CVE-2022-24823 - netty-common vulnerable to Information Exposure due to an incomplete fix to CVE-2021-21290 #12610
Labels
area/dependencies
kind/cve
Summary
Affected versions of this package are vulnerable to Information Exposure due to an incomplete fix for CVE-2021-21290, which still left one exploitable path. When Netty's multipart decoders are used, local information disclosure can occur via the local system temporary directory if temporary storage of uploads on disk is enabled.
Note: To be vulnerable, a victim application has to run on a Unix-like operating system, and with Java 6 or below.
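The mechanism described in the summary, as an added illustration that is not Netty or Keycloak code: on Java 6 the only temp-file API is File.createTempFile, which creates the spooled upload in the shared system temp directory with the process umask applied (world-readable under the common umask 022), whereas java.nio.file.Files.createTempFile, available from Java 7, creates the file owner-only before any data is written. The class name, the prefix strings and the sample upload body are assumptions for the demo; it needs a Unix-like host, which is the condition the advisory names.

```java
import java.io.File;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Set;

// Added illustration, not Netty/Keycloak code. Shows why spooling a multipart
// upload to java.io.tmpdir leaks to other local users on Java 6, and the
// Java 7+ API that avoids it. Requires a Unix-like host (POSIX permissions).
public class TempUploadPermissions {

    // Java 6 style: File.createTempFile() takes no permission argument, so the
    // file is created as 0666 masked by the process umask (0644 with the usual
    // umask 022), i.e. readable by every local user of the shared temp dir.
    static Path spoolLegacy(byte[] upload) throws IOException {
        File f = File.createTempFile("upload-", ".tmp"); // hypothetical prefix
        Files.write(f.toPath(), upload);
        return f.toPath();
    }

    // Java 7+ style: Files.createTempFile() creates the file with owner-only
    // permissions (rw-------) before any data is written.
    static Path spoolHardened(byte[] upload) throws IOException {
        Path p = Files.createTempFile("upload-", ".tmp"); // hypothetical prefix
        Files.write(p, upload);
        return p;
    }

    // True if group or other has read permission on the spooled file.
    static boolean readableByOthers(Path p) throws IOException {
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(p);
        return perms.contains(PosixFilePermission.GROUP_READ)
            || perms.contains(PosixFilePermission.OTHERS_READ);
    }

    // One report line: path, rwx string, and whether other users can read it.
    static String describe(String label, Path p) throws IOException {
        return label + " " + p + " "
            + PosixFilePermissions.toString(Files.getPosixFilePermissions(p))
            + " readable by other users: " + readableByOthers(p);
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample body standing in for a multipart upload field.
        byte[] upload = "field=secret-token-value".getBytes(StandardCharsets.UTF_8);
        Path legacy = spoolLegacy(upload);
        Path hardened = spoolHardened(upload);
        try {
            System.out.println(describe("legacy  ", legacy));
            System.out.println(describe("hardened", hardened));
        } finally {
            // Remove both spool files so the demo leaves nothing behind in /tmp.
            Files.deleteIfExists(legacy);
            Files.deleteIfExists(hardened);
        }
    }
}
```

Under umask 022 the legacy file comes out rw-r--r-- and the hardened one rw-------; a stricter umask hides the legacy problem on a given host, which is why the advisory scopes the condition to the Java version rather than to a deployment setting: java.nio.file does not exist on Java 6, so code that must run there cannot create the file owner-only, while on Java 7 and later the secure API is available. On Windows Files.getPosixFilePermissions throws UnsupportedOperationException, matching the advisory's Unix-like restriction.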
Version
18.0.0 or higher
Impact
Low. Keycloak supports the Java 8 or Java 11 JRE. Users running Java 6 are strongly encouraged to upgrade.
Remediation
Upgrade io.netty:netty-common to version 4.1.77.Final or higher.
Additional information
Before netty-common can be updated in Keycloak, it first has to be updated in Quarkus. As of now, Quarkus is still on netty-common 4.1.74.Final.
The Quarkus team is working on upgrading the dependency. After that, we need to wait for the upcoming releases.