{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2024-29025", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-03-14T16:59:47.611Z", "datePublished": "2024-03-25T20:09:35.156Z", "dateUpdated": "2025-02-13T17:47:35.781Z"}, "containers": {"cna": {"title": "Netty HttpPostRequestDecoder can OOM", "problemTypes": [{"descriptions": [{"cweId": "CWE-770", "lang": "en", "description": "CWE-770: Allocation of Resources Without Limits or Throttling", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/netty/netty/security/advisories/GHSA-5jpm-x58v-624v", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/netty/netty/security/advisories/GHSA-5jpm-x58v-624v"}, {"name": "https://github.com/netty/netty/commit/0d0c6ed782d13d423586ad0c71737b2c7d02058c", "tags": ["x_refsource_MISC"], "url": "https://github.com/netty/netty/commit/0d0c6ed782d13d423586ad0c71737b2c7d02058c"}, {"name": "https://gist.github.com/vietj/f558b8ea81ec6505f1e9a6ca283c9ae3", "tags": ["x_refsource_MISC"], "url": "https://gist.github.com/vietj/f558b8ea81ec6505f1e9a6ca283c9ae3"}, {"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00015.html"}], "affected": [{"vendor": "netty", "product": "netty", "versions": [{"version": "< 4.1.108.Final", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-06-21T22:06:06.551Z"}, "descriptions": [{"lang": "en", "value": "Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. The `HttpPostRequestDecoder` can be tricked to accumulate data. While the decoder can store items on the disk if configured so, there are no limits to the number of fields the form can have, an attacher can send a chunked post consisting of many small fields that will be accumulated in the `bodyListHttpData` list. The decoder cumulates bytes in the `undecodedChunk` buffer until it can decode a field, this field can cumulate data without limits. This vulnerability is fixed in 4.1.108.Final."}], "source": {"advisory": "GHSA-5jpm-x58v-624v", "discovery": "UNKNOWN"}}, "adp": [{"affected": [{"vendor": "netty", "product": "netty", "cpes": ["cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "4.1.108.Final", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-07-19T15:54:48.153095Z", "id": "CVE-2024-29025", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-19T21:08:16.746Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T01:03:51.668Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/netty/netty/security/advisories/GHSA-5jpm-x58v-624v", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/netty/netty/security/advisories/GHSA-5jpm-x58v-624v"}, {"name": "https://github.com/netty/netty/commit/0d0c6ed782d13d423586ad0c71737b2c7d02058c", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/netty/netty/commit/0d0c6ed782d13d423586ad0c71737b2c7d02058c"}, {"name": "https://gist.github.com/vietj/f558b8ea81ec6505f1e9a6ca283c9ae3", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://gist.github.com/vietj/f558b8ea81ec6505f1e9a6ca283c9ae3"}, {"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00015.html", "tags": ["x_transferred"]}]}]}, "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/netty/netty/security/advisories/GHSA-5jpm-x58v-624v", "name": "https://github.com/netty/netty/security/advisories/GHSA-5jpm-x58v-624v", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/netty/netty/commit/0d0c6ed782d13d423586ad0c71737b2c7d02058c", "name": "https://github.com/netty/netty/commit/0d0c6ed782d13d423586ad0c71737b2c7d02058c", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://gist.github.com/vietj/f558b8ea81ec6505f1e9a6ca283c9ae3", "name": "https://gist.github.com/vietj/f558b8ea81ec6505f1e9a6ca283c9ae3", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00015.html", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T01:03:51.668Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-29025", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-07-19T15:54:48.153095Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:*"], "vendor": "netty", "product": "netty", "versions": [{"status": "affected", "version": "0", "lessThan": "4.1.108.Final", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-19T15:56:50.341Z"}}], "cna": {"title": "Netty HttpPostRequestDecoder can OOM", "source": {"advisory": "GHSA-5jpm-x58v-624v", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "netty", "product": "netty", "versions": [{"status": "affected", "version": "< 4.1.108.Final"}]}], "references": [{"url": "https://github.com/netty/netty/security/advisories/GHSA-5jpm-x58v-624v", "name": "https://github.com/netty/netty/security/advisories/GHSA-5jpm-x58v-624v", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/netty/netty/commit/0d0c6ed782d13d423586ad0c71737b2c7d02058c", "name": "https://github.com/netty/netty/commit/0d0c6ed782d13d423586ad0c71737b2c7d02058c", "tags": ["x_refsource_MISC"]}, {"url": "https://gist.github.com/vietj/f558b8ea81ec6505f1e9a6ca283c9ae3", "name": "https://gist.github.com/vietj/f558b8ea81ec6505f1e9a6ca283c9ae3", "tags": ["x_refsource_MISC"]}, {"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00015.html"}], "descriptions": [{"lang": "en", "value": "Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. The `HttpPostRequestDecoder` can be tricked to accumulate data. While the decoder can store items on the disk if configured so, there are no limits to the number of fields the form can have, an attacher can send a chunked post consisting of many small fields that will be accumulated in the `bodyListHttpData` list. The decoder cumulates bytes in the `undecodedChunk` buffer until it can decode a field, this field can cumulate data without limits. This vulnerability is fixed in 4.1.108.Final."