.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling'), CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection')
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's HttpProxyHandler constructs HTTP CONNECT requests with header validation explicitly disabled. The newInitialMessage() method creates headers using DefaultHttpHeadersFactory.headersFactory().withValidation(false), then adds user-provided outboundHeaders without any CRLF validation. This allows an attacker who can influence the outbound headers to inject arbitrary HTTP headers into the CONNECT request sent to the proxy server. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CWE-113 Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.
Notes: false positive, "io.projectreactor.netty.reactor-netty-core" should not match against "io.netty:netty-all"
file name: sharepoint-online-connector-0.9.0-candidate-4-5-0-SNAPSHOT.war: reactor-netty-core-1.2.10.jar
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpObjectDecoder strips a conflicting Content-Length header when a request carries both Transfer-Encoding: chunked and Content-Length, but only for HTTP/1.1 messages. The guard is absent for HTTP/1.0. An attacker who sends an HTTP/1.0 request with both headers causes Netty to decode the body as chunked while leaving Content-Length intact in the forwarded HttpMessage. Any downstream proxy or handler that trusts Content-Length over Transfer-Encoding will disagree on message boundaries, enabling request smuggling. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's DNS codec does not enforce RFC 1035 domain name constraints during either encoding or decoding. This creates a bidirectional attack surface: malicious DNS responses can exploit the decoder, and user-influenced hostnames can exploit the encoder. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpClientCodec pairs each inbound response with an outbound request by queue.poll() once per response, including for 1xx. If the client pipelines GET then HEAD and the server sends 103, then 200 with GET body, then 200 for HEAD, the queue pairs HEAD with the first 200. The HEAD rule then skips reading that message’s body, so the GET entity bytes stay on the stream and the following 200 is parsed from the wrong offset. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, a remote user can trigger a Denial of Service (DoS) against a Netty HTTP/2 server by sending a flood of `CONTINUATION` frames. The server's lack of a limit on the number of `CONTINUATION` frames, combined with a bypass of existing size-based mitigations using zero-byte frames, allows an user to cause excessive CPU consumption with minimal bandwidth, rendering the server unresponsive. Versions 4.1.132.Final and 4.2.10.Final fix the issue.
CWE-770 Allocation of Resources Without Limits or Throttling
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, Netty incorrectly parses quoted strings in HTTP/1.1 chunked transfer encoding extension values, enabling request smuggling attacks. Versions 4.1.132.Final and 4.2.10.Final fix the issue.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final, when decoding header blocks, the non-Huffman branch of io.netty.handler.codec.http3.QpackDecoder#decodeHuffmanEncodedLiteral may execute new byte[length] for a string literal before verifying that length bytes are actually present in the compressed field section. The wire encoding allows a very large length to be expressed in few bytes. There is no check that length <= in.readableBytes() before new byte[length]. This vulnerability is fixed in 4.2.13.Final.
CWE-789 Memory Allocation with Excessive Size Value, CWE-770 Allocation of Resources Without Limits or Throttling
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Lz4FrameDecoder allocates a ByteBuf of size decompressedLength (up to 32 MB per block) before LZ4 runs. A peer only needs a 21-byte header plus compressedLength payload bytes - 22 bytes if compressedLength == 1 - to force that allocation. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CWE-400 Uncontrolled Resource Consumption, CWE-770 Allocation of Resources Without Limits or Throttling
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty incorrectly parses malformed Transfer-Encoding, enabling request smuggling attacks. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpContentDecompressor accepts a maxAllocation parameter to limit decompression buffer size and prevent decompression bomb attacks. This limit is correctly enforced for gzip and deflate encodings via ZlibDecoder, but is silently ignored when the content encoding is br (Brotli), zstd, or snappy. An attacker can bypass the configured decompression limit by sending a compressed payload with Content-Encoding: br instead of Content-Encoding: gzip, causing unbounded memory allocation and out-of-memory denial of service. The same vulnerability exists in DelegatingDecompressorFrameListener for HTTP/2 connections. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, the MQTT 5 header Properties section is parsed and buffered before any message size limit is applied. Specifically, in MqttDecoder, the decodeVariableHeader() method is called before the bytesRemainingBeforeVariableHeader > maxBytesInMessage check. The decodeVariableHeader() can call other methods which will call decodeProperties(). Effectively, Netty does not apply any limits to the size of the properties being decoded. Additionally, because MqttDecoder extends ReplayingDecoder, Netty will repeatedly re-parse the enormous Properties sections and buffer the bytes in memory, until the entire thing parses to completion. This can cause high resource usage in both CPU and memory. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, the Netty Redis codec encoder (RedisEncoder) writes user-controlled string content directly to the network output buffer without validating or sanitizing CRLF (\r\n) characters. Since the Redis Serialization Protocol (RESP) uses CRLF as the command/response delimiter, an attacker who can control the content of a Redis message can inject arbitrary Redis commands or forge fake responses. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection')
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.129.Final and 4.2.8.Final, the `io.netty.handler.codec.http.HttpRequestEncoder` has a CRLF injection with the request URI when constructing a request. This leads to request smuggling when `HttpRequestEncoder` is used without proper sanitization of the URI. Any application / framework using `HttpRequestEncoder` can be subject to be abused to perform request smuggling using CRLF injection. Versions 4.1.129.Final and 4.2.8.Final fix the issue.
CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection')
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's chunk size parser silently overflows int, enabling request smuggling attacks. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling'), CWE-190 Integer Overflow or Wraparound
Netty allows request-line validation to be bypassed when a `DefaultHttpRequest` or `DefaultFullHttpRequest` is created first and its URI is later changed via `setUri()`. The constructors reject CRLF and whitespace characters that would break the start-line, but `setUri()` does not apply the same validation. `HttpRequestEncoder` and `RtspEncoder` then write the URI into the request line verbatim. If attacker-controlled input reaches `setUri()`, this enables CRLF injection and insertion of additional HTTP or RTSP requests, leading to HTTP request smuggling or desynchronization on the HTTP side and request injection on the RTSP side. This issue is fixed in versions 4.2.13.Final and 4.1.133.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling'), CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection')
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's HttpProxyHandler constructs HTTP CONNECT requests with header validation explicitly disabled. The newInitialMessage() method creates headers using DefaultHttpHeadersFactory.headersFactory().withValidation(false), then adds user-provided outboundHeaders without any CRLF validation. This allows an attacker who can influence the outbound headers to inject arbitrary HTTP headers into the CONNECT request sent to the proxy server. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CWE-113 Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.
Notes: false positive, "io.projectreactor.netty.reactor-netty-core" should not match against "io.netty:netty-all"
file name: sharepoint-online-connector-0.9.0-candidate-4-5-0-SNAPSHOT.war: reactor-netty-core-1.2.10.jar
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpObjectDecoder strips a conflicting Content-Length header when a request carries both Transfer-Encoding: chunked and Content-Length, but only for HTTP/1.1 messages. The guard is absent for HTTP/1.0. An attacker that sends an HTTP/1.0 request with both headers causes Netty to decode the body as chunked while leaving Content-Length intact in the forwarded HttpMessage. Any downstream proxy or handler that trusts Content-Length over Transfer-Encoding will disagree on message boundaries, enabling request smuggling. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's DNS codec does not enforce RFC 1035 domain name constraints during either encoding or decoding. This creates a bidirectional attack surface: malicious DNS responses can exploit the decoder, and user-influenced hostnames can exploit the encoder. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpClientCodec pairs each inbound response with an outbound request by queue.poll() once per response, including for 1xx. If the client pipelines GET then HEAD and the server sends 103, then 200 with GET body, then 200 for HEAD, the queue pairs HEAD with the first 200. The HEAD rule then skips reading that message’s body, so the GET entity bytes stay on the stream and the following 200 is parsed from the wrong offset. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, a remote user can trigger a Denial of Service (DoS) against a Netty HTTP/2 server by sending a flood of `CONTINUATION` frames. The server's lack of a limit on the number of `CONTINUATION` frames, combined with a bypass of existing size-based mitigations using zero-byte frames, allows an user to cause excessive CPU consumption with minimal bandwidth, rendering the server unresponsive. Versions 4.1.132.Final and 4.2.10.Final fix the issue.
CWE-770 Allocation of Resources Without Limits or Throttling
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, Netty incorrectly parses quoted strings in HTTP/1.1 chunked transfer encoding extension values, enabling request smuggling attacks. Versions 4.1.132.Final and 4.2.10.Final fix the issue.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final, when decoding header blocks, the non-Huffman branch of io.netty.handler.codec.http3.QpackDecoder#decodeHuffmanEncodedLiteral may execute new byte[length] for a string literal before verifying that length bytes are actually present in the compressed field section. The wire encoding allows a very large length to be expressed in few bytes. There is no check that length <= in.readableBytes() before new byte[length]. This vulnerability is fixed in 4.2.13.Final.
CWE-789 Memory Allocation with Excessive Size Value, CWE-770 Allocation of Resources Without Limits or Throttling
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Lz4FrameDecoder allocates a ByteBuf of size decompressedLength (up to 32 MB per block) before LZ4 runs. A peer only needs a 21-byte header plus compressedLength payload bytes - 22 bytes if compressedLength == 1 - to force that allocation. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CWE-400 Uncontrolled Resource Consumption, CWE-770 Allocation of Resources Without Limits or Throttling
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty incorrectly parses malformed Transfer-Encoding, enabling request smuggling attacks. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpContentDecompressor accepts a maxAllocation parameter to limit decompression buffer size and prevent decompression bomb attacks. This limit is correctly enforced for gzip and deflate encodings via ZlibDecoder, but is silently ignored when the content encoding is br (Brotli), zstd, or snappy. An attacker can bypass the configured decompression limit by sending a compressed payload with Content-Encoding: br instead of Content-Encoding: gzip, causing unbounded memory allocation and out-of-memory denial of service. The same vulnerability exists in DelegatingDecompressorFrameListener for HTTP/2 connections. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, the MQTT 5 header Properties section is parsed and buffered before any message size limit is applied. Specifically, in MqttDecoder, the decodeVariableHeader() method is called before the bytesRemainingBeforeVariableHeader > maxBytesInMessage check. The decodeVariableHeader() can call other methods which will call decodeProperties(). Effectively, Netty does not apply any limits to the size of the properties being decoded. Additionally, because MqttDecoder extends ReplayingDecoder, Netty will repeatedly re-parse the enormous Properties sections and buffer the bytes in memory, until the entire thing parses to completion. This can cause high resource usage in both CPU and memory. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, the Netty Redis codec encoder (RedisEncoder) writes user-controlled string content directly to the network output buffer without validating or sanitizing CRLF (\r\n) characters. Since the Redis Serialization Protocol (RESP) uses CRLF as the command/response delimiter, an attacker who can control the content of a Redis message can inject arbitrary Redis commands or forge fake responses. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection')
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.129.Final and 4.2.8.Final, the `io.netty.handler.codec.http.HttpRequestEncoder` has a CRLF injection with the request URI when constructing a request. This leads to request smuggling when `HttpRequestEncoder` is used without proper sanitization of the URI. Any application / framework using `HttpRequestEncoder` can be subject to be abused to perform request smuggling using CRLF injection. Versions 4.1.129.Final and 4.2.8.Final fix the issue.
CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection')
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's chunk size parser silently overflows int, enabling request smuggling attacks. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling'), CWE-190 Integer Overflow or Wraparound
Netty allows request-line validation to be bypassed when a `DefaultHttpRequest` or `DefaultFullHttpRequest` is created first and its URI is later changed via `setUri()`. The constructors reject CRLF and whitespace characters that would break the start-line, but `setUri()` does not apply the same validation. `HttpRequestEncoder` and `RtspEncoder` then write the URI into the request line verbatim. If attacker-controlled input reaches `setUri()`, this enables CRLF injection and insertion of additional HTTP or RTSP requests, leading to HTTP request smuggling or desynchronization on the HTTP side and request injection on the RTSP side. This issue is fixed in versions 4.2.13.Final and 4.1.133.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling'), CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection')
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's HttpProxyHandler constructs HTTP CONNECT requests with header validation explicitly disabled. The newInitialMessage() method creates headers using DefaultHttpHeadersFactory.headersFactory().withValidation(false), then adds user-provided outboundHeaders without any CRLF validation. This allows an attacker who can influence the outbound headers to inject arbitrary HTTP headers into the CONNECT request sent to the proxy server. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CWE-113 Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.
Notes: false positive, "io.projectreactor.netty.reactor-netty-core" should not match against "io.netty:netty-all"
file name: sharepoint-online-connector-0.9.0-candidate-4-5-0-SNAPSHOT.war: reactor-netty-core-1.2.10.jar
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpObjectDecoder strips a conflicting Content-Length header when a request carries both Transfer-Encoding: chunked and Content-Length, but only for HTTP/1.1 messages. The guard is absent for HTTP/1.0. An attacker that sends an HTTP/1.0 request with both headers causes Netty to decode the body as chunked while leaving Content-Length intact in the forwarded HttpMessage. Any downstream proxy or handler that trusts Content-Length over Transfer-Encoding will disagree on message boundaries, enabling request smuggling. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's DNS codec does not enforce RFC 1035 domain name constraints during either encoding or decoding. This creates a bidirectional attack surface: malicious DNS responses can exploit the decoder, and user-influenced hostnames can exploit the encoder. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpClientCodec pairs each inbound response with an outbound request by queue.poll() once per response, including for 1xx. If the client pipelines GET then HEAD and the server sends 103, then 200 with GET body, then 200 for HEAD, the queue pairs HEAD with the first 200. The HEAD rule then skips reading that message’s body, so the GET entity bytes stay on the stream and the following 200 is parsed from the wrong offset. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, a remote user can trigger a Denial of Service (DoS) against a Netty HTTP/2 server by sending a flood of `CONTINUATION` frames. The server's lack of a limit on the number of `CONTINUATION` frames, combined with a bypass of existing size-based mitigations using zero-byte frames, allows an user to cause excessive CPU consumption with minimal bandwidth, rendering the server unresponsive. Versions 4.1.132.Final and 4.2.10.Final fix the issue.
CWE-770 Allocation of Resources Without Limits or Throttling
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, Netty incorrectly parses quoted strings in HTTP/1.1 chunked transfer encoding extension values, enabling request smuggling attacks. Versions 4.1.132.Final and 4.2.10.Final fix the issue.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final, when decoding header blocks, the non-Huffman branch of io.netty.handler.codec.http3.QpackDecoder#decodeHuffmanEncodedLiteral may execute new byte[length] for a string literal before verifying that length bytes are actually present in the compressed field section. The wire encoding allows a very large length to be expressed in few bytes. There is no check that length <= in.readableBytes() before new byte[length]. This vulnerability is fixed in 4.2.13.Final.
CWE-789 Memory Allocation with Excessive Size Value, CWE-770 Allocation of Resources Without Limits or Throttling
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Lz4FrameDecoder allocates a ByteBuf of size decompressedLength (up to 32 MB per block) before LZ4 runs. A peer only needs a 21-byte header plus compressedLength payload bytes - 22 bytes if compressedLength == 1 - to force that allocation. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CWE-400 Uncontrolled Resource Consumption, CWE-770 Allocation of Resources Without Limits or Throttling
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty incorrectly parses malformed Transfer-Encoding, enabling request smuggling attacks. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpContentDecompressor accepts a maxAllocation parameter to limit decompression buffer size and prevent decompression bomb attacks. This limit is correctly enforced for gzip and deflate encodings via ZlibDecoder, but is silently ignored when the content encoding is br (Brotli), zstd, or snappy. An attacker can bypass the configured decompression limit by sending a compressed payload with Content-Encoding: br instead of Content-Encoding: gzip, causing unbounded memory allocation and out-of-memory denial of service. The same vulnerability exists in DelegatingDecompressorFrameListener for HTTP/2 connections. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, the MQTT 5 header Properties section is parsed and buffered before any message size limit is applied. Specifically, in MqttDecoder, the decodeVariableHeader() method is called before the bytesRemainingBeforeVariableHeader > maxBytesInMessage check. The decodeVariableHeader() can call other methods which will call decodeProperties(). Effectively, Netty does not apply any limits to the size of the properties being decoded. Additionally, because MqttDecoder extends ReplayingDecoder, Netty will repeatedly re-parse the enormous Properties sections and buffer the bytes in memory, until the entire thing parses to completion. This can cause high resource usage in both CPU and memory. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, the Netty Redis codec encoder (RedisEncoder) writes user-controlled string content directly to the network output buffer without validating or sanitizing CRLF (\r\n) characters. Since the Redis Serialization Protocol (RESP) uses CRLF as the command/response delimiter, an attacker who can control the content of a Redis message can inject arbitrary Redis commands or forge fake responses. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection')
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.129.Final and 4.2.8.Final, the `io.netty.handler.codec.http.HttpRequestEncoder` has a CRLF injection with the request URI when constructing a request. This leads to request smuggling when `HttpRequestEncoder` is used without proper sanitization of the URI. Any application / framework using `HttpRequestEncoder` can be subject to be abused to perform request smuggling using CRLF injection. Versions 4.1.129.Final and 4.2.8.Final fix the issue.
CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection')
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's chunk size parser silently overflows int, enabling request smuggling attacks. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling'), CWE-190 Integer Overflow or Wraparound
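An added check, not part of this report or of Netty: given the version of a Netty artifact actually resolved onto the classpath, compare it against the fixed versions stated in the entries on this page, per release line (4.1.x and 4.2.x are patched independently, and the QPACK entry names no 4.1 fix). The advisory family names and the table are this example's own shorthand for a few of the entries above.

```python
import re

# First fixed versions as stated in the entries on this page, per Netty release line.
# Four advisory families are enough to show the shape; extend the table from the page.
FIXED_IN = {
    "HttpRequestEncoder URI CRLF injection": {"4.1": "4.1.129.Final", "4.2": "4.2.8.Final"},
    "HTTP/2 CONTINUATION flood":             {"4.1": "4.1.132.Final", "4.2": "4.2.10.Final"},
    "chunk-size int overflow":               {"4.1": "4.1.133.Final", "4.2": "4.2.13.Final"},
    "QPACK literal allocation":              {"4.2": "4.2.13.Final"},  # the page names no 4.1 fix
}

_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.(Final|CR\d*|Beta\d*|Alpha\d*))?$")
_QUALIFIER_RANK = {"Alpha": 0, "Beta": 1, "CR": 2, "Final": 3}


def parse_version(text):
    """'4.1.133.Final' -> (4, 1, 133, 3, 0); pre-releases sort below the Final of the same patch."""
    m = _VERSION.match(text.strip())
    if not m:
        raise ValueError(f"not a Netty version: {text!r}")
    major, minor, patch, qualifier = m.groups()
    qualifier = qualifier or "Final"
    word = re.match(r"[A-Za-z]+", qualifier).group(0)
    number = int(qualifier[len(word):] or 0)
    return (int(major), int(minor), int(patch), _QUALIFIER_RANK[word], number)


def is_affected(resolved, fixed_by_line):
    """True or False when the page names a fix for this release line; None when it does not."""
    v = parse_version(resolved)
    fixed = fixed_by_line.get(f"{v[0]}.{v[1]}")
    if fixed is None:
        return None          # unknown is not the same as safe
    return v < parse_version(fixed)


def exposure(resolved):
    """Map every advisory family in FIXED_IN to True / False / None for one resolved version."""
    return {family: is_affected(resolved, lines) for family, lines in FIXED_IN.items()}
```

Feed it the resolved version, not the declared one (for Gradle: `gradle dependencyInsight --dependency io.netty:netty-codec-http --configuration runtimeClasspath`), because transitive upgrades and downgrades are exactly what this report is describing. A None result means the page names no fix for that release line, which must be treated as unknown rather than as unaffected.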
Netty allows request-line validation to be bypassed when a `DefaultHttpRequest` or `DefaultFullHttpRequest` is created first and its URI is later changed via `setUri()`. The constructors reject CRLF and whitespace characters that would break the start-line, but `setUri()` does not apply the same validation. `HttpRequestEncoder` and `RtspEncoder` then write the URI into the request line verbatim. If attacker-controlled input reaches `setUri()`, this enables CRLF injection and insertion of additional HTTP or RTSP requests, leading to HTTP request smuggling or desynchronization on the HTTP side and request injection on the RTSP side. This issue is fixed in versions 4.2.13.Final and 4.1.133.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling'), CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection')
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's HttpProxyHandler constructs HTTP CONNECT requests with header validation explicitly disabled. The newInitialMessage() method creates headers using DefaultHttpHeadersFactory.headersFactory().withValidation(false), then adds user-provided outboundHeaders without any CRLF validation. This allows an attacker who can influence the outbound headers to inject arbitrary HTTP headers into the CONNECT request sent to the proxy server. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CWE-113 Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')
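The three encoder-side entries above (the request URI in HttpRequestEncoder, a URI changed through setUri(), and the CONNECT headers built by HttpProxyHandler) share one root cause: a string the caller supplied is written into the start-line or a header line verbatim. The following is an added illustration in Python, not Netty code, of that shape next to the validation an encoder should apply before serializing; the injected URI and header values are constructed for the example.

```python
import re


class CrlfInjection(ValueError):
    """Raised when caller-supplied text would break out of the line it is placed in."""


# Constructed attacker input: a query value that carries a complete second request.
INJECTED_URI = "/search?q=x HTTP/1.1\r\nHost: victim.example\r\n\r\nGET /admin"

_BAD_IN_TARGET = re.compile(r"[\r\n\t \x00]")   # any of these ends or splits the start-line
_BAD_IN_VALUE = re.compile(r"[\r\n\x00]")       # CR, LF, NUL inside a field value
_BAD_IN_NAME = re.compile(r"[^\x21-\x7e]|:")    # field names are tokens: no CTL, SP or ':'


def serialize_unchecked(method, target, headers):
    """Vulnerable shape: every string is written into the wire format verbatim."""
    lines = [f"{method} {target} HTTP/1.1"] + [f"{n}: {v}" for n, v in headers]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")


def serialize_checked(method, target, headers):
    """Same output, but refuses input that could add a line the caller did not write."""
    if _BAD_IN_TARGET.search(target):
        raise CrlfInjection("request-target contains whitespace or CR/LF")
    for name, value in headers:
        if not name or _BAD_IN_NAME.search(name):
            raise CrlfInjection(f"bad header name {name!r}")
        if _BAD_IN_VALUE.search(value):
            raise CrlfInjection(f"CR/LF/NUL in value of {name}")
    return serialize_unchecked(method, target, headers)


_REQUEST_LINE = re.compile(rb"^[A-Z]+ \S+ HTTP/1\.[01]\r\n", re.M)


def count_requests(wire):
    """What the proxy or origin on the other end sees: how many request lines are in these bytes?"""
    return len(_REQUEST_LINE.findall(wire))
```

The check belongs at every point where the value can still change (constructor and setter alike), which is the gap the setUri() entry describes: validating once at construction and then accepting a later mutation unchecked gives the same wire bytes as never validating.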
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.
Notes: false positive, "io.projectreactor.netty.reactor-netty-core" should not match against "io.netty:netty-all"
file name: sharepoint-online-connector-0.9.0-candidate-4-5-0-SNAPSHOT.war: reactor-netty-core-1.2.10.jar
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpObjectDecoder strips a conflicting Content-Length header when a request carries both Transfer-Encoding: chunked and Content-Length, but only for HTTP/1.1 messages. The guard is absent for HTTP/1.0. An attacker that sends an HTTP/1.0 request with both headers causes Netty to decode the body as chunked while leaving Content-Length intact in the forwarded HttpMessage. Any downstream proxy or handler that trusts Content-Length over Transfer-Encoding will disagree on message boundaries, enabling request smuggling. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's DNS codec does not enforce RFC 1035 domain name constraints during either encoding or decoding. This creates a bidirectional attack surface: malicious DNS responses can exploit the decoder, and user-influenced hostnames can exploit the encoder. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpClientCodec pairs each inbound response with an outbound request by queue.poll() once per response, including for 1xx. If the client pipelines GET then HEAD and the server sends 103, then 200 with GET body, then 200 for HEAD, the queue pairs HEAD with the first 200. The HEAD rule then skips reading that message’s body, so the GET entity bytes stay on the stream and the following 200 is parsed from the wrong offset. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
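As an added illustration (not Netty's implementation), the pairing logic below reproduces the request-queue behaviour described above on a constructed byte stream: with the old rule a 103 consumes the GET, the GET's 200 is attributed to the HEAD and its body is left unread on the stream; with the corrected rule, interim responses leave the queue untouched. The wire bytes are constructed for the example.

```python
import re
from collections import deque

# Constructed server bytes for a pipelined GET then HEAD: a 103 for the GET, the GET's
# 200 with an 11-byte body, then the HEAD's 200 (Content-Length present, no body, as HEAD requires).
WIRE = (
    b"HTTP/1.1 103 Early Hints\r\nLink: </style.css>; rel=preload\r\n\r\n"
    b"HTTP/1.1 200 OK\r\nContent-Length: 11\r\n\r\nhello world"
    b"HTTP/1.1 200 OK\r\nContent-Length: 11\r\n\r\n"
)

_STATUS_AND_HEADERS = re.compile(rb"HTTP/1\.1 (\d{3}) [^\r\n]*\r\n((?:[^\r\n]+\r\n)*)\r\n")
_CONTENT_LENGTH = re.compile(rb"(?i)content-length:[ \t]*(\d+)")


def decode_responses(stream, outbound_methods, fixed):
    """Pair responses with the requests they answer. fixed=False reproduces the old pairing rule.

    Returns (pairs, leftover): pairs is [(method, status, body_bytes_consumed)] and leftover
    is whatever the decoder never framed, i.e. the bytes the next parse would start from.
    """
    queue = deque(outbound_methods)
    pairs, pos = [], 0
    while pos < len(stream) and queue:
        m = _STATUS_AND_HEADERS.match(stream, pos)
        if not m:
            break                       # desynchronised: the next bytes are not a status line
        status, headers = int(m.group(1)), m.group(2)
        pos = m.end()
        if status < 200:
            # 1xx is interim: the request is still outstanding, so the fixed decoder only peeks.
            method = queue[0] if fixed else queue.popleft()
            pairs.append((method, status, 0))
            continue
        method = queue.popleft()
        cl = _CONTENT_LENGTH.search(headers)
        length = int(cl.group(1)) if cl else 0
        if method == "HEAD":
            length = 0                  # HEAD responses carry no body whatever Content-Length says
        pairs.append((method, status, length))
        pos += length
    return pairs, stream[pos:]
```

With the old rule the leftover begins with the GET's entity bytes, so the next status line is read from inside a body: that is the "parsed from the wrong offset" state the entry describes, and from there every later response on the connection is misattributed.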
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, a remote user can trigger a Denial of Service (DoS) against a Netty HTTP/2 server by sending a flood of `CONTINUATION` frames. The server's lack of a limit on the number of `CONTINUATION` frames, combined with a bypass of existing size-based mitigations using zero-byte frames, allows a user to cause excessive CPU consumption with minimal bandwidth, rendering the server unresponsive. Versions 4.1.132.Final and 4.2.10.Final fix the issue.
CWE-770 Allocation of Resources Without Limits or Throttling
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, Netty incorrectly parses quoted strings in HTTP/1.1 chunked transfer encoding extension values, enabling request smuggling attacks. Versions 4.1.132.Final and 4.2.10.Final fix the issue.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final, when decoding header blocks, the non-Huffman branch of io.netty.handler.codec.http3.QpackDecoder#decodeHuffmanEncodedLiteral may execute new byte[length] for a string literal before verifying that length bytes are actually present in the compressed field section. The wire encoding allows a very large length to be expressed in few bytes. There is no check that length <= in.readableBytes() before new byte[length]. This vulnerability is fixed in 4.2.13.Final.
CWE-789 Memory Allocation with Excessive Size Value, CWE-770 Allocation of Resources Without Limits or Throttling
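Added example, not Netty's code: the integer encoding shared by HPACK (RFC 7541 §5.1) and QPACK (RFC 9204 §4.1.1) lets five bytes on the wire declare a 256 MiB string literal. The decoder below bounds the integer itself and checks the declared length against both a policy limit and the bytes actually present before it allocates anything of that size; the prefix widths, the continuation-byte cap and the 8 KiB default limit are the example's own choices.

```python
class QpackError(ValueError):
    """Malformed or oversized field-section data that must be rejected before allocating."""


def encode_prefixed_int(value, prefix_bits, high_bits=0):
    """RFC 7541 s5.1 integer (reused by QPACK); high_bits fill the bits above the prefix."""
    mask = (1 << prefix_bits) - 1
    if value < mask:
        return bytes([high_bits | value])
    out = bytearray([high_bits | mask])
    value -= mask
    while value >= 0x80:
        out.append((value & 0x7F) | 0x80)
        value >>= 7
    out.append(value)
    return bytes(out)


def decode_prefixed_int(buf, pos, prefix_bits, max_continuation=4):
    """Decode at buf[pos]; returns (value, next_pos). Capped so a runaway encoding cannot loop."""
    if pos >= len(buf):
        raise QpackError("truncated integer")
    mask = (1 << prefix_bits) - 1
    value = buf[pos] & mask
    pos += 1
    if value < mask:
        return value, pos
    shift = 0
    while True:
        if shift > 7 * (max_continuation - 1):
            raise QpackError("integer encoding too long")
        if pos >= len(buf):
            raise QpackError("truncated integer")
        b = buf[pos]
        pos += 1
        value += (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            return value, pos


def decode_string_literal(buf, pos, prefix_bits=7, max_len=8192):
    """Length-prefixed literal (RFC 9204 s4.1.2): H bit, N-bit-prefixed length, then the bytes.

    Both bounds are checked before any buffer the size of the declared length exists.
    """
    if pos >= len(buf):
        raise QpackError("truncated literal")
    huffman = (buf[pos] >> prefix_bits) & 1
    length, pos = decode_prefixed_int(buf, pos, prefix_bits)
    if length > max_len:
        raise QpackError(f"literal declares {length} bytes, limit is {max_len}")
    if length > len(buf) - pos:
        raise QpackError(f"literal declares {length} bytes but only {len(buf) - pos} remain")
    data = bytes(buf[pos:pos + length])          # allocation happens only after both checks
    if huffman:
        raise QpackError("Huffman-coded literal not handled by this example")
    return data, pos + length


# Constructed: five bytes on the wire declaring a 256 MiB literal, followed by two real bytes.
OVERSIZED_LITERAL = encode_prefixed_int(2 ** 28, 7) + b"ab"
```

The readable-bytes check alone is not sufficient in a streaming decoder, because a peer can keep the connection open and trickle bytes until the declared length is satisfied; the policy limit is what bounds memory per field section regardless of what eventually arrives.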
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Lz4FrameDecoder allocates a ByteBuf of size decompressedLength (up to 32 MB per block) before LZ4 runs. A peer only needs a 21-byte header plus compressedLength payload bytes - 22 bytes if compressedLength == 1 - to force that allocation. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CWE-400 Uncontrolled Resource Consumption, CWE-770 Allocation of Resources Without Limits or Throttling
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty incorrectly parses malformed Transfer-Encoding, enabling request smuggling attacks. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
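An added hardened parser in Python (not Netty's code) for the two framing decisions that the chunk-size overflow, HTTP/1.0 Content-Length/Transfer-Encoding, quoted-string chunk-extension and malformed Transfer-Encoding entries above turn on: which header delimits the body, and how a chunk-size line is parsed. The 32-bit bound and the set of accepted transfer-codings are this example's choices; the HTTP/1.0 rule follows RFC 9112 §6.1, which treats an HTTP/1.0 message carrying Transfer-Encoding as having faulty framing.

```python
import re


class BadMessage(ValueError):
    """Framing the parser refuses rather than guesses about."""


MAX_CHUNK_SIZE = 2 ** 31 - 1     # a Java int; reject anything a 32-bit parser could wrap
_HEX = re.compile(rb"[0-9A-Fa-f]+")
_TOKEN = re.compile(rb"[!#$%&'*+.^_`|~0-9A-Za-z-]+")     # RFC 9110 tchar
_KNOWN_CODINGS = {b"chunked", b"gzip", b"x-gzip", b"deflate", b"compress", b"x-compress"}


def _skip_bws(line, pos):
    while pos < len(line) and line[pos] in (0x20, 0x09):
        pos += 1
    return pos


def _read_quoted(line, pos):
    """Consume a quoted-string starting at line[pos] == '\"'; a backslash escapes one char."""
    out, i = bytearray(), pos + 1
    while True:
        if i >= len(line):
            raise BadMessage("unterminated quoted-string in chunk extension")
        c = line[i]
        if c == 0x22:
            return bytes(out), i + 1
        if c == 0x5C:
            i += 1
            if i >= len(line):
                raise BadMessage("dangling backslash in quoted-string")
            c = line[i]
        if (c < 0x20 and c != 0x09) or c == 0x7F:
            raise BadMessage("control character in quoted-string")
        out.append(c)
        i += 1


def parse_chunk_size_line(line):
    """Parse 'chunk-size [chunk-ext] CRLF' into (size, {ext-name: ext-value})."""
    if not line.endswith(b"\r\n"):
        raise BadMessage("chunk-size line must end with CRLF")
    line = line[:-2]
    m = _HEX.match(line)
    if not m:
        raise BadMessage("chunk-size must start with a hex digit")
    digits = m.group(0).lstrip(b"0") or b"0"
    if len(digits) > 8:
        # Refuse before converting: '100000000' (2**32) wraps to 0 in a 32-bit int and
        # would be taken for the terminating zero-length chunk.
        raise BadMessage("chunk-size wider than 32 bits")
    size = int(digits, 16)
    if size > MAX_CHUNK_SIZE:
        raise BadMessage("chunk-size exceeds 2**31-1")
    exts, pos = {}, m.end()
    while pos < len(line):
        pos = _skip_bws(line, pos)
        if line[pos:pos + 1] != b";":
            raise BadMessage("unexpected byte after chunk-size")
        pos = _skip_bws(line, pos + 1)
        t = _TOKEN.match(line, pos)
        if not t:
            raise BadMessage("chunk-ext-name must be a token")
        name, pos = t.group(0).lower(), _skip_bws(line, t.end())
        value = b""
        if line[pos:pos + 1] == b"=":
            pos = _skip_bws(line, pos + 1)
            if line[pos:pos + 1] == b'"':
                value, pos = _read_quoted(line, pos)   # ';' and '=' inside quotes are data
            else:
                t = _TOKEN.match(line, pos)
                if not t:
                    raise BadMessage("chunk-ext-val must be a token or quoted-string")
                value, pos = t.group(0), t.end()
        exts[name] = value
    return size, exts


def body_framing(version, headers):
    """Decide how the body is delimited, rejecting ambiguous combinations for every version."""
    te = [v for n, v in headers if n.lower() == b"transfer-encoding"]
    cl = [v for n, v in headers if n.lower() == b"content-length"]
    if te:
        if version != b"HTTP/1.1":
            raise BadMessage("Transfer-Encoding is not valid for " + version.decode())
        codings = [c.strip().lower() for v in te for c in v.split(b",")]
        if any(c == b"" or c not in _KNOWN_CODINGS for c in codings):
            raise BadMessage("malformed or unknown transfer-coding")
        if codings.count(b"chunked") != 1 or codings[-1] != b"chunked":
            raise BadMessage("chunked must be the final transfer-coding, exactly once")
        if cl:
            # A downstream that prefers Content-Length would see different boundaries: reject.
            raise BadMessage("Transfer-Encoding and Content-Length together")
        return "chunked"
    if cl:
        values = {v.strip() for v in cl}
        if len(values) != 1 or not re.fullmatch(rb"[0-9]{1,18}", next(iter(values))):
            raise BadMessage("conflicting or malformed Content-Length")
        return "content-length:%d" % int(next(iter(values)))
    return "none"
```

Rejecting rather than repairing is the safer default for anything that forwards messages: RFC 9112 also permits removing Content-Length and proceeding with chunked, but as the HTTP/1.0 entry shows, a repair that is applied for one protocol version and not another is itself the desynchronisation.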
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpContentDecompressor accepts a maxAllocation parameter to limit decompression buffer size and prevent decompression bomb attacks. This limit is correctly enforced for gzip and deflate encodings via ZlibDecoder, but is silently ignored when the content encoding is br (Brotli), zstd, or snappy. An attacker can bypass the configured decompression limit by sending a compressed payload with Content-Encoding: br instead of Content-Encoding: gzip, causing unbounded memory allocation and out-of-memory denial of service. The same vulnerability exists in DelegatingDecompressorFrameListener for HTTP/2 connections. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, the MQTT 5 header Properties section is parsed and buffered before any message size limit is applied. Specifically, in MqttDecoder, the decodeVariableHeader() method is called before the bytesRemainingBeforeVariableHeader > maxBytesInMessage check. The decodeVariableHeader() can call other methods which will call decodeProperties(). Effectively, Netty does not apply any limits to the size of the properties being decoded. Additionally, because MqttDecoder extends ReplayingDecoder, Netty will repeatedly re-parse the enormous Properties sections and buffer the bytes in memory, until the entire thing parses to completion. This can cause high resource usage in both CPU and memory. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, the Netty Redis codec encoder (RedisEncoder) writes user-controlled string content directly to the network output buffer without validating or sanitizing CRLF (\r\n) characters. Since the Redis Serialization Protocol (RESP) uses CRLF as the command/response delimiter, an attacker who can control the content of a Redis message can inject arbitrary Redis commands or forge fake responses. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection')
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.129.Final and 4.2.8.Final, the `io.netty.handler.codec.http.HttpRequestEncoder` has a CRLF injection with the request URI when constructing a request. This leads to request smuggling when `HttpRequestEncoder` is used without proper sanitization of the URI. Any application / framework using `HttpRequestEncoder` can be subject to be abused to perform request smuggling using CRLF injection. Versions 4.1.129.Final and 4.2.8.Final fix the issue.
CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection')
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's chunk size parser silently overflows int, enabling request smuggling attacks. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling'), CWE-190 Integer Overflow or Wraparound
Netty allows request-line validation to be bypassed when a `DefaultHttpRequest` or `DefaultFullHttpRequest` is created first and its URI is later changed via `setUri()`. The constructors reject CRLF and whitespace characters that would break the start-line, but `setUri()` does not apply the same validation. `HttpRequestEncoder` and `RtspEncoder` then write the URI into the request line verbatim. If attacker-controlled input reaches `setUri()`, this enables CRLF injection and insertion of additional HTTP or RTSP requests, leading to HTTP request smuggling or desynchronization on the HTTP side and request injection on the RTSP side. This issue is fixed in versions 4.2.13.Final and 4.1.133.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling'), CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection')
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's HttpProxyHandler constructs HTTP CONNECT requests with header validation explicitly disabled. The newInitialMessage() method creates headers using DefaultHttpHeadersFactory.headersFactory().withValidation(false), then adds user-provided outboundHeaders without any CRLF validation. This allows an attacker who can influence the outbound headers to inject arbitrary HTTP headers into the CONNECT request sent to the proxy server. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CWE-113 Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')
Notes: false positive, "io.projectreactor.netty.reactor-netty-core" should not match against "io.netty:netty-all"
file name: sharepoint-online-connector-0.9.0-candidate-4-5-0-SNAPSHOT.war: reactor-netty-core-1.2.10.jar
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpObjectDecoder strips a conflicting Content-Length header when a request carries both Transfer-Encoding: chunked and Content-Length, but only for HTTP/1.1 messages. The guard is absent for HTTP/1.0. An attacker that sends an HTTP/1.0 request with both headers causes Netty to decode the body as chunked while leaving Content-Length intact in the forwarded HttpMessage. Any downstream proxy or handler that trusts Content-Length over Transfer-Encoding will disagree on message boundaries, enabling request smuggling. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax, or might be interpreted as an "invalid fold."
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding header.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's DNS codec does not enforce RFC 1035 domain name constraints during either encoding or decoding. This creates a bidirectional attack surface: malicious DNS responses can exploit the decoder, and user-influenced hostnames can exploit the encoder. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpClientCodec pairs each inbound response with an outbound request by queue.poll() once per response, including for 1xx. If the client pipelines GET then HEAD and the server sends 103, then 200 with GET body, then 200 for HEAD, the queue pairs HEAD with the first 200. The HEAD rule then skips reading that message’s body, so the GET entity bytes stay on the stream and the following 200 is parsed from the wrong offset. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, a remote user can trigger a Denial of Service (DoS) against a Netty HTTP/2 server by sending a flood of `CONTINUATION` frames. The server's lack of a limit on the number of `CONTINUATION` frames, combined with a bypass of existing size-based mitigations using zero-byte frames, allows a user to cause excessive CPU consumption with minimal bandwidth, rendering the server unresponsive. Versions 4.1.132.Final and 4.2.10.Final fix the issue.
CWE-770 Allocation of Resources Without Limits or Throttling
Netty is an asynchronous, event-driven network application framework. Prior to versions 4.1.124.Final and 4.2.4.Final, Netty is vulnerable to MadeYouReset DDoS. This is a logical vulnerability in the HTTP/2 protocol that uses malformed HTTP/2 control frames in order to break the max concurrent streams limit, which results in resource exhaustion and distributed denial of service. This issue has been patched in versions 4.1.124.Final and 4.2.4.Final.
CWE-770 Allocation of Resources Without Limits or Throttling
Netty before 3.9.8.Final, 3.10.x before 3.10.3.Final, 4.0.x before 4.0.28.Final, and 4.1.x before 4.1.0.Beta5 and Play Framework 2.x before 2.3.9 might allow remote attackers to bypass the httpOnly flag on cookies and obtain sensitive information by leveraging improper validation of cookie name and value characters.
Netty before 4.1.42.Final mishandles whitespace before the colon in HTTP headers (such as a "Transfer-Encoding : chunked" line), which leads to HTTP request smuggling.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are affected. Malicious input can trigger an OOME and so a DoS attack.
The Snappy frame decoder function doesn't restrict the chunk length, which may lead to excessive memory usage. Besides this, it may also buffer reserved skippable chunks until the whole chunk has been received, which may lead to excessive memory usage as well. This vulnerability can be triggered by supplying malicious input that decompresses to a very big size (via a network stream or a file) or by sending a huge skippable chunk.
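The HttpContentDecompressor entry above, and the Bzip2Decoder and Snappy entries here, are the same defect seen three times: an output bound that exists for some codecs is absent for others. The following is an added Python illustration, not Netty's code. Python's standard library has no Brotli, zstd or Snappy, so gzip, deflate, bzip2 and xz stand in; the point, that the bound must be enforced through the streaming API of every codec in the table rather than wrapped around one of them, is unchanged. The codec table and the 1 MiB limit are the example's own.

```python
import bz2
import gzip
import lzma
import zlib


class DecompressionLimitExceeded(Exception):
    pass


# Streaming decompressors by Content-Encoding. The table is this example's own; a real
# gateway adds br/zstd/snappy here through their libraries' streaming decompressors.
def _new_decompressor(encoding):
    if encoding == "gzip":
        return zlib.decompressobj(wbits=zlib.MAX_WBITS | 16)
    if encoding == "deflate":
        return zlib.decompressobj(wbits=zlib.MAX_WBITS)
    if encoding == "bzip2":
        return bz2.BZ2Decompressor()
    if encoding == "xz":
        return lzma.LZMADecompressor()
    raise ValueError(f"unsupported Content-Encoding {encoding!r}")


def decompress_bounded(encoding, data, max_out):
    """Inflate at most max_out bytes for any accepted encoding; refuse instead of allocating more."""
    decomp = _new_decompressor(encoding)
    # Ask for one byte beyond the limit: receiving it proves the stream is too large, and the
    # decompressor stops there instead of inflating the rest into memory.
    out = decomp.decompress(data, max_out + 1)
    if len(out) > max_out:
        raise DecompressionLimitExceeded(f"{encoding}: decompressed output exceeds {max_out} bytes")
    if not decomp.eof:
        raise ValueError(f"{encoding}: truncated or unterminated stream")
    return out


def decompress_like_the_bug(encoding, data, max_out):
    """The shape of the flaw described above: the limit is wired only into the zlib codecs."""
    if encoding in ("gzip", "deflate"):
        return decompress_bounded(encoding, data, max_out)
    one_shot = {"bzip2": bz2.decompress, "xz": lzma.decompress}
    return one_shot[encoding](data)          # max_out silently ignored


def compress_zeros(encoding, size):
    """Constructed test input: `size` zero bytes, which every codec shrinks by orders of magnitude."""
    zeros = bytes(size)
    return {"gzip": gzip.compress, "deflate": zlib.compress,
            "bzip2": bz2.compress, "xz": lzma.compress}[encoding](zeros)
```

When reviewing a decompression path, test the limit once per Content-Encoding the service advertises or accepts, not once per service: a few kilobytes of bzip2 here inflate to 4 MiB through the unbounded branch while the bounded one stops after 1 MiB.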
Netty project is an event-driven asynchronous network application framework. In versions prior to 4.1.86.Final, a StackOverflowError can be raised when parsing a malformed crafted message due to an infinite recursion. This issue is patched in version 4.1.86.Final. There is no workaround, except using a custom HaProxyMessageDecoder.
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, Netty incorrectly parses quoted strings in HTTP/1.1 chunked transfer encoding extension values, enabling request smuggling attacks. Versions 4.1.132.Final and 4.2.10.Final fix the issue.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final, when decoding header blocks, the non-Huffman branch of io.netty.handler.codec.http3.QpackDecoder#decodeHuffmanEncodedLiteral may execute new byte[length] for a string literal before verifying that length bytes are actually present in the compressed field section. The wire encoding allows a very large length to be expressed in few bytes. There is no check that length <= in.readableBytes() before new byte[length]. This vulnerability is fixed in 4.2.13.Final.
CWE-789 Memory Allocation with Excessive Size Value, CWE-770 Allocation of Resources Without Limits or Throttling
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Lz4FrameDecoder allocates a ByteBuf of size decompressedLength (up to 32 MB per block) before LZ4 runs. A peer only needs a 21-byte header plus compressedLength payload bytes - 22 bytes if compressedLength == 1 - to force that allocation. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CWE-400 Uncontrolled Resource Consumption, CWE-770 Allocation of Resources Without Limits or Throttling
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty incorrectly parses malformed Transfer-Encoding, enabling request smuggling attacks. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpContentDecompressor accepts a maxAllocation parameter to limit decompression buffer size and prevent decompression bomb attacks. This limit is correctly enforced for gzip and deflate encodings via ZlibDecoder, but is silently ignored when the content encoding is br (Brotli), zstd, or snappy. An attacker can bypass the configured decompression limit by sending a compressed payload with Content-Encoding: br instead of Content-Encoding: gzip, causing unbounded memory allocation and out-of-memory denial of service. The same vulnerability exists in DelegatingDecompressorFrameListener for HTTP/2 connections. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, the MQTT 5 header Properties section is parsed and buffered before any message size limit is applied. Specifically, in MqttDecoder, the decodeVariableHeader() method is called before the bytesRemainingBeforeVariableHeader > maxBytesInMessage check. The decodeVariableHeader() can call other methods which will call decodeProperties(). Effectively, Netty does not apply any limits to the size of the properties being decoded. Additionally, because MqttDecoder extends ReplayingDecoder, Netty will repeatedly re-parse the enormous Properties sections and buffer the bytes in memory, until the entire thing parses to completion. This can cause high resource usage in both CPU and memory. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, the Netty Redis codec encoder (RedisEncoder) writes user-controlled string content directly to the network output buffer without validating or sanitizing CRLF (\r\n) characters. Since the Redis Serialization Protocol (RESP) uses CRLF as the command/response delimiter, an attacker who can control the content of a Redis message can inject arbitrary Redis commands or forge fake responses. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection')
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In netty-codec versions 4.1.124.Final and below, and netty-codec-compression versions 4.2.4.Final and below, when supplied with specially crafted input, BrotliDecoder and certain other decompression decoders will allocate a large number of reachable byte buffers, which can lead to denial of service. BrotliDecoder.decompress has no limit on how often it calls pull, decompressing data 64K bytes at a time. The buffers are saved in the output list, and remain reachable until OOM is hit. This is fixed in versions 4.1.125.Final of netty-codec and 4.2.5.Final of netty-codec-compression.
CWE-409 Improper Handling of Highly Compressed Data (Data Amplification)
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Netty prior to version 4.1.71.Final skips control chars when they are present at the beginning / end of the header name. It should instead fail fast, as these are not allowed by the spec and could lead to HTTP request smuggling. Failing to do the validation might cause Netty to "sanitize" header names before it forwards these to another remote system when used as a proxy. This remote system can't see the invalid usage anymore, and therefore does not do the validation itself. Users should upgrade to version 4.1.71.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. The `SniHandler` can allocate up to 16MB of heap for each channel during the TLS handshake. When the handler or the channel does not have an idle timeout, this can be used to make a TCP server using the `SniHandler` allocate 16MB of heap per channel. The `SniHandler` class is a handler that waits for the TLS handshake to configure a `SslHandler` according to the server name indicated by the `ClientHello` record. For this purpose it allocates a `ByteBuf` using the length value defined in the `ClientHello` record. Normally this value should be smaller than the handshake packet, but there are no checks done here, and the way the code is written, it is possible to craft a packet that makes the `SslClientHelloHandler`. This vulnerability has been fixed in version 4.1.94.Final.
CWE-400 Uncontrolled Resource Consumption, CWE-770 Allocation of Resources Without Limits or Throttling
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.129.Final and 4.2.8.Final, the `io.netty.handler.codec.http.HttpRequestEncoder` has a CRLF injection in the request URI when constructing a request. This leads to request smuggling when `HttpRequestEncoder` is used without proper sanitization of the URI. Any application / framework using `HttpRequestEncoder` can be abused to perform request smuggling using CRLF injection. Versions 4.1.129.Final and 4.2.8.Final fix the issue.
CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection')
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's chunk size parser silently overflows int, enabling request smuggling attacks. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling'), CWE-190 Integer Overflow or Wraparound
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.60.Final there is a vulnerability that enables request smuggling. If a Content-Length header is present in the original HTTP/2 request, the field is not validated by `Http2MultiplexHandler` as it is propagated up. This is fine as long as the request is not proxied through as HTTP/1.1. If the request comes in as an HTTP/2 stream, gets converted into the HTTP/1.1 domain objects (`HttpRequest`, `HttpContent`, etc.) via `Http2StreamFrameToHttpObjectCodec` and is then sent up to the child channel's pipeline and proxied through a remote peer as HTTP/1.1, this may result in request smuggling. In a proxy case, users may assume the content-length is validated somehow, which is not the case. If the request is forwarded to a backend channel that is an HTTP/1.1 connection, the Content-Length now has meaning and needs to be checked. An attacker can smuggle requests inside the body as it gets downgraded from HTTP/2 to HTTP/1.1. For an example attack refer to the linked GitHub Advisory. Users are only affected if all of this is true: `HTTP2MultiplexCodec` or `Http2FrameCodec` is used, `Http2StreamFrameToHttpObjectCodec` is used to convert to HTTP/1.1 objects, and these HTTP/1.1 objects are forwarded to another remote peer. This has been patched in 4.1.60.Final. As a workaround, the user can do the validation themselves by implementing a custom `ChannelInboundHandler` that is put in the `ChannelPipeline` behind `Http2StreamFrameToHttpObjectCodec`.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with endStream set to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a follow-up of GHSA-wm47-8v5p-wjpj/CVE-2021-21295, which missed this one case. This was fixed as part of 4.1.61.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty before version 4.1.59.Final there is a vulnerability on Unix-like systems involving an insecure temp file. When Netty's multipart decoders are used, local information disclosure can occur via the local system temporary directory if temporarily storing uploads on the disk is enabled. On Unix-like systems, the temporary directory is shared between all users. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure. Of note, this does not impact modern MacOS Operating Systems. The method "File.createTempFile" on Unix-like systems creates a random file, but by default will create this file with the permissions "-rw-r--r--". Thus, if sensitive information is written to this file, other local users can read this information. This is the case in Netty's "AbstractDiskHttpData", which is vulnerable. This has been fixed in version 4.1.59.Final. As a workaround, one may specify one's own "java.io.tmpdir" when starting the JVM, or use "DefaultHttpDataFactory.setBaseDir(...)" to set the directory to something that is only readable by the current user.
CWE-378 Creation of Temporary File With Insecure Permissions, CWE-379 Creation of Temporary File in Directory with Insecure Permissions, CWE-668 Exposure of Resource to Wrong Sphere
Netty is an open-source, asynchronous event-driven network application framework. The package `io.netty:netty-codec-http` prior to version 4.1.77.Final contains an insufficient fix for CVE-2021-21290. When Netty's multipart decoders are used, local information disclosure can occur via the local system temporary directory if temporarily storing uploads on the disk is enabled. This only impacts applications running on Java version 6 and lower. Additionally, this vulnerability impacts code running on Unix-like systems, and very old versions of Mac OSX and Windows, as they all share the system temporary directory between all users. Version 4.1.77.Final contains a patch for this vulnerability. As a workaround, specify one's own `java.io.tmpdir` when starting the JVM or use DefaultHttpDataFactory.setBaseDir(...) to set the directory to something that is only readable by the current user.
CWE-378 Creation of Temporary File With Insecure Permissions, CWE-379 Creation of Temporary File in Directory with Insecure Permissions, CWE-668 Exposure of Resource to Wrong Sphere
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. An unsafe reading of an environment file could potentially cause a denial of service in Netty. When loaded in a Windows application, Netty attempts to load a file that does not exist. If an attacker creates such a file and makes it large, the Netty application crashes. This vulnerability is fixed in 4.1.115.
Netty, an asynchronous, event-driven network application framework, has a vulnerability in versions up to and including 4.1.118.Final. An unsafe reading of an environment file could potentially cause a denial of service in Netty. When loaded in a Windows application, Netty attempts to load a file that does not exist. If an attacker creates such a file and makes it large, the Netty application crashes. A similar issue was previously reported as CVE-2024-47535. This issue was fixed, but the fix was incomplete in that null-bytes were not counted against the input limit. Commit d1fbda62d3a47835d3fb35db8bd42ecc205a5386 contains an updated fix.
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. The `HttpPostRequestDecoder` can be tricked into accumulating data. While the decoder can store items on the disk if configured to do so, there are no limits on the number of fields the form can have: an attacker can send a chunked POST consisting of many small fields that will be accumulated in the `bodyListHttpData` list. The decoder also accumulates bytes in the `undecodedChunk` buffer until it can decode a field, and this field can accumulate data without limits. This vulnerability is fixed in 4.1.108.Final.
CWE-770 Allocation of Resources Without Limits or Throttling
Netty allows request-line validation to be bypassed when a `DefaultHttpRequest` or `DefaultFullHttpRequest` is created first and its URI is later changed via `setUri()`. The constructors reject CRLF and whitespace characters that would break the start-line, but `setUri()` does not apply the same validation. `HttpRequestEncoder` and `RtspEncoder` then write the URI into the request line verbatim. If attacker-controlled input reaches `setUri()`, this enables CRLF injection and insertion of additional HTTP or RTSP requests, leading to HTTP request smuggling or desynchronization on the HTTP side and request injection on the RTSP side. This issue is fixed in versions 4.2.13.Final and 4.1.133.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling'), CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection')
The SslHandler in Netty before 3.9.2 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted SSLv2Hello message.
CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
Netty is an asynchronous event-driven network application framework for development of maintainable high performance protocol servers and clients. In versions 4.1.124.Final, and 4.2.0.Alpha3 through 4.2.4.Final, Netty incorrectly accepts standalone newline characters (LF) as a chunk-size line terminator, regardless of a preceding carriage return (CR), instead of requiring CRLF per HTTP/1.1 standards. When combined with reverse proxies that parse LF differently (treating it as part of the chunk extension), attackers can craft requests that the proxy sees as one request but Netty processes as two, enabling request smuggling attacks. This is fixed in versions 4.1.125.Final and 4.2.5.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's HttpProxyHandler constructs HTTP CONNECT requests with header validation explicitly disabled. The newInitialMessage() method creates headers using DefaultHttpHeadersFactory.headersFactory().withValidation(false), then adds user-provided outboundHeaders without any CRLF validation. This allows an attacker who can influence the outbound headers to inject arbitrary HTTP headers into the CONNECT request sent to the proxy server. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CWE-113 Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')
Notes: false positive, "io.projectreactor.netty.reactor-netty-core" should not match against "io.netty:netty-all"
file name: sharepoint-online-connector-0.9.0-candidate-4-5-0-SNAPSHOT.war: reactor-netty-core-1.2.10.jar
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpObjectDecoder strips a conflicting Content-Length header when a request carries both Transfer-Encoding: chunked and Content-Length, but only for HTTP/1.1 messages. The guard is absent for HTTP/1.0. An attacker that sends an HTTP/1.0 request with both headers causes Netty to decode the body as chunked while leaving Content-Length intact in the forwarded HttpMessage. Any downstream proxy or handler that trusts Content-Length over Transfer-Encoding will disagree on message boundaries, enabling request smuggling. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax, or might be interpreted as an "invalid fold."
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding header.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's DNS codec does not enforce RFC 1035 domain name constraints during either encoding or decoding. This creates a bidirectional attack surface: malicious DNS responses can exploit the decoder, and user-influenced hostnames can exploit the encoder. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpClientCodec pairs each inbound response with an outbound request by queue.poll() once per response, including for 1xx. If the client pipelines GET then HEAD and the server sends 103, then 200 with GET body, then 200 for HEAD, the queue pairs HEAD with the first 200. The HEAD rule then skips reading that message’s body, so the GET entity bytes stay on the stream and the following 200 is parsed from the wrong offset. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, a remote user can trigger a Denial of Service (DoS) against a Netty HTTP/2 server by sending a flood of `CONTINUATION` frames. The server's lack of a limit on the number of `CONTINUATION` frames, combined with a bypass of existing size-based mitigations using zero-byte frames, allows a user to cause excessive CPU consumption with minimal bandwidth, rendering the server unresponsive. Versions 4.1.132.Final and 4.2.10.Final fix the issue.
CWE-770 Allocation of Resources Without Limits or Throttling
Netty is an asynchronous, event-driven network application framework. Prior to versions 4.1.124.Final and 4.2.4.Final, Netty is vulnerable to MadeYouReset DDoS. This is a logical vulnerability in the HTTP/2 protocol that uses malformed HTTP/2 control frames in order to break the max concurrent streams limit, which results in resource exhaustion and distributed denial of service. This issue has been patched in versions 4.1.124.Final and 4.2.4.Final.
CWE-770 Allocation of Resources Without Limits or Throttling
Netty before 3.9.8.Final, 3.10.x before 3.10.3.Final, 4.0.x before 4.0.28.Final, and 4.1.x before 4.1.0.Beta5 and Play Framework 2.x before 2.3.9 might allow remote attackers to bypass the httpOnly flag on cookies and obtain sensitive information by leveraging improper validation of cookie name and value characters.
Netty before 4.1.42.Final mishandles whitespace before the colon in HTTP headers (such as a "Transfer-Encoding : chunked" line), which leads to HTTP request smuggling.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are affected. Malicious input can trigger an OOME and so a DoS attack.
The Snappy frame decoder function doesn't restrict the chunk length, which may lead to excessive memory usage. Besides this, it also may buffer reserved skippable chunks until the whole chunk has been received, which may lead to excessive memory usage as well. This vulnerability can be triggered by supplying malicious input that decompresses to a very big size (via a network stream or a file) or by sending a huge skippable chunk.
The Netty project is an event-driven asynchronous network application framework. In versions prior to 4.1.86.Final, a StackOverflowError can be raised when parsing a malformed crafted message due to infinite recursion. This issue is patched in version 4.1.86.Final. There is no workaround, except using a custom HaProxyMessageDecoder.
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, Netty incorrectly parses quoted strings in HTTP/1.1 chunked transfer encoding extension values, enabling request smuggling attacks. Versions 4.1.132.Final and 4.2.10.Final fix the issue.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final, when decoding header blocks, the non-Huffman branch of io.netty.handler.codec.http3.QpackDecoder#decodeHuffmanEncodedLiteral may execute new byte[length] for a string literal before verifying that length bytes are actually present in the compressed field section. The wire encoding allows a very large length to be expressed in few bytes. There is no check that length <= in.readableBytes() before new byte[length]. This vulnerability is fixed in 4.2.13.Final.
CWE-789 Memory Allocation with Excessive Size Value, CWE-770 Allocation of Resources Without Limits or Throttling
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Lz4FrameDecoder allocates a ByteBuf of size decompressedLength (up to 32 MB per block) before LZ4 runs. A peer only needs a 21-byte header plus compressedLength payload bytes (22 bytes if compressedLength == 1) to force that allocation. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CWE-400 Uncontrolled Resource Consumption, CWE-770 Allocation of Resources Without Limits or Throttling
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty incorrectly parses malformed Transfer-Encoding, enabling request smuggling attacks. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpContentDecompressor accepts a maxAllocation parameter to limit decompression buffer size and prevent decompression bomb attacks. This limit is correctly enforced for gzip and deflate encodings via ZlibDecoder, but is silently ignored when the content encoding is br (Brotli), zstd, or snappy. An attacker can bypass the configured decompression limit by sending a compressed payload with Content-Encoding: br instead of Content-Encoding: gzip, causing unbounded memory allocation and out-of-memory denial of service. The same vulnerability exists in DelegatingDecompressorFrameListener for HTTP/2 connections. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, the MQTT 5 header Properties section is parsed and buffered before any message size limit is applied. Specifically, in MqttDecoder, the decodeVariableHeader() method is called before the bytesRemainingBeforeVariableHeader > maxBytesInMessage check. The decodeVariableHeader() can call other methods which will call decodeProperties(). Effectively, Netty does not apply any limits to the size of the properties being decoded. Additionally, because MqttDecoder extends ReplayingDecoder, Netty will repeatedly re-parse the enormous Properties sections and buffer the bytes in memory, until the entire thing parses to completion. This can cause high resource usage in both CPU and memory. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.