CVE Tools
Sign in

CVE-2022-24823

Local Information Disclosure Vulnerability in io.netty:netty-codec-http

Published: May 6, 2022Updated: Nov 21, 2024 Sources: CVE List NVD GHSA BDUCWE-378
NVD MITRE
5.5CVSSMEDIUM
EPSS Score
1.0%
Top 40.7%
CISA KEV
Not in KEV
Exploits
2 Known
Remediation
Patch Available

Description

Netty is an open-source, asynchronous event-driven network application framework. The package `io.netty:netty-codec-http` prior to version 4.1.77.Final contains an insufficient fix for CVE-2021-21290. When Netty's multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled. This only impacts applications running on Java version 6 and lower. Additionally, this vulnerability impacts code running on Unix-like systems, and very old versions of Mac OSX and Windows as they all share the system temporary directory between all users. Version 4.1.77.Final contains a patch for this vulnerability. As a workaround, specify one's own `java.io.tmpdir` when starting the JVM or use DefaultHttpDataFactory.setBaseDir(...) to set the directory to something that is only readable by the current user.

CVSS Vector Breakdown

AV:LAC:LPR:LUI:NS:UC:HI:NA:N
Exploitability
AV:LAttack Vector
Local
AC:LAttack Complexity
Low
PR:LPrivileges Required
Low
UI:NUser Interaction
None
Scope
S:UScope
Unchanged
Impact
C:HConfidentiality
High
I:NIntegrity
None
A:NAvailability
None
Open in CVSS calculator →

Weaknesses

CWE-378CWE-379CWE-668

Affected Products

nettynetty
LibraryLibrary
OSS Libraries / generic-library
financial services crime and compliance management studiooracle
On-premWeb App
Enterprise Software / itsm-monitoring
active iq unified managernetappHardware Firmware
oncommand workflow automationnetappHardware Firmware
snapcenternetappHardware Firmware
nettyoss-projectOSS Librariesaka io.netty:netty, netty-incubator-codec-ohttp
oraclecommercialUSDatabasesaka oracle corp.
netappcommercialUSHardware Firmware
and 38 more affected products View all →

Exploitability

2 exploit sources identified

Exploit details including PoC links, Metasploit modules, and scanner templates are available after registration.

View exploit details
Official Patch Available
Workaround Available

References

https://github.com/netty/netty/commit/185f8b2756a36aaa4f973f1a2a025e7d981823f1
github.com
https://github.com/netty/netty/security/advisories/GHSA-269q-hmxg-m83q
github.com
https://github.com/netty/netty/security/advisories/GHSA-5mcr-gq6c-3hq2
github.com
and 12 more references View all →

Timeline

Published
May 6, 2022
Last Updated
Nov 21, 2024

Unlock Complete Vulnerability Intelligence

Get the full picture for CVE-2022-24823 and every CVE in our database. Create a free account — no credit card required.

Create Free Account
Plain-language analysis
Impact assessment and exploitation scenario in plain English
Attack graph visualization
Interactive attack path and kill chain mapping
Exploit details & PoC links
ExploitDB, Metasploit, GitHub PoCs with direct links
Nuclei scanner templates
Ready-to-use vulnerability scanner templates
Full remediation guide
Patch instructions, workarounds, and compliance impact
Interactive AI chat
Ask questions about this vulnerability in natural language
Related vulnerabilities
Semantically similar CVEs and attack patterns
REST API & MCP access
Integrate vulnerability data into your workflows