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-770", "description": "CWE-770: Allocation of Resources Without Limits or Throttling"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-03-25T20:09:35.156Z"}}}, "cveMetadata": {"cveId": "CVE-2024-29025", "state": "PUBLISHED", "dateUpdated": "2024-08-02T01:03:51.668Z", "dateReserved": "2024-03-14T16:59:47.611Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-03-25T20:09:35.156Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:*", "matchCriteriaId": "CF78319A-FCF4-405B-90AE-9EDBB2AA55AB", "versionEndExcluding": "4.1.108", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. The `HttpPostRequestDecoder` can be tricked to accumulate data. While the decoder can store items on the disk if configured so, there are no limits to the number of fields the form can have, an attacher can send a chunked post consisting of many small fields that will be accumulated in the `bodyListHttpData` list. The decoder cumulates bytes in the `undecodedChunk` buffer until it can decode a field, this field can cumulate data without limits. This vulnerability is fixed in 4.1.108.Final."}, {"lang": "es", "value": "Netty es un framework de aplicaci\u00f3n de red as\u00edncrono impulsado por eventos para el desarrollo r\u00e1pido de servidores y clientes de protocolo de alto rendimiento mantenibles. Se puede enga\u00f1ar al `HttpPostRequestDecoder` para que acumule datos. Si bien el decodificador puede almacenar elementos en el disco si est\u00e1 configurado as\u00ed, no hay l\u00edmites para la cantidad de campos que puede tener el formulario, un adjunto puede enviar una publicaci\u00f3n fragmentada que consta de muchos campos peque\u00f1os que se acumular\u00e1n en la lista `bodyListHttpData`. El decodificador acumula bytes en el b\u00fafer `undecodedChunk` hasta que puede decodificar un campo, este campo puede acumular datos sin l\u00edmites. Esta vulnerabilidad se soluciona en 4.1.108.Final."}], "id": "CVE-2024-29025", "lastModified": "2025-09-19T15:10:53.740", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-03-25T20:15:08.797", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit"], "url": "https://gist.github.com/vietj/f558b8ea81ec6505f1e9a6ca283c9ae3"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/netty/netty/commit/0d0c6ed782d13d423586ad0c71737b2c7d02058c"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory", "Exploit"], "url": "https://github.com/netty/netty/security/advisories/GHSA-5jpm-x58v-624v"}, {"source": "security-advisories@github.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00015.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit"], "url": "https://gist.github.com/vietj/f558b8ea81ec6505f1e9a6ca283c9ae3"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/netty/netty/commit/0d0c6ed782d13d423586ad0c71737b2c7d02058c"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory", "Exploit"], "url": "https://github.com/netty/netty/security/advisories/GHSA-5jpm-x58v-624v"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00015.html"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-770"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2024:2088", "cpe": "cpe:/a:redhat:cryostat:2::el8", "package": "cryostat-tech-preview/cryostat-grafana-dashboard-rhel8:2.4.0-7", "product_name": "Cryostat 2 on RHEL 8", "release_date": "2024-04-29T00:00:00Z"}, {"advisory": "RHSA-2024:2088", "cpe": "cpe:/a:redhat:cryostat:2::el8", "package": "cryostat-tech-preview/cryostat-operator-bundle:2.4.0-4", "product_name": "Cryostat 2 on RHEL 8", "release_date": "2024-04-29T00:00:00Z"}, {"advisory": "RHSA-2024:2088", "cpe": "cpe:/a:redhat:cryostat:2::el8", "package": "cryostat-tech-preview/cryostat-reports-rhel8:2.4.0-4", "product_name": "Cryostat 2 on RHEL 8", "release_date": "2024-04-29T00:00:00Z"}, {"advisory": "RHSA-2024:2088", "cpe": "cpe:/a:redhat:cryostat:2::el8", "package": "cryostat-tech-preview/cryostat-rhel8:2.4.0-4", "product_name": "Cryostat 2 on RHEL 8", "release_date": "2024-04-29T00:00:00Z"}, {"advisory": "RHSA-2024:2088", "cpe": "cpe:/a:redhat:cryostat:2::el8", "package": "cryostat-tech-preview/cryostat-rhel8-operator:2.4.0-9", "product_name": "Cryostat 2 on RHEL 8", "release_date": "2024-04-29T00:00:00Z"}, {"advisory": "RHSA-2024:2088", "cpe": "cpe:/a:redhat:cryostat:2::el8", "package": "cryostat-tech-preview/jfr-datasource-rhel8:2.4.0-4", "product_name": "Cryostat 2 on RHEL 8", "release_date": "2024-04-29T00:00:00Z"}, {"advisory": "RHSA-2024:3550", "cpe": "cpe:/a:redhat:rhboac_hawtio:4.0.0", "package": "netty-codec-http", "product_name": "HawtIO 4.0.0 for Red