CVE-2021-37136
netty - security update
CVSS 3.1 base score: 7.5 (HIGH)
EPSS: 1.2%
Description
Netty's Bzip2 decompression decoder (Bzip2Decoder) does not allow a size restriction to be set on the decompressed output, and that output size drives the allocation made during decompression. All users of Bzip2Decoder are affected. A small, crafted bzip2 stream that expands to a very large output can therefore trigger an OutOfMemoryError (OOME) and so a denial of service.
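To make the failure mode concrete, here is an added example that is not Netty code: it uses Python's bz2 module as a stand-in for the decoder, builds a constructed "decompression bomb" (16 MiB of zeros that bzip2 shrinks to under a kilobyte), and contrasts the unbounded pattern the advisory describes with a decoder that streams its output under a caller-chosen ceiling. The `max_output` parameter is a hypothetical illustration of the size restriction Bzip2Decoder lacked; it is not the name of any Netty option.

```python
"""Added example (not Netty code): why an output-size limit matters for a
bzip2 decoder, shown with Python's bz2 module.

The vulnerable pattern inflates a stream into one buffer sized by whatever
the stream expands to; the hardened pattern drains the output in bounded
chunks and aborts as soon as a caller-chosen ceiling would be exceeded.
"""
import bz2

# Constructed "decompression bomb": 16 MiB of zeros shrinks to well under a
# kilobyte of bzip2 data, so a tiny message can demand a huge allocation.
ORIGINAL_SIZE = 16 * 1024 * 1024
BOMB = bz2.compress(b"\x00" * ORIGINAL_SIZE)


class DecompressionLimitExceeded(Exception):
    """Raised when decompressed output would exceed the configured ceiling."""


def decompress_unbounded(data: bytes) -> int:
    """Vulnerable pattern: allocate whatever the stream inflates to.

    On a network path (the Bzip2Decoder case) this is what lets one small
    message exhaust the heap and raise an OutOfMemoryError. Returns the
    inflated size so the caller can see the expansion ratio.
    """
    return len(bz2.decompress(data))


def decompress_bounded(data: bytes, max_output: int,
                       chunk_size: int = 64 * 1024) -> bytes:
    """Hardened pattern: pull output in chunks and enforce a ceiling.

    max_output is the hypothetical per-message limit a safe decoder would let
    the caller configure (the knob Bzip2Decoder lacked before the fix).
    Memory held never exceeds max_output plus one chunk of decoder buffering.
    """
    dec = bz2.BZ2Decompressor()
    out = bytearray()
    pending = data  # feed all input once, then drain with b""
    while not dec.eof:
        # max_length caps how much the decoder emits per call; unconsumed
        # input stays buffered inside the decompressor object.
        piece = dec.decompress(pending, max_length=chunk_size)
        pending = b""
        if len(out) + len(piece) > max_output:
            raise DecompressionLimitExceeded(
                f"output exceeds {max_output} bytes "
                f"(at least {len(out) + len(piece)} so far)")
        out += piece
        if dec.needs_input and not dec.eof:
            # All input consumed yet no end-of-stream marker seen.
            raise ValueError("truncated bzip2 stream")
    return bytes(out)


def exceeds_limit(data: bytes, max_output: int) -> bool:
    """True if decoding `data` under `max_output` would be refused."""
    try:
        decompress_bounded(data, max_output)
    except DecompressionLimitExceeded:
        return True
    return False


if __name__ == "__main__":
    print(f"{len(BOMB)} bytes of bzip2 inflate to "
          f"{decompress_unbounded(BOMB)} bytes")
    print("1 MiB ceiling refuses the bomb:", exceeds_limit(BOMB, 1024 * 1024))
```

The ceiling has to be enforced while draining, not after: checking `len(result)` once `bz2.decompress()` returns is too late, because the allocation has already happened. The same principle applies to any decoder placed on a pipeline that handles untrusted input.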
How to fix CVE-2021-37136
To remediate CVE-2021-37136, upgrade the affected package to the fixed version listed for its ecosystem below. Because the vulnerable decoder exposes no way to cap its output size, there is no configuration-only workaround; until the upgrade is in place, avoid handling untrusted input with Bzip2Decoder.
- Debian/netty—upgrade to 1:4.1.48-4+deb11u1 or later
- —upgrade to 1:4.1.33-1+deb10u3 or later
- —upgrade to 1:4.1.48-4+deb11u1 or later
- —no fix listed
- —upgrade to 4.1.68.Final or later
- —no fix listed
Is CVE-2021-37136 being exploited?
Low: EPSS is 1.2%, an estimated 1.2% probability of exploitation in the wild within the next 30 days. EPSS is a prediction, not a record of observed attacks, so a low score should not be read as proof that this flaw is not being exploited.
Affected packages (6)
- from 0, < 1:4.1.48-4+deb11u1
- from 0, < 1:4.1.33-1+deb10u3
- from 0, < 1:4.1.48-4+deb11u1
- from 0
- from 0, < 4.1.68.Final
- from 0
CVSS scores
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| osv | CVSS 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |

Reading the vector: reachable over the network (AV:N) with low attack complexity (AC:L), no privileges (PR:N) and no user interaction (UI:N); no confidentiality or integrity impact, but high availability impact (A:H), which is what drives the 7.5 score.