← Back to CVEs
CVE-2024-36121
MEDIUM5.9
Description
netty-incubator-codec-ohttp is the OHTTP implementation for netty. BoringSSLAEADContext keeps track of how many OHTTP responses have been sent and uses this sequence number to calculate the appropriate nonce to use with the encryption algorithm. Unfortunately, two separate errors combine which would allow an attacker to cause the sequence number to overflow and thus the nonce to repeat.
CVE Details
CVSS v3.1 Score5.9
SeverityMEDIUM
CVSS VectorCVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N
Attack VectorNETWORK
ComplexityHIGH
Privileges RequiredNONE
User InteractionREQUIRED
Published6/4/2024
Last Modified11/21/2024
Sourcenvd
Honeypot Sightings0
Affected Products
netty:netty-incubator-codec-ohttp
Weaknesses (CWE)
CWE-190CWE-200CWE-323CWE-190
References
https://github.com/netty/netty-incubator-codec-ohttp/blob/1ddadb6473cd3be5491d114431ed4c1a9f316001/codec-ohttp-hpke-classes-boringssl/src/main/java/io/netty/incubator/codec/hpke/boringssl/BoringSSLAEADContext.java#L112-L114(security-advisories@github.com)
https://github.com/netty/netty-incubator-codec-ohttp/security/advisories/GHSA-g762-h86w-8749(security-advisories@github.com)
https://github.com/netty/netty-incubator-codec-ohttp/blob/1ddadb6473cd3be5491d114431ed4c1a9f316001/codec-ohttp-hpke-classes-boringssl/src/main/java/io/netty/incubator/codec/hpke/boringssl/BoringSSLAEADContext.java#L112-L114(af854a3a-2127-422b-91ae-364da2661108)
https://github.com/netty/netty-incubator-codec-ohttp/security/advisories/GHSA-g762-h86w-8749(af854a3a-2127-422b-91ae-364da2661108)
IOC Correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.