Hat build of Apache Camel 4", "release_date": "2024-06-03T00:00:00Z"}, {"advisory": "RHSA-2024:6657", "cpe": "cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8", "package": "netty-codec-http", "product_name": "Migration Toolkit for Runtimes 1 on RHEL 8", "release_date": "2024-09-12T00:00:00Z"}, {"advisory": "RHSA-2024:2945", "cpe": "cpe:/a:redhat:amq_broker:7.12", "package": "netty-codec-http", "product_name": "Red Hat AMQ Broker 7", "release_date": "2024-05-21T00:00:00Z"}, {"advisory": "RHSA-2024:3527", "cpe": "cpe:/a:redhat:amq_streams:2", "package": "netty-codec-http", "product_name": "Red Hat AMQ Streams 2.7.0", "release_date": "2024-05-30T00:00:00Z"}, {"advisory": "RHSA-2024:4884", "cpe": "cpe:/a:redhat:apache_camel_spring_boot:4.4::el6", "product_name": "Red Hat build of Apache Camel 4.4.1 for Spring Boot 3.2", "release_date": "2024-07-25T00:00:00Z"}, {"advisory": "RHSA-2024:2705", "cpe": "cpe:/a:redhat:quarkus:3.2::el8", "package": "io.netty/netty-codec-http:4.1.108.Final-redhat-00001", "product_name": "Red Hat build of Quarkus 3.2.12.Final", "release_date": "2024-05-09T00:00:00Z"}, {"advisory": "RHSA-2024:2106", "cpe": "cpe:/a:redhat:quarkus:3.8::el8", "package": "io.netty/netty-codec-http:4.1.108.Final-redhat-00001", "product_name": "Red Hat build of Quarkus 3.8.4.redhat", "release_date": "2024-05-07T00:00:00Z"}, {"advisory": "RHSA-2024:4460", "cpe": "cpe:/a:redhat:jboss_data_grid:8", "package": "netty-codec-http", "product_name": "Red Hat Data Grid", "release_date": "2024-07-10T00:00:00Z"}, {"advisory": "RHSA-2024:5147", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4", "package": "netty-codec-http", "product_name": "Red Hat JBoss Enterprise Application Platform 7", "release_date": "2024-08-08T00:00:00Z"}, {"advisory": "RHSA-2024:5144", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8", "package": "eap7-netty-0:4.1.108-1.Final_redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8", "release_date": "2024-08-08T00:00:00Z"}, {"advisory": "RHSA-2024:5144", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8", "package": "eap7-netty-transport-native-epoll-0:4.1.108-1.Final_redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8", "release_date": "2024-08-08T00:00:00Z"}, {"advisory": "RHSA-2024:5144", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8", "package": "eap7-netty-xnio-transport-0:0.1.10-1.Final_redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8", "release_date": "2024-08-08T00:00:00Z"}, {"advisory": "RHSA-2024:5145", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9", "package": "eap7-netty-0:4.1.108-1.Final_redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9", "release_date": "2024-08-08T00:00:00Z"}, {"advisory": "RHSA-2024:5145", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9", "package": "eap7-netty-transport-native-epoll-0:4.1.108-1.Final_redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9", "release_date": "2024-08-08T00:00:00Z"}, {"advisory": "RHSA-2024:5145", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9", "package": "eap7-netty-xnio-transport-0:0.1.10-1.Final_redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9", "release_date": "2024-08-08T00:00:00Z"}, {"advisory": "RHSA-2024:5143", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7", "package": "eap7-netty-0:4.1.108-1.Final_redhat_00001.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7", "release_date": "2024-08-08T00:00:00Z"}, {"advisory": "RHSA-2024:5143", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7", "package": "eap7-netty-transport-native-epoll-0:4.1.108-1.Final_redhat_00001.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7", "release_date": "2024-08-08T00:00:00Z"}, {"advisory": "RHSA-2024:5143", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7", "package": "eap7-netty-xnio-transport-0:0.1.10-1.Final_redhat_00001.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7", "release_date": "2024-08-08T00:00:00Z"}, {"advisory": "RHSA-2024:5482", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0", "package": "netty-codec-http", "product_name": "Red Hat JBoss Enterprise Application Platform 8", "release_date": "2024-08-15T00:00:00Z"}, {"advisory": "RHSA-2024:5479", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package": "eap8-apache-commons-beanutils-0:1.9.4-13.redhat_00004.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date": "2024-08-15T00:00:00Z"}, {"advisory": "RHSA-2024:5479", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package": "eap8-guava-libraries-0:33.0.0-1.jre_redhat_00002.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date": "2024-08-15T00:00:00Z"}, {"advisory": "RHSA-2024:5479", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package": "eap8-jakarta-servlet-api-0:6.0.0-5.redhat_00006.