Vulnerability details: VCID-4vwg-qv93-6qbn
Vulnerability ID VCID-4vwg-qv93-6qbn
Aliases CVE-2022-24823
GHSA-269q-hmxg-m83q
Summary Netty is an open-source, asynchronous event-driven network application framework. The package `io.netty:netty-codec-http` prior to version 4.1.77.Final contains an insufficient fix for CVE-2021-21290. When Netty's multipart decoders are used, local information disclosure can occur via the local system temporary directory if temporarily storing uploads on disk is enabled. This only impacts applications running on Java version 6 and lower. Additionally, this vulnerability impacts code running on Unix-like systems, and very old versions of Mac OSX and Windows, as they all share the system temporary directory between all users. Version 4.1.77.Final contains a patch for this vulnerability. As a workaround, specify one's own `java.io.tmpdir` when starting the JVM or use `DefaultHttpDataFactory.setBaseDir(...)` to set the directory to something that is only readable by the current user.
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
System Score Found at
cvssv3 5.5 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-24823.json
epss 0.00285 https://api.first.org/data/v1/epss?cve=CVE-2022-24823
cvssv3.1 6.2 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-269q-hmxg-m83q
cvssv3.1 5.5 https://github.com/netty/netty
generic_textual MODERATE https://github.com/netty/netty
cvssv3.1 5.5 https://github.com/netty/netty/commit/185f8b2756a36aaa4f973f1a2a025e7d981823f1
generic_textual MODERATE https://github.com/netty/netty/commit/185f8b2756a36aaa4f973f1a2a025e7d981823f1
ssvc Track https://github.com/netty/netty/commit/185f8b2756a36aaa4f973f1a2a025e7d981823f1
cvssv3.1 5.5 https://github.com/netty/netty/security/advisories/GHSA-269q-hmxg-m83q
cvssv3.1_qr MODERATE https://github.com/netty/netty/security/advisories/GHSA-269q-hmxg-m83q
generic_textual MODERATE https://github.com/netty/netty/security/advisories/GHSA-269q-hmxg-m83q
ssvc Track https://github.com/netty/netty/security/advisories/GHSA-269q-hmxg-m83q
cvssv3.1 5.5 https://github.com/netty/netty/security/advisories/GHSA-5mcr-gq6c-3hq2
generic_textual MODERATE https://github.com/netty/netty/security/advisories/GHSA-5mcr-gq6c-3hq2
ssvc Track https://github.com/netty/netty/security/advisories/GHSA-5mcr-gq6c-3hq2
cvssv2 1.9 https://nvd.nist.gov/vuln/detail/CVE-2022-24823
cvssv3.1 5.5 https://nvd.nist.gov/vuln/detail/CVE-2022-24823
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2022-24823
cvssv3.1 5.5 https://security.netapp.com/advisory/ntap-20220616-0004
generic_textual MODERATE https://security.netapp.com/advisory/ntap-20220616-0004
cvssv3.1 5.5 https://security.netapp.com/advisory/ntap-20220616-0004/
ssvc Track https://security.netapp.com/advisory/ntap-20220616-0004/
cvssv3.1 5.5 https://www.oracle.com/security-alerts/cpujul2022.html
generic_textual MODERATE https://www.oracle.com/security-alerts/cpujul2022.html
ssvc Track https://www.oracle.com/security-alerts/cpujul2022.html
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-24823.json
https://api.first.org/data/v1/epss?cve=CVE-2022-24823
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24823
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://github.com/netty/netty
https://github.com/netty/netty/commit/185f8b2756a36aaa4f973f1a2a025e7d981823f1
https://github.com/netty/netty/security/advisories/GHSA-269q-hmxg-m83q
https://github.com/netty/netty/security/advisories/GHSA-5mcr-gq6c-3hq2
https://nvd.nist.gov/vuln/detail/CVE-2022-24823
https://security.netapp.com/advisory/ntap-20220616-0004
https://security.netapp.com/advisory/ntap-20220616-0004/
https://www.oracle.com/security-alerts/cpujul2022.html
1010693 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1010693
2087186 https://bugzilla.redhat.com/show_bug.cgi?id=2087186
cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:linux:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:linux:*:*
cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*
cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*
cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:*
cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_crime_and_compliance_management_studio:8.0.8.2.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:oracle:financial_services_crime_and_compliance_management_studio:8.0.8.2.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_crime_and_compliance_management_studio:8.0.8.3.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:oracle:financial_services_crime_and_compliance_management_studio:8.0.8.3.0:*:*:*:*:*:*:*
GHSA-269q-hmxg-m83q https://github.com/advisories/GHSA-269q-hmxg-m83q
RHSA-2022:5892 https://access.redhat.com/errata/RHSA-2022:5892
RHSA-2022:5893 https://access.redhat.com/errata/RHSA-2022:5893
RHSA-2022:5894 https://access.redhat.com/errata/RHSA-2022:5894
RHSA-2022:5928 https://access.redhat.com/errata/RHSA-2022:5928
RHSA-2022:6819 https://access.redhat.com/errata/RHSA-2022:6819
RHSA-2022:6916 https://access.redhat.com/errata/RHSA-2022:6916
RHSA-2022:8524 https://access.redhat.com/errata/RHSA-2022:8524
RHSA-2022:8652 https://access.redhat.com/errata/RHSA-2022:8652
RHSA-2023:3223 https://access.redhat.com/errata/RHSA-2023:3223
RHSA-2023:5165 https://access.redhat.com/errata/RHSA-2023:5165
USN-7284-1 https://usn.ubuntu.com/7284-1/
No exploits are available.
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-24823.json
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/netty/netty
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/netty/netty/commit/185f8b2756a36aaa4f973f1a2a025e7d981823f1
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:48:11Z/ Found at https://github.com/netty/netty/commit/185f8b2756a36aaa4f973f1a2a025e7d981823f1
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/netty/netty/security/advisories/GHSA-269q-hmxg-m83q
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:48:11Z/ Found at https://github.com/netty/netty/security/advisories/GHSA-269q-hmxg-m83q
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/netty/netty/security/advisories/GHSA-5mcr-gq6c-3hq2
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:48:11Z/ Found at https://github.com/netty/netty/security/advisories/GHSA-5mcr-gq6c-3hq2
Vector: AV:L/AC:M/Au:N/C:P/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2022-24823
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2022-24823
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Found at https://security.netapp.com/advisory/ntap-20220616-0004
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Found at https://security.netapp.com/advisory/ntap-20220616-0004/
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:48:11Z/ Found at https://security.netapp.com/advisory/ntap-20220616-0004/
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Found at https://www.oracle.com/security-alerts/cpujul2022.html
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:48:11Z/ Found at https://www.oracle.com/security-alerts/cpujul2022.html
Exploit Prediction Scoring System (EPSS)
Percentile 0.51503
EPSS Score 0.00285
Published At June 30, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-07-01T12:19:56.050062+00:00 Ubuntu USN Importer Import https://usn.ubuntu.com/7284-1/ 36.1.3