Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:rpm/redhat/eap7-netty-xnio-transport@0.1.10-1.Final_redhat_00001.1?arch=el7eap
Typerpm
Namespaceredhat
Nameeap7-netty-xnio-transport
Version0.1.10-1.Final_redhat_00001.1
Qualifiers
arch el7eap
Subpath
Is_vulnerabletrue
Next_non_vulnerable_versionnull
Latest_non_vulnerable_versionnull
Affected_by_vulnerabilities
0
url VCID-2e6w-fs4j-17g9
vulnerability_id VCID-2e6w-fs4j-17g9
summary HTTP/2 incoming headers exceeding the limit are temporarily buffered in nghttp2 in order to generate an informative HTTP 413 response. If a client does not stop sending headers, this leads to memory exhaustion.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-27316.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-27316.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-27316
reference_id
reference_type
scores
0
value 0.89409
scoring_system epss
scoring_elements 0.9955
published_at 2026-04-18T12:55:00Z
1
value 0.89409
scoring_system epss
scoring_elements 0.99542
published_at 2026-04-02T12:55:00Z
2
value 0.89409
scoring_system epss
scoring_elements 0.99543
published_at 2026-04-04T12:55:00Z
3
value 0.89409
scoring_system epss
scoring_elements 0.99545
published_at 2026-04-11T12:55:00Z
4
value 0.89409
scoring_system epss
scoring_elements 0.99546
published_at 2026-04-13T12:55:00Z
5
value 0.89409
scoring_system epss
scoring_elements 0.99549
published_at 2026-04-21T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-27316
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-31122
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-31122
3
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38709
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38709
4
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-43622
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-43622
5
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45802
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45802
6
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24795
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24795
7
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-27316
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-27316
8
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
9
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068412
reference_id 1068412
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068412
10
reference_url https://www.openwall.com/lists/oss-security/2024/04/03/16
reference_id 16
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-07-29T15:46:29Z/
url https://www.openwall.com/lists/oss-security/2024/04/03/16
11
reference_url http://seclists.org/fulldisclosure/2024/Jul/18
reference_id 18
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-07-29T15:46:29Z/
url http://seclists.org/fulldisclosure/2024/Jul/18
12
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2268277
reference_id 2268277
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2268277
13
reference_url http://www.openwall.com/lists/oss-security/2024/04/04/4
reference_id 4
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-07-29T15:46:29Z/
url http://www.openwall.com/lists/oss-security/2024/04/04/4
14
reference_url https://httpd.apache.org/security/json/CVE-2024-27316.json
reference_id CVE-2024-27316
reference_type
scores
url https://httpd.apache.org/security/json/CVE-2024-27316.json
15
reference_url https://security.gentoo.org/glsa/202409-31
reference_id GLSA-202409-31
reference_type
scores
url https://security.gentoo.org/glsa/202409-31
16
reference_url https://support.apple.com/kb/HT214119
reference_id HT214119
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-07-29T15:46:29Z/
url https://support.apple.com/kb/HT214119
17
reference_url https://access.redhat.com/errata/RHSA-2024:1786
reference_id RHSA-2024:1786
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:1786
18
reference_url https://access.redhat.com/errata/RHSA-2024:1872
reference_id RHSA-2024:1872
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:1872
19
reference_url https://access.redhat.com/errata/RHSA-2024:2564
reference_id RHSA-2024:2564
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:2564
20
reference_url https://access.redhat.com/errata/RHSA-2024:2693
reference_id RHSA-2024:2693
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:2693
21
reference_url https://access.redhat.com/errata/RHSA-2024:2694
reference_id RHSA-2024:2694
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:2694
22
reference_url https://access.redhat.com/errata/RHSA-2024:2891
reference_id RHSA-2024:2891
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:2891
23
reference_url https://access.redhat.com/errata/RHSA-2024:2907
reference_id RHSA-2024:2907
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:2907
24
reference_url https://access.redhat.com/errata/RHSA-2024:3402
reference_id RHSA-2024:3402
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:3402
25
reference_url https://access.redhat.com/errata/RHSA-2024:3417
reference_id RHSA-2024:3417
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:3417
26
reference_url https://access.redhat.com/errata/RHSA-2024:4390
reference_id RHSA-2024:4390
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:4390
27
reference_url https://access.redhat.com/errata/RHSA-2025:16668
reference_id RHSA-2025:16668
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:16668
28
reference_url https://usn.ubuntu.com/6729-1/
reference_id USN-6729-1
reference_type
scores
url https://usn.ubuntu.com/6729-1/
29
reference_url https://usn.ubuntu.com/6729-2/
reference_id USN-6729-2
reference_type
scores
url https://usn.ubuntu.com/6729-2/
30
reference_url https://usn.ubuntu.com/6729-3/
reference_id USN-6729-3
reference_type
scores
url https://usn.ubuntu.com/6729-3/
fixed_packages
aliases CVE-2024-27316
risk_score 10.0
exploitability 2.0
weighted_severity 6.8
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-2e6w-fs4j-17g9
1
url VCID-rewk-dvth-tubh
vulnerability_id VCID-rewk-dvth-tubh
summary 
Netty's HttpPostRequestDecoder can OOM
### Summary
The `HttpPostRequestDecoder` can be tricked to accumulate data. I have spotted currently two attack vectors 