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date": "2024-08-15T00:00:00Z"}, {"advisory": "RHSA-2024:5479", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package": "eap8-jaxb-0:4.0.5-2.redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date": "2024-08-15T00:00:00Z"}, {"advisory": "RHSA-2024:5479", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package": "eap8-jboss-openjdk-orb-0:10.1.0-1.Final_redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date": "2024-08-15T00:00:00Z"}, {"advisory": "RHSA-2024:5479", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package": "eap8-netty-0:4.1.108-1.Final_redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date": "2024-08-15T00:00:00Z"}, {"advisory": "RHSA-2024:5479", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package": "eap8-wsdl4j-0:1.6.3-5.redhat_00008.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date": "2024-08-15T00:00:00Z"}, {"advisory": "RHSA-2024:5481", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-activemq-artemis-0:2.21.0-5.redhat_00052.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-08-15T00:00:00Z"}, {"advisory": "RHSA-2024:5481", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-angus-0:2.0.3-1.redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-08-15T00:00:00Z"}, {"advisory": "RHSA-2024:5481", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-angus-activation-0:2.0.1-3.redhat_00006.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-08-15T00:00:00Z"}, {"advisory": "RHSA-2024:5481", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-apache-commons-beanutils-0:1.9.4-13.redhat_00004.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-08-15T00:00:00Z"}, {"advisory": "RHSA-2024:5481", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-apache-commons-cli-0:1.4.0-2.redhat_00003.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-08-15T00:00:00Z"}, {"advisory": "RHSA-2024:5481", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-apache-commons-codec-0:1.15.0-6.redhat_00016.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-08-15T00:00:00Z"}, {"advisory": "RHSA-2024:5481", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-apache-cxf-0:4.0.4-1.redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-08-15T00:00:00Z"}, {"advisory": "RHSA-2024:5481", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-apache-cxf-xjc-utils-0:4.0.0-5.redhat_00003.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-08-15T00:00:00Z"}, {"advisory": "RHSA-2024:5481", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-apache-mime4j-0:0.8.11-1.redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-08-15T00:00:00Z"}, {"advisory": "RHSA-2024:5481", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-apache-sshd-0:2.12.1-2.redhat_00002.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-08-15T00:00:00Z"}, {"advisory": "RHSA-2024:5481", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-bouncycastle-0:1.78.1-1.redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-08-15T00:00:00Z"}, {"advisory": "RHSA-2024:5481", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-byte-buddy-0:1.14.18-1.redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-08-15T00:00:00Z"}, {"advisory": "RHSA-2024:5481", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-caffeine-0:3.1.8-2.redhat_00002.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-08-15T00:00:00Z"}, {"advisory": "RHSA-2024:5481", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-eap-product-conf-parent-0:800.3.0-2.GA_redhat_00004.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-08-15T00:00:00Z"}, {"advisory": "RHSA-2024:5481", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-guava-failureaccess-0:1.0.2-1.redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-08-15T00:00:00Z"}, {"advisory": "RHSA-2024:5481", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-guava-libraries-0:33.0.0-1.jre_redhat_00002.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-08-15T00:00:00Z"}, {"advisory": "RHSA-2024:5481", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-hal-console-0:3.6.19-1.Final_redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-08-15T00:00:00Z"}, {"advisory": "RHSA-2024:5481", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-hornetq-0:2.4.9-4.Final_redhat_00002.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-08-15T00:00:00Z"}, {"advisory": "RHSA-2024:5481", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-httpcomponents-asyncclient-0:4.1.5-3.redhat_00005.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-08-15T00:00:00Z"}, {"advisory": "RHSA-2024:5481", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-httpcomponents-client-0:4.5.14-4.redhat_00012.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-08-15T00:00:00Z"}, {"advisory": "RHSA-2024:5481", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-httpcomponents-core-0:4.4.16-4.redhat_00010.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-08-15T00:00:00Z"}, {"advisory": "RHSA-2024:5481", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-infinispan-0:14.0.30-2.Final_redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-08-15T00:00:00Z"}, {"advisory": "RHSA-2024:5481", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-jakarta-json-api-0:2.1.3-1.redhat_00002.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-08-15T00:00:00Z"}, {"advisory": "RHSA-2024:5481", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-jakarta-mail-0:2.1.3-1.redhat_00002.