CVE-2023-4586
Withdrawn Advisory: Netty-handler does not validate host names by default
Description
## Withdrawn Advisory This advisory has been withdrawn because the underlying vulnerability only concerns Red Hat's Hot Rod client, which is not in one of the GitHub Advisory Database's [supported ecosystems](https://github.com/github/advisory-database/blob/main/README.md#supported-ecosystems). This link is maintained to preserve external references. ## Original Description Netty-handler has been found to no validate hostnames when using TLS in its default configuration. As a result netty-handler is vulnerable to man-in-the-middle attacks. Users would need to set the protocol to "HTTPS" in the SSLParameters of the SSLEngine to opt in to host name validation. A change in default behavior is expected in the `5.x` release branch with no backport planned. In the interim users are advised to enable host name validation in their configurations. See https://github.com/netty/netty/issues/8537 for details on the forthcoming change in default behavior.
How to fix CVE-2023-4586
No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.
- —no fix listed
Is CVE-2023-4586 being exploited?
Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- >= 4.1.0.Final, <= 4.1.99.Final
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |