What is CVE-2024-36121?

CVE-2024-36121 is a medium-severity vulnerability in Netty Netty-incubator-codec-ohttp, classified under Information Disclosure. CVSS score: 5.9/10. Published 2024-06-04.

How severe is CVE-2024-36121?

Medium severity. CVSS v3 base score is 5.9 out of 10.

Information disclosure in Netty Netty-incubator-codec-ohttp

CVE-2024-36121

netty-incubator-codec-ohttp is the OHTTP implementation for netty. BoringSSLAEADContext keeps track of how many OHTTP responses have been sent and uses this sequence number to calculate the appropriate nonce to use with the encryption alg…

Vulnerability class: Information Disclosure

EPSS: 0.004 (61.3th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 5.9 (Medium). Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N.

Affected products

Netty Netty-incubator-codec-ohttp — versions >= 0.0.3.Final, < 0.0.11.Final

Weakness classification (CWE)

CWE-200 — Information Disclosure
CWE-190 — Integer Overflow or Wraparound
CWE-323 — Reusing a Nonce, Key Pair in Encryption

References

https://github.com/netty/netty-incubator-codec-ohttp/security/advisories/GHSA-g762-h86w-8749 (x_refsource_CONFIRM)
https://github.com/netty/netty-incubator-codec-ohttp/blob/1ddadb6473cd3be5491d114431ed4c1a9f316001/codec-ohttp-hpke-classes-boringssl/src/main/java/io/netty/incubator/codec/hpke/boringssl/BoringSSLAEADContext.java#L112-L114 (x_refsource_MISC)

Frequently asked questions

What is CVE-2024-36121?: CVE-2024-36121 is a medium-severity vulnerability in Netty Netty-incubator-codec-ohttp, classified under Information Disclosure. CVSS score: 5.9/10. Published 2024-06-04.
How severe is CVE-2024-36121?: Medium severity. CVSS v3 base score is 5.9 out of 10.