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-08-15T00:00:00Z"}, {"advisory": "RHSA-2024:5481", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-jakarta-servlet-api-0:6.0.0-5.redhat_00006.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-08-15T00:00:00Z"}, {"advisory": "RHSA-2024:5481", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-jakarta-websocket-0:2.1.1-1.redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-08-15T00:00:00Z"}, {"advisory": "RHSA-2024:5481", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-jakarta-xml-bind-api-0:4.0.1-1.redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-08-15T00:00:00Z"}, {"advisory": "RHSA-2024:5481", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-jandex-0:3.0.8-1.redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-08-15T00:00:00Z"}, {"advisory": "RHSA-2024:5481", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-jasypt-0:1.9.3-4.redhat_00004.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-08-15T00:00:00Z"}, {"advisory": "RHSA-2024:5481", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-java-classmate-0:1.5.1-3.redhat_00004.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-08-15T00:00:00Z"}, {"advisory": "RHSA-2024:5481", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-jaxb-0:4.0.5-2.redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-08-15T00:00:00Z"}, {"advisory": "RHSA-2024:5481", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-jboss-metadata-0:16.0.0-3.Final_redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-08-15T00:00:00Z"}, {"advisory": "RHSA-2024:5481", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-jboss-openjdk-orb-0:10.1.0-1.Final_redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-08-15T00:00:00Z"}, {"advisory": "RHSA-2024:5481", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-jbossws-cxf-0:7.1.0-1.Final_redhat_00002.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-08-15T00:00:00Z"}, {"advisory": "RHSA-2024:5481", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-joda-time-0:2.12.7-1.redhat_00002.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-08-15T00:00:00Z"}, {"advisory": "RHSA-2024:5481", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-jsf-impl-0:4.0.7-1.redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-08-15T00:00:00Z"}, {"advisory": "RHSA-2024:5481", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-mod_cluster-0:2.0.3-1.Final_redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-08-15T00:00:00Z"}, {"advisory": "RHSA-2024:5481", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-neethi-0:3.2.0-1.redhat_00004.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-08-15T00:00:00Z"}, {"advisory": "RHSA-2024:5481", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-netty-0:4.1.108-1.Final_redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-08-15T00:00:00Z"}, {"advisory": "RHSA-2024:5481", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-netty-transport-native-epoll-0:4.1.108-1.Final_redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-08-15T00:00:00Z"}, {"advisory": "RHSA-2024:5481", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-netty-xnio-transport-0:0.1.10-1.Final_redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-08-15T00:00:00Z"}, {"advisory": "RHSA-2024:5481", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-opensaml-0:4.2.0-4.redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-08-15T00:00:00Z"}, {"advisory": "RHSA-2024:5481", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-parsson-0:1.1.5-2.redhat_00002.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-08-15T00:00:00Z"}, {"advisory": "RHSA-2024:5481", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-reactivex-rxjava-0:3.1.8-1.redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-08-15T00:00:00Z"}, {"advisory": "RHSA-2024:5481", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-resteasy-0:6.2.7-2.Final_redhat_00002.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-08-15T00:00:00Z"}, {"advisory": "RHSA-2024:5481", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-slf4j-0:2.0.13-1.redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-08-15T00:00:00Z"}, {"advisory": "RHSA-2024:5481", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-stax2-api-0:4.2.2-1.redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-08-15T00:00:00Z"}, {"advisory": "RHSA-2024:5481", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-velocity-0:2.3.0-3.redhat_00009.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-08-15T00:00:00Z"}, {"advisory": "RHSA-2024:5481", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-weld-core-0:5.1.2-2.Final_redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-08-15T00:00:00Z"}, {"advisory": "RHSA-2024:5481", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-wildfly-0:8.0.3-9.GA_redhat_00004.