### Details
1. While the decoder can store items on the disk if configured so, there are no limits to the number of fields the form can have, an attacher can send a chunked post consisting of many small fields that will be accumulated in the `bodyListHttpData` list.
2. The decoder cumulates bytes in the `undecodedChunk` buffer until it can decode a field, this field can cumulate data without limits

### PoC

Here is a Netty branch that provides a fix + tests : https://github.com/vietj/netty/tree/post-request-decoder


Here is a reproducer with Vert.x (which uses this decoder) https://gist.github.com/vietj/f558b8ea81ec6505f1e9a6ca283c9ae3

### Impact
Any Netty based HTTP server that uses the `HttpPostRequestDecoder` to decode a form.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-29025.json
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-29025.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-29025
reference_id
reference_type
scores
0
value 0.00261
scoring_system epss
scoring_elements 0.49387
published_at 2026-04-07T12:55:00Z
1
value 0.00261
scoring_system epss
scoring_elements 0.49407
published_at 2026-04-02T12:55:00Z
2
value 0.00261
scoring_system epss
scoring_elements 0.49442
published_at 2026-04-08T12:55:00Z
3
value 0.00261
scoring_system epss
scoring_elements 0.49434
published_at 2026-04-04T12:55:00Z
4
value 0.00268
scoring_system epss
scoring_elements 0.50306
published_at 2026-04-11T12:55:00Z
5
value 0.00268
scoring_system epss
scoring_elements 0.50278
published_at 2026-04-09T12:55:00Z
6
value 0.00268
scoring_system epss
scoring_elements 0.50279
published_at 2026-04-12T12:55:00Z
7
value 0.00324
scoring_system epss
scoring_elements 0.55489
published_at 2026-04-13T12:55:00Z
8
value 0.00324
scoring_system epss
scoring_elements 0.55529
published_at 2026-04-18T12:55:00Z
9
value 0.00324
scoring_system epss
scoring_elements 0.55508
published_at 2026-04-21T12:55:00Z
10
value 0.00324
scoring_system epss
scoring_elements 0.55525
published_at 2026-04-16T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-29025
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-29025
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-29025
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://gist.github.com/vietj/f558b8ea81ec6505f1e9a6ca283c9ae3
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-07-19T15:54:48Z/
url https://gist.github.com/vietj/f558b8ea81ec6505f1e9a6ca283c9ae3
5
reference_url https://github.com/netty/netty
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/netty/netty
6
reference_url https://github.com/netty/netty/commit/0d0c6ed782d13d423586ad0c71737b2c7d02058c
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-07-19T15:54:48Z/
url https://github.com/netty/netty/commit/0d0c6ed782d13d423586ad0c71737b2c7d02058c
7
reference_url https://github.com/netty/netty/security/advisories/GHSA-5jpm-x58v-624v
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-07-19T15:54:48Z/
url https://github.com/netty/netty/security/advisories/GHSA-5jpm-x58v-624v
8
reference_url https://github.com/vietj/netty/tree/post-request-decoder
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/vietj/netty/tree/post-request-decoder
9
reference_url https://lists.debian.org/debian-lts-announce/2024/06/msg00015.html
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-07-19T15:54:48Z/
url https://lists.debian.org/debian-lts-announce/2024/06/msg00015.html
10
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-29025
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-29025
11
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068110
reference_id 1068110
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068110
12
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2272907
reference_id 2272907
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2272907
13
reference_url https://github.com/advisories/GHSA-5jpm-x58v-624v
reference_id GHSA-5jpm-x58v-624v
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-5jpm-x58v-624v
14
reference_url https://access.redhat.com/errata/RHSA-2024:3550
reference_id RHSA-2024:3550
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:3550
15
reference_url https://access.redhat.com/errata/RHSA-2024:4460
reference_id RHSA-2024:4460
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:4460
16
reference_url https://access.redhat.com/errata/RHSA-2024:5479
reference_id RHSA-2024:5479
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:5479
17
reference_url https://access.redhat.com/errata/RHSA-2024:5481
reference_id RHSA-2024:5481
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:5481
18
reference_url https://access.redhat.com/errata/RHSA-2024:5482
reference_id RHSA-2024:5482
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:5482
19
reference_url https://access.redhat.com/errata/RHSA-2024:6657
reference_id RHSA-2024:6657
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:6657
20
reference_url https://usn.ubuntu.com/7284-1/
reference_id USN-7284-1
reference_type
scores
url https://usn.ubuntu.com/7284-1/
fixed_packages
aliases CVE-2024-29025, GHSA-5jpm-x58v-624v
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-rewk-dvth-tubh
Fixing_vulnerabilities
Risk_score10.0
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:rpm/redhat/eap7-netty-xnio-transport@0.1.10-1.Final_redhat_00001.1%3Farch=el7eap