Current Behavior
Hello,
ODT returns/reports that GHSA-q4h9-7rxj-7gx2 is present on projects having a dependency on lettuce:
The issue is that GHSA-q4h9-7rxj-7gx2 is flagged as withdrawn on the GHSA side:
GHSA-q4h9-7rxj-7gx2
We kept hoping that it was a matter of days/cache... but the vulnerability was withdrawn on the 16th of January and today (30.01) we still see it on the ODT side.
Could you please help us understand why and if there's something to be done in order to no longer receive it? It's quite confusing for our developers.
Thank you very much for your help!
Best regards,
Andreea
Steps to Reproduce
{
"publisher": "lettuce.io",
"group": "io.lettuce",
"name": "lettuce-core",
"version": "6.4.2.RELEASE",
"description": "Advanced and thread-safe Java Redis client for synchronous, asynchronous, and reactive usage. Supports Cluster, Sentinel, Pipelining, Auto-Reconnect, Codecs and much more.",
"scope": "required",
"hashes": [
{
"alg": "MD5",
"content": "fc1b3d140c25cebf417530bd548d900d"
},
{
"alg": "SHA-1",
"content": "8969c20697c74b71288d4d5e69b0fec4047d3d6d"
},
{
"alg": "SHA-256",
"content": "7add1bbaa54805a6b3fd0fbf206ef87cd17c288677c410173cbb9f6d0c8d601a"
},
{
"alg": "SHA-512",
"content": "91086306843969fc9c44882286e3e747b67fe73f37bb2bf247ed686b00f73778aa1b06c8e718de51f4691045b6c0caf238f7c05789a67bd6bae05d1ababc4350"
},
{
"alg": "SHA-384",
"content": "1c646aa05e612272d19239e03044fb69595dcb5b8ade45e166a5e0f7ca86997508939c40189e3431ba21c97c3318ace4"
},
{
"alg": "SHA3-384",
"content": "884d395d07faa8f35e9f37009299a3e3d9cdf7cb38b748a412db12922c5b53bf62aa9529eb2f3c7291c302aec9693b63"
},
{
"alg": "SHA3-256",
"content": "a2267a4aab932a3dfb03871675e8b1ba19f7bcbd600fe6dc60f34e3baeff095d"
},
{
"alg": "SHA3-512",
"content": "bd6d0c0f3035117b70820647e57ab3429ee57e896eb16c6f0362d0def68e7a858b850aded71f24d51414480629556addc7b30178e57e1dfa233670484bb3b7b5"
}
],
"licenses": [
{
"license": {
"id": "MIT",
"url": "https://opensource.org/license/mit/"
}
}
],
"purl": "pkg:maven/io.lettuce/lettuce-core@6.4.2.RELEASE?type=jar",
"externalReferences": [
{
"type": "website",
"url": "http://github.com/lettuce-io/lettuce-core"
},
{
"type": "issue-tracker",
"url": "https://github.com/lettuce-io/lettuce-core/issues"
},
{
"type": "vcs",
"url": "http://github.com/lettuce-io/lettuce-core"
}
],
"type": "library",
"bom-ref": "pkg:maven/io.lettuce/lettuce-core@6.4.2.RELEASE?type=jar",
"properties": [
{
"name": "SrcFile",
"value": "/tmp/GH_AIRSPACE/prgoffer-offers-api-rest/prgoffer-offers-api-rest/pom.xml"
}
],
"evidence": {
"identity": {
"field": "purl",
"confidence": 0.8,
"methods": [
{
"technique": "manifest-analysis",
"confidence": 0.8,
"value": "/tmp/GH_AIRSPACE/prgoffer-offers-api-rest/prgoffer-offers-api-rest/pom.xml"
}
]
}
}
},
submit the SBOM to ODT -> check the UI/download the SBOM with the vulnerabilities:
{
"bom-ref": "dbaf455b-bbcc-4999-9fa4-21b2d53bfc8a",
"id": "GHSA-q4h9-7rxj-7gx2",
"source": {
"name": "GITHUB",
"url": "https://github.com/advisories"
},
"ratings": [
{
"source": {
"name": "GITHUB",
"url": "https://github.com/advisories"
},
"severity": "medium",
"method": "other"
}
],
"description": "### Summary Note: i'm reporting this in this way purely because it's private and i don't want to broadcast vulnerabilities. > An unsafe reading of environment file could potentially cause a denial of service in Netty. When loaded on an Windows application, Netty attempts to load a file that does not exist. If an attacker creates such a large file, the Netty application crashes. This vulnerability is fixed in 4.1.115. ### Details https://github.com/redis/lettuce/blob/main/pom.xml#L67C9-L67C53 The netty version pinned here is currently <netty.version>4.1.113.Final</netty.version> This version is vulnerable according to Snyk and is affecting one of our products: Here is a link to the CVE ### PoC Complete instructions, including specific configuration details, to reproduce the vulnerability. Not applicable ### Impact What kind of vulnerability is it? Who is impacted? Denial of Service, affecting Windows users.",
"published": "2024-12-02T20:03:03Z",
"updated": "2024-12-23T18:14:37Z",
"affects": [
{
"ref": "069d6cfa-6628-407a-8fa7-59e8f65f8a42"
}
]
}
Expected Behavior
We would expect to receive this vulnerability only on projects that have a dependency on netty and not on lettuce according to the withdrawal:
"Withdrawn Advisory
This advisory has been withdrawn because users of Lettuce may independently exclude vulnerable versions of Netty from their dependencies, and those users should not receive alerts for GHSA-xq3w-v528-46rv. This link is maintained to preserve external references."
Dependency-Track Version
4.12.2
Dependency-Track Distribution
Container Image
Database Server
PostgreSQL
Database Server Version
No response
Browser
Google Chrome
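Added example (not part of the issue above and not Dependency-Track's own code): a small Python check that takes a CycloneDX export with a top-level `vulnerabilities` array, like the one pasted in the issue, and flags GitHub-sourced findings whose advisory the GitHub Advisory Database marks as withdrawn. It also surfaces `affects[].ref` values that resolve to no component `bom-ref`, since such a finding cannot be tied back to a package for triage. The BOM and the advisory records are constructed inline so it runs offline; the advisory records mimic only the `ghsa_id` and `withdrawn_at` fields of a `GET https://api.github.com/advisories/{ghsa_id}` response, and the withdrawal timestamp is made up for the example (the issue only says "the 16th of January").

```python
import json

# Constructed sample in the shape of a Dependency-Track CycloneDX export
# (components plus a top-level "vulnerabilities" array). It is not the
# issue's real export; purls and refs were chosen so the checks below fire.
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {
            "type": "library", "group": "io.lettuce", "name": "lettuce-core",
            "version": "6.4.2.RELEASE",
            "purl": "pkg:maven/io.lettuce/lettuce-core@6.4.2.RELEASE?type=jar",
            "bom-ref": "pkg:maven/io.lettuce/lettuce-core@6.4.2.RELEASE?type=jar",
        },
        {
            "type": "library", "group": "io.netty", "name": "netty-common",
            "version": "4.1.113.Final",
            "purl": "pkg:maven/io.netty/netty-common@4.1.113.Final?type=jar",
            "bom-ref": "pkg:maven/io.netty/netty-common@4.1.113.Final?type=jar",
        },
    ],
    "vulnerabilities": [
        {   # the withdrawn lettuce advisory from the issue; the second ref is
            # the UUID from the issue's export and matches no component here
            "id": "GHSA-q4h9-7rxj-7gx2", "source": {"name": "GITHUB"},
            "affects": [
                {"ref": "pkg:maven/io.lettuce/lettuce-core@6.4.2.RELEASE?type=jar"},
                {"ref": "069d6cfa-6628-407a-8fa7-59e8f65f8a42"},
            ],
        },
        {   # the live netty advisory the withdrawal notice points to
            "id": "GHSA-xq3w-v528-46rv", "source": {"name": "GITHUB"},
            "affects": [{"ref": "pkg:maven/io.netty/netty-common@4.1.113.Final?type=jar"}],
        },
    ],
})

# Constructed stand-ins for GET https://api.github.com/advisories/{ghsa_id}.
# Only ghsa_id and withdrawn_at are kept; withdrawn_at is null for live
# advisories. The timestamp is invented for the example.
ADVISORIES = {
    "GHSA-q4h9-7rxj-7gx2": {"ghsa_id": "GHSA-q4h9-7rxj-7gx2",
                            "withdrawn_at": "2025-01-16T00:00:00Z"},
    "GHSA-xq3w-v528-46rv": {"ghsa_id": "GHSA-xq3w-v528-46rv",
                            "withdrawn_at": None},
}


def component_index(bom):
    """Map each component's bom-ref to its purl so affects[].ref can be resolved."""
    return {c["bom-ref"]: c.get("purl", c["bom-ref"])
            for c in bom.get("components", []) if "bom-ref" in c}


def withdrawn_findings(bom_json, advisories):
    """Return GitHub-sourced findings whose advisory carries a withdrawn_at.

    Each entry names the GHSA id, the withdrawal timestamp, the raw ref and the
    purl it resolves to (None when the ref matches no component).
    """
    bom = json.loads(bom_json)
    refs = component_index(bom)
    out = []
    for vuln in bom.get("vulnerabilities", []):
        if vuln.get("source", {}).get("name") != "GITHUB":
            continue  # only GHSA ids are looked up against the advisory DB here
        adv = advisories.get(vuln.get("id"))
        if not adv or adv.get("withdrawn_at") is None:
            continue  # unknown to the DB, or still live: nothing to flag
        for hit in vuln.get("affects", []):
            out.append({
                "id": vuln["id"],
                "withdrawn_at": adv["withdrawn_at"],
                "ref": hit.get("ref"),
                "purl": refs.get(hit.get("ref")),
            })
    return out


def unresolved_refs(bom_json):
    """Return (vuln id, ref) pairs whose affects[].ref matches no component bom-ref."""
    bom = json.loads(bom_json)
    refs = component_index(bom)
    return [(v["id"], hit["ref"])
            for v in bom.get("vulnerabilities", [])
            for hit in v.get("affects", [])
            if hit.get("ref") not in refs]


if __name__ == "__main__":
    for f in withdrawn_findings(SAMPLE_BOM, ADVISORIES):
        print(f"WITHDRAWN {f['id']} (since {f['withdrawn_at']}) on {f['purl'] or f['ref']}")
    for vid, ref in unresolved_refs(SAMPLE_BOM):
        print(f"UNRESOLVED {vid}: affects ref {ref} matches no component")
```

In practice the `ADVISORIES` dict would be filled by fetching each GHSA id from the advisory API (or from an OSV export, which carries the same information in its `withdrawn` field); the check itself stays the same, and its output is the list a developer needs in order to decide which findings to suppress in the ODT project pending a fix on the scanner side.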