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-08-15T00:00:00Z"}, {"advisory": "RHSA-2024:5481", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-wildfly-discovery-0:1.3.0-1.Final_redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-08-15T00:00:00Z"}, {"advisory": "RHSA-2024:5481", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-wildfly-elytron-0:2.2.6-1.Final_redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-08-15T00:00:00Z"}, {"advisory": "RHSA-2024:5481", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-wsdl4j-0:1.6.3-5.redhat_00008.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-08-15T00:00:00Z"}, {"advisory": "RHSA-2024:5481", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-wss4j-0:3.0.3-1.redhat_00008.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-08-15T00:00:00Z"}, {"advisory": "RHSA-2024:5481", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-xml-security-0:3.0.4-1.redhat_00005.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-08-15T00:00:00Z"}, {"advisory": "RHSA-2024:5481", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-yasson-0:3.0.3-3.redhat_00002.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-08-15T00:00:00Z"}, {"advisory": "RHSA-2024:2833", "cpe": "cpe:/a:redhat:service_registry:2.5", "package": "netty-codec-http", "product_name": "RHINT Service Registry 2.5.11 GA", "release_date": "2024-05-14T00:00:00Z"}, {"advisory": "RHSA-2024:4028", "cpe": "cpe:/a:redhat:openshift_serverless:1.33::el8", "package": "openshift-serverless-1/client-kn-rhel8:1.12.0-4", "product_name": "RHOSS-1.33-RHEL-8", "release_date": "2024-06-20T00:00:00Z"}, {"advisory": "RHSA-2024:4028", "cpe": "cpe:/a:redhat:openshift_serverless:1.33::el8", "package": "openshift-serverless-1/eventing-apiserver-receive-adapter-rhel8:1.12.0-6", "product_name": "RHOSS-1.33-RHEL-8", "release_date": "2024-06-20T00:00:00Z"}, {"advisory": "RHSA-2024:4028", "cpe": "cpe:/a:redhat:openshift_serverless:1.33::el8", "package": "openshift-serverless-1/eventing-controller-rhel8:1.12.0-6", "product_name": "RHOSS-1.33-RHEL-8", "release_date": "2024-06-20T00:00:00Z"}, {"advisory": "RHSA-2024:4028", "cpe": "cpe:/a:redhat:openshift_serverless:1.33::el8", "package": "openshift-serverless-1/eventing-in-memory-channel-controller-rhel8:1.12.0-6", "product_name": "RHOSS-1.33-RHEL-8", "release_date": "2024-06-20T00:00:00Z"}, {"advisory": "RHSA-2024:4028", "cpe": "cpe:/a:redhat:openshift_serverless:1.33::el8", "package": "openshift-serverless-1/eventing-in-memory-channel-dispatcher-rhel8:1.12.0-6", "product_name": "RHOSS-1.33-RHEL-8", "release_date": "2024-06-20T00:00:00Z"}, {"advisory": "RHSA-2024:4028", "cpe": "cpe:/a:redhat:openshift_serverless:1.33::el8", "package": "openshift-serverless-1/eventing-istio-controller-rhel8:1.12.0-4", "product_name": "RHOSS-1.33-RHEL-8", "release_date": "2024-06-20T00:00:00Z"}, {"advisory": "RHSA-2024:4028", "cpe": "cpe:/a:redhat:openshift_serverless:1.33::el8", "package": "openshift-serverless-1/eventing-kafka-broker-controller-rhel8:1.12.0-4", "product_name": "RHOSS-1.33-RHEL-8", "release_date": "2024-06-20T00:00:00Z"}, {"advisory": "RHSA-2024:4028", "cpe": "cpe:/a:redhat:openshift_serverless:1.33::el8", "package": "openshift-serverless-1/eventing-kafka-broker-dispatcher-rhel8:1.12.0-4", "product_name": "RHOSS-1.33-RHEL-8", "release_date": "2024-06-20T00:00:00Z"}, {"advisory": "RHSA-2024:4028", "cpe": "cpe:/a:redhat:openshift_serverless:1.33::el8", "package": "openshift-serverless-1/eventing-kafka-broker-post-install-rhel8:1.12.0-4", "product_name": "RHOSS-1.33-RHEL-8", "release_date": "2024-06-20T00:00:00Z"}, {"advisory": "RHSA-2024:4028", "cpe": "cpe:/a:redhat:openshift_serverless:1.33::el8", "package": "openshift-serverless-1/eventing-kafka-broker-receiver-rhel8:1.12.0-4", "product_name": "RHOSS-1.33-RHEL-8", "release_date": "2024-06-20T00:00:00Z"}, {"advisory": "RHSA-2024:4028", "cpe": "cpe:/a:redhat:openshift_serverless:1.33::el8", "package": "openshift-serverless-1/eventing-kafka-broker-webhook-rhel8:1.12.0-4", "product_name": "RHOSS-1.33-RHEL-8", "release_date": "2024-06-20T00:00:00Z"}, {"advisory": "RHSA-2024:4028", "cpe": "cpe:/a:redhat:openshift_serverless:1.33::el8", "package": "openshift-serverless-1/eventing-mtbroker-filter-rhel8:1.12.0-6", "product_name": "RHOSS-1.33-RHEL-8", "release_date": "2024-06-20T00:00:00Z"}, {"advisory": "RHSA-2024:4028", "cpe": "cpe:/a:redhat:openshift_serverless:1.33::el8", "package": "openshift-serverless-1/eventing-mtbroker-ingress-rhel8:1.12.0-6", "product_name": "RHOSS-1.33-RHEL-8", "release_date": "2024-06-20T00:00:00Z"}, {"advisory": "RHSA-2024:4028", "cpe": "cpe:/a:redhat:openshift_serverless:1.33::el8", "package": "openshift-serverless-1/eventing-mtchannel-broker-rhel8:1.12.0-6", "product_name": "RHOSS-1.33-RHEL-8", "release_date": "2024-06-20T00:00:00Z"}, {"advisory": "RHSA-2024:4028", "cpe": "cpe:/a:redhat:openshift_serverless:1.33::el8", "package": "openshift-serverless-1/eventing-mtping-rhel8:1.12.0-6", "product_name": "RHOSS-1.33-RHEL-8", "release_date": "2024-06-20T00:00:00Z"}, {"advisory": "RHSA-2024:4028", "cpe": "cpe:/a:redhat:openshift_serverless:1.33::el8", "package": "openshift-serverless-1/eventing-storage-version-migration-rhel8:1.12.0-6", "product_name": "RHOSS-1.33-RHEL-8", "release_date": "2024-06-20T00:00:00Z"}, {"advisory": "RHSA-2024