[
https://issues.apache.org/jira/browse/ATLAS-4853?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Disha Talreja updated ATLAS-4853:
---------------------------------
Fix Version/s: 2.4.0
> Upgrade Netty to 4.1.108.Final
> ------------------------------
>
> Key: ATLAS-4853
> URL: https://issues.apache.org/jira/browse/ATLAS-4853
> Project: Atlas
> Issue Type: Task
> Components: atlas-core
> Reporter: Disha Talreja
> Assignee: Disha Talreja
> Priority: Major
> Fix For: 2.4.0
>
> Attachments: ATLAS-4853.patch
>
>
> Upgrade Netty to 4.1.108.Final
> Netty is an asynchronous event-driven network application framework for rapid
> development of maintainable high performance protocol servers & clients. The
> `HttpPostRequestDecoder` can be tricked into accumulating data. While the decoder
> can store items on the disk if configured so, there are no limits to the
> number of fields the form can have, so an attacker can send a chunked POST
> consisting of many small fields that will be accumulated in the
> `bodyListHttpData` list. The decoder accumulates bytes in the `undecodedChunk`
> buffer until it can decode a field, and this field can accumulate data without
> limit. This vulnerability is fixed in 4.1.108.Final.
> [https://nvd.nist.gov/vuln/detail/CVE-2024-29025]
> [https://github.com/advisories/GHSA-5jpm-x58v-624v]
> [https://ossindex.sonatype.org/vulnerability/CVE-2024-29025]
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
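Added example, not part of the ATLAS-4853 patch and not Netty's or Atlas's own code: a Netty inbound handler that builds `HttpPostRequestDecoder` with an explicit cap on the number of form fields and on the bytes buffered in `undecodedChunk` while a field is still being decoded, and rejects the request as soon as either cap is hit instead of letting `bodyListHttpData` grow with the attacker's chunks. It assumes the five-argument constructor (factory, request, charset, maxFields, maxBufferedBytes) and the nested `TooManyFormFieldsException` / `TooLongFormFieldException` classes that 4.1.108.Final introduced for this CVE; the limit values 64 and 16 KiB and the class name `BoundedFormHandler` are example choices.

```java
import java.nio.charset.StandardCharsets;

import io.netty.channel.ChannelFutureListener;
import io.netty.channel.ChannelHandlerContext;
import io.netty.channel.SimpleChannelInboundHandler;
import io.netty.handler.codec.http.DefaultFullHttpResponse;
import io.netty.handler.codec.http.HttpContent;
import io.netty.handler.codec.http.HttpMethod;
import io.netty.handler.codec.http.HttpObject;
import io.netty.handler.codec.http.HttpRequest;
import io.netty.handler.codec.http.HttpResponseStatus;
import io.netty.handler.codec.http.HttpVersion;
import io.netty.handler.codec.http.LastHttpContent;
import io.netty.handler.codec.http.multipart.DefaultHttpDataFactory;
import io.netty.handler.codec.http.multipart.HttpPostRequestDecoder;
import io.netty.handler.codec.http.multipart.InterfaceHttpData;

/**
 * Example handler (not Netty/Atlas code): decodes a chunked form POST with
 * hard bounds on field count and per-field buffering, so a stream of tiny
 * fields or one endless field fails fast instead of exhausting the heap.
 */
public class BoundedFormHandler extends SimpleChannelInboundHandler<HttpObject> {

    // Assumed limits for this example; size them to the forms the service really accepts.
    private static final int MAX_FIELDS = 64;            // cap on bodyListHttpData entries
    private static final int MAX_BUFFERED_BYTES = 16 * 1024; // cap on undecodedChunk per field

    private HttpPostRequestDecoder decoder;

    @Override
    protected void channelRead0(ChannelHandlerContext ctx, HttpObject msg) {
        if (msg instanceof HttpRequest) {
            HttpRequest request = (HttpRequest) msg;
            if (!HttpMethod.POST.equals(request.method())) {
                reject(ctx, HttpResponseStatus.METHOD_NOT_ALLOWED);
                return;
            }
            try {
                // The two trailing int parameters are assumed to be the maxFields /
                // maxBufferedBytes bounds added in 4.1.108.Final; releases before
                // that have no such constructor and no such bound.
                decoder = new HttpPostRequestDecoder(
                        new DefaultHttpDataFactory(DefaultHttpDataFactory.MINSIZE),
                        request, StandardCharsets.UTF_8, MAX_FIELDS, MAX_BUFFERED_BYTES);
            } catch (HttpPostRequestDecoder.ErrorDataDecoderException e) {
                reject(ctx, HttpResponseStatus.BAD_REQUEST); // unsupported/malformed Content-Type
                return;
            }
        }

        if (msg instanceof HttpContent && decoder != null) {
            try {
                // Each chunk is fed to the decoder; with the bounds above, the
                // (MAX_FIELDS + 1)th field or a field exceeding MAX_BUFFERED_BYTES
                // throws here rather than being accumulated.
                decoder.offer((HttpContent) msg);
            } catch (HttpPostRequestDecoder.TooManyFormFieldsException
                     | HttpPostRequestDecoder.TooLongFormFieldException e) {
                reject(ctx, HttpResponseStatus.REQUEST_ENTITY_TOO_LARGE);
                return;
            } catch (HttpPostRequestDecoder.ErrorDataDecoderException e) {
                reject(ctx, HttpResponseStatus.BAD_REQUEST);
                return;
            }

            if (msg instanceof LastHttpContent) {
                for (InterfaceHttpData field : decoder.getBodyHttpDatas()) {
                    // Application logic goes here; the list is now bounded by MAX_FIELDS.
                }
                decoder.destroy(); // releases buffered bytes and any on-disk temp files
                decoder = null;
                ctx.writeAndFlush(new DefaultFullHttpResponse(HttpVersion.HTTP_1_1,
                        HttpResponseStatus.OK));
            }
        }
    }

    /** Free decoder state and close the connection so the peer cannot keep streaming. */
    private void reject(ChannelHandlerContext ctx, HttpResponseStatus status) {
        if (decoder != null) {
            decoder.destroy();
            decoder = null;
        }
        ctx.writeAndFlush(new DefaultFullHttpResponse(HttpVersion.HTTP_1_1, status))
           .addListener(ChannelFutureListener.CLOSE);
    }
}
```

Two practical notes. First, closing the channel on rejection matters: sending 413 alone leaves a client free to keep pushing chunks at a decoder that has already been destroyed. Second, the upgrade only helps if it actually reaches the runtime classpath; after bumping the version, run `mvn dependency:tree -Dincludes=io.netty` and confirm no transitive dependency still resolves `netty-codec-http` to a release older than 4.1.108.Final.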