:4028", "cpe": "cpe:/a:redhat:openshift_serverless:1.33::el8", "package": "openshift-serverless-1/eventing-webhook-rhel8:1.12.0-6", "product_name": "RHOSS-1.33-RHEL-8", "release_date": "2024-06-20T00:00:00Z"}, {"advisory": "RHSA-2024:4028", "cpe": "cpe:/a:redhat:openshift_serverless:1.33::el8", "package": "openshift-serverless-1/func-utils-rhel8:1.33.0-4", "product_name": "RHOSS-1.33-RHEL-8", "release_date": "2024-06-20T00:00:00Z"}, {"advisory": "RHSA-2024:4028", "cpe": "cpe:/a:redhat:openshift_serverless:1.33::el8", "package": "openshift-serverless-1/ingress-rhel8-operator:1.33.0-5", "product_name": "RHOSS-1.33-RHEL-8", "release_date": "2024-06-20T00:00:00Z"}, {"advisory": "RHSA-2024:4028", "cpe": "cpe:/a:redhat:openshift_serverless:1.33::el8", "package": "openshift-serverless-1/knative-rhel8-operator:1.33.0-5", "product_name": "RHOSS-1.33-RHEL-8", "release_date": "2024-06-20T00:00:00Z"}, {"advisory": "RHSA-2024:4028", "cpe": "cpe:/a:redhat:openshift_serverless:1.33::el8", "package": "openshift-serverless-1/kn-cli-artifacts-rhel8:1.12.0-4", "product_name": "RHOSS-1.33-RHEL-8", "release_date": "2024-06-20T00:00:00Z"}, {"advisory": "RHSA-2024:4028", "cpe": "cpe:/a:redhat:openshift_serverless:1.33::el8", "package": "openshift-serverless-1/kourier-control-rhel8:1.12.0-4", "product_name": "RHOSS-1.33-RHEL-8", "release_date": "2024-06-20T00:00:00Z"}, {"advisory": "RHSA-2024:4028", "cpe": "cpe:/a:redhat:openshift_serverless:1.33::el8", "package": "openshift-serverless-1/net-istio-controller-rhel8:1.12.0-4", "product_name": "RHOSS-1.33-RHEL-8", "release_date": "2024-06-20T00:00:00Z"}, {"advisory": "RHSA-2024:4028", "cpe": "cpe:/a:redhat:openshift_serverless:1.33::el8", "package": "openshift-serverless-1/net-istio-webhook-rhel8:1.12.0-4", "product_name": "RHOSS-1.33-RHEL-8", "release_date": "2024-06-20T00:00:00Z"}, {"advisory": "RHSA-2024:4028", "cpe": "cpe:/a:redhat:openshift_serverless:1.33::el8", "package": "openshift-serverless-1/serverless-operator-bundle:1.33.0-6", "product_name": "RHOSS-1.33-RHEL-8", "release_date": "2024-06-20T00:00:00Z"}, {"advisory": "RHSA-2024:4028", "cpe": "cpe:/a:redhat:openshift_serverless:1.33::el8", "package": "openshift-serverless-1/serverless-rhel8-operator:1.33.0-5", "product_name": "RHOSS-1.33-RHEL-8", "release_date": "2024-06-20T00:00:00Z"}, {"advisory": "RHSA-2024:4028", "cpe": "cpe:/a:redhat:openshift_serverless:1.33::el8", "package": "openshift-serverless-1/serving-activator-rhel8:1.12.0-4", "product_name": "RHOSS-1.33-RHEL-8", "release_date": "2024-06-20T00:00:00Z"}, {"advisory": "RHSA-2024:4028", "cpe": "cpe:/a:redhat:openshift_serverless:1.33::el8", "package": "openshift-serverless-1/serving-autoscaler-hpa-rhel8:1.12.0-4", "product_name": "RHOSS-1.33-RHEL-8", "release_date": "2024-06-20T00:00:00Z"}, {"advisory": "RHSA-2024:4028", "cpe": "cpe:/a:redhat:openshift_serverless:1.33::el8", "package": "openshift-serverless-1/serving-autoscaler-rhel8:1.12.0-4", "product_name": "RHOSS-1.33-RHEL-8", "release_date": "2024-06-20T00:00:00Z"}, {"advisory": "RHSA-2024:4028", "cpe": "cpe:/a:redhat:openshift_serverless:1.33::el8", "package": "openshift-serverless-1/serving-controller-rhel8:1.12.0-4", "product_name": "RHOSS-1.33-RHEL-8", "release_date": "2024-06-20T00:00:00Z"}, {"advisory": "RHSA-2024:4028", "cpe": "cpe:/a:redhat:openshift_serverless:1.33::el8", "package": "openshift-serverless-1/serving-queue-rhel8:1.12.0-4", "product_name": "RHOSS-1.33-RHEL-8", "release_date": "2024-06-20T00:00:00Z"}, {"advisory": "RHSA-2024:4028", "cpe": "cpe:/a:redhat:openshift_serverless:1.33::el8", "package": "openshift-serverless-1/serving-storage-version-migration-rhel8:1.12.0-4", "product_name": "RHOSS-1.33-RHEL-8", "release_date": "2024-06-20T00:00:00Z"}, {"advisory": "RHSA-2024:4028", "cpe": "cpe:/a:redhat:openshift_serverless:1.33::el8", "package": "openshift-serverless-1/serving-webhook-rhel8:1.12.0-4", "product_name": "RHOSS-1.33-RHEL-8", "release_date": "2024-06-20T00:00:00Z"}, {"advisory": "RHSA-2024:4028", "cpe": "cpe:/a:redhat:openshift_serverless:1.33::el8", "package": "openshift-serverless-1/svls-must-gather-rhel8:1.33.0-4", "product_name": "RHOSS-1.33-RHEL-8", "release_date": "2024-06-20T00:00:00Z"}, {"advisory": "RHSA-2024:4028", "cpe": "cpe:/a:redhat:openshift_serverless:1.33::el8", "package": "openshift-serverless-1-tech-preview/backstage-plugins-eventmesh-rhel8:1.33.0-4", "product_name": "RHOSS-1.33-RHEL-8", "release_date": "2024-06-20T00:00:00Z"}, {"advisory": "RHSA-2024:4028", "cpe": "cpe:/a:redhat:openshift_serverless:1.33::el8", "package": "openshift-serverless-1-tech-preview/knative-client-plugin-event-sender-rhel8:1.12.0-4", "product_name": "RHOSS-1.33-RHEL-8", "release_date": "2024-06-20T00:00:00Z"}, {"advisory": "RHSA-2024:9571", "cpe": "cpe:/a:redhat:amq_streams:2", "product_name": "Streams for Apache Kafka 2.8.0", "release_date": "2024-11-13T00:00:00Z"}], "bugzilla": {"description": "netty-codec-http: Allocation of Resources Without Limits or Throttling", "id": "2272907", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2272907"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "status": "verified"}, "cwe": "CWE-770", "details": ["Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. The `HttpPostRequestDecoder` can be tricked to accumulate data. While the decoder can store items on the disk if configured so, there are no limits to the number of fields the form can have, an attacher can send a chunked post consisting of many small fields that will be accumulated in the `bodyListHttpData` list. The decoder cumulates bytes in the `undecodedChunk` buffer until it can decode a field, this field can cumulate data without limits. This vulnerability is fixed in 4.1.108.Final.", "A flaw was found in the io.netty:netty-codec-http package. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling issues due to the accumulation of data in the HttpPostRequestDecoder. The decoder cumulates bytes in the undecodedChunk buffer until it can decode a field, allowing data to accumulate without limits. This flaw allows an attacker to cause a denial of service by sending a chunked post consisting of many small fields that will be accumulated in the bodyListHttpData list."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-29025", "package_state": [{"cpe": "cpe:/a:redhat:amq_clients:2023", "fix_state": "Not affected", "package_name": "netty-codec-http", "product_name": "AMQ Clients"}, {"cpe": "cpe:/a:redhat:a_mq_clients:2", "fix_state": "Not affected", "package_name": "netty-codec-http", "product_name": "A-MQ Clients 2"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Affected", "package_name": "openshift-logging/elasticsearch6-rhel8", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:migration_toolkit_applications:6", "fix_state": "Will not fix", "package_name": "netty-codec-http", "product_name": "Migration Toolkit for Applications 6"}, {"cpe": "cpe:/a:redhat:camel_quarkus:3", "fix_state": "Affected", "package_name": "netty-codec-http", "product_name": "Red Hat build of Apache Camel 4 for Quarkus 3"}, {"cpe": "cpe:/a:redhat:camel_spring_boot:3", "fix_state": "Out of support scope", "package_name": "netty-codec-http", "product_name": "Red Hat build of Apache Camel for Spring Boot 3"}, {"cpe": "cpe:/a:redhat:apache_camel_hawtio:4", "fix_state": "Affected", "package_name": "netty-codec-http", "product_name": "Red Hat build of Apache Camel - HawtIO 4"}, {"cpe": "cpe:/a:redhat:debezium:2", "fix_state": "Affected", "package_name": "netty-codec-http", "product_name": "Red Hat build of Debezium 2"}, {"cpe": "cpe:/a:redhat:build_keycloak:", "fix_state": "Affected", "package_name": "netty-codec-http", "product_name": "Red Hat Build of Keycloak"}, {"cpe": "cpe:/a:redhat:optaplanner:::el6", "fix_state": "Will not fix", "package_name": "netty-codec-http", "product_name": "Red Hat build of OptaPlanner 8"}, {"cpe": "cpe:/a:redhat:quarkus:2", "fix_state": "Will not fix", "package_name": "io.netty/netty-codec-http", "product_name": "Red Hat build of Quarkus"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Will not fix", "package_name": "netty-codec-http", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Will not fix", "package_name": "netty-codec-http", "product_name": "Red Hat Integration Camel K 1"}, {"cpe": "cpe:/a:redhat:camel_quarkus:2", "fix_state": "Affected", "package_name": "netty-codec-http", "product_name": "Red Hat Integration Camel Quarkus 2"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:7", "fix_state": "Will not fix", "package_name": "netty-codec-http", "product_name": "Red Hat JBoss Data Grid 7"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Will not fix", "package_name": "netty-codec-http", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7", "fix_state": "Will not fix", "package_name": "netty-codec-http", "product_name": "Red Hat Process Automation 7"}, {"cpe": "cpe:/a:redhat:red_hat_single_sign_on:7", "fix_state": "Will not fix", "package_name": "netty-codec-http", "product_name": "Red Hat Single Sign-On 7"}, {"cpe": "cpe:/a:redhat:openshift_application_runtimes:1.0", "fix_state": "Out of support scope", "package_name": "netty-codec-http", "product_name": "Red Hat support for Spring Boot"}], "public_date": "2024-03-25T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-29025\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-29025\nhttps://gist.github.com/vietj/f558b8ea81ec6505f1e9a6ca283c9ae3\nhttps://github.com/netty/netty/commit/0d0c6ed782d13d423586ad0c71737b2c7d02058c\nhttps://github.com/netty/netty/security/advisories/GHSA-5jpm-x58v-624v\nhttps://security.snyk.io/vuln/SNYK-JAVA-IONETTY-6483812"], "statement": "The vulnerability in io.netty:netty-codec-http, allowing for Allocation of Resources Without Limits or Throttling issues, is assessed as moderate severity due to its potential impact on system availability and performance. By exploiting the flaw in HttpPostRequestDecoder, an attacker can craft chunked POST requests with numerous small fields, causing excessive accumulation of data in memory buffers. This unrestricted accumulation can lead to significant memory consumption on the server, potentially exhausting available resources and resulting in denial of service (DoS) conditions.", "threat_severity": "Moderate"}

{}