VulnerableCode Vulnerability Details

Search for vulnerabilities

Vulnerability details: VCID-aju4-13wq-j3az

Essentials
Severities (39)
References (24)
Severity details (25)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-aju4-13wq-j3az
Aliases	CVE-2023-34462 GHSA-6mjq-h674-j845
Summary	netty-handler SniHandler 16MB allocation ### Summary The `SniHandler` can allocate up to 16MB of heap for each channel during the TLS handshake. When the handler or the channel does not have an idle timeout, it can be used to make a TCP server using the `SniHandler` to allocate 16MB of heap. ### Details The `SniHandler` class is a handler that waits for the TLS handshake to configure a `SslHandler` according to the indicated server name by the `ClientHello` record. For this matter it allocates a `ByteBuf` using the value defined in the `ClientHello` record. Normally the value of the packet should be smaller than the handshake packet but there are not checks done here and the way the code is written, it is possible to craft a packet that makes the `SslClientHelloHandler` 1/ allocate a 16MB `ByteBuf` 2/ not fail `decode` method `in` buffer 3/ get out of the loop without an exception The combination of this without the use of a timeout makes easy to connect to a TCP server and allocate 16MB of heap memory per connection. ### Impact If the user has no idle timeout handler configured it might be possible for a remote peer to send a client hello packet which lead the server to buffer up to 16MB of data per connection. This could lead to a OutOfMemoryError and so result in a DDOS.
Status	Published
Exploitability	0.5
Weighted Severity	6.2
Risk	3.1
Affected and Fixed Packages	Package Details

Weaknesses (4)

CWE-400	Uncontrolled Resource Consumption
CWE-770	Allocation of Resources Without Limits or Throttling
CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities

System	Score	Found at
cvssv3	6.5	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-34462.json
epss	0.00416	https://api.first.org/data/v1/epss?cve=CVE-2023-34462
epss	0.00416	https://api.first.org/data/v1/epss?cve=CVE-2023-34462
epss	0.00416	https://api.first.org/data/v1/epss?cve=CVE-2023-34462
epss	0.00416	https://api.first.org/data/v1/epss?cve=CVE-2023-34462
epss	0.00416	https://api.first.org/data/v1/epss?cve=CVE-2023-34462
epss	0.00416	https://api.first.org/data/v1/epss?cve=CVE-2023-34462
epss	0.00519	https://api.first.org/data/v1/epss?cve=CVE-2023-34462
epss	0.00519	https://api.first.org/data/v1/epss?cve=CVE-2023-34462
epss	0.00519	https://api.first.org/data/v1/epss?cve=CVE-2023-34462
epss	0.00519	https://api.first.org/data/v1/epss?cve=CVE-2023-34462
epss	0.00519	https://api.first.org/data/v1/epss?cve=CVE-2023-34462
epss	0.00563	https://api.first.org/data/v1/epss?cve=CVE-2023-34462
epss	0.00563	https://api.first.org/data/v1/epss?cve=CVE-2023-34462
epss	0.00563	https://api.first.org/data/v1/epss?cve=CVE-2023-34462
cvssv3.1	6.5	https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1_qr	MODERATE	https://github.com/advisories/GHSA-6mjq-h674-j845
cvssv3.1	6.5	https://github.com/netty/netty
generic_textual	MODERATE	https://github.com/netty/netty
cvssv3.1	6.5	https://github.com/netty/netty/commit/535da17e45201ae4278c0479e6162bb4127d4c32
generic_textual	MODERATE	https://github.com/netty/netty/commit/535da17e45201ae4278c0479e6162bb4127d4c32
ssvc	Track	https://github.com/netty/netty/commit/535da17e45201ae4278c0479e6162bb4127d4c32
cvssv3.1	6.5	https://github.com/netty/netty/security/advisories/GHSA-6mjq-h674-j845
cvssv3.1_qr	MODERATE	https://github.com/netty/netty/security/advisories/GHSA-6mjq-h674-j845
generic_textual	MODERATE	https://github.com/netty/netty/security/advisories/GHSA-6mjq-h674-j845
ssvc	Track	https://github.com/netty/netty/security/advisories/GHSA-6mjq-h674-j845
cvssv3.1	6.5	https://nvd.nist.gov/vuln/detail/CVE-2023-34462
generic_textual	MODERATE	https://nvd.nist.gov/vuln/detail/CVE-2023-34462
cvssv3.1	6.5	https://security.netapp.com/advisory/ntap-20230803-0001
generic_textual	MODERATE	https://security.netapp.com/advisory/ntap-20230803-0001
cvssv3.1	6.5	https://security.netapp.com/advisory/ntap-20230803-0001/
ssvc	Track	https://security.netapp.com/advisory/ntap-20230803-0001/
cvssv3.1	6.5	https://security.netapp.com/advisory/ntap-20240621-0007
generic_textual	MODERATE	https://security.netapp.com/advisory/ntap-20240621-0007
cvssv3.1	6.5	https://security.netapp.com/advisory/ntap-20240621-0007/
ssvc	Track	https://security.netapp.com/advisory/ntap-20240621-0007/
cvssv3.1	6.5	https://www.debian.org/security/2023/dsa-5558
generic_textual	MODERATE	https://www.debian.org/security/2023/dsa-5558
ssvc	Track	https://www.debian.org/security/2023/dsa-5558

Reference id	Reference type	URL
		https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-34462.json
		https://api.first.org/data/v1/epss?cve=CVE-2023-34462
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-34462
		https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
		https://github.com/netty/netty
		https://github.com/netty/netty/commit/535da17e45201ae4278c0479e6162bb4127d4c32
		https://github.com/netty/netty/security/advisories/GHSA-6mjq-h674-j845
		https://nvd.nist.gov/vuln/detail/CVE-2023-34462
		https://security.netapp.com/advisory/ntap-20230803-0001
		https://security.netapp.com/advisory/ntap-20230803-0001/
		https://security.netapp.com/advisory/ntap-20240621-0007
		https://security.netapp.com/advisory/ntap-20240621-0007/
		https://www.debian.org/security/2023/dsa-5558
1038947		https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1038947
2216888		https://bugzilla.redhat.com/show_bug.cgi?id=2216888
cpe:2.3:a:netty:netty::::::::		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:netty:netty::::::::
GHSA-6mjq-h674-j845		https://github.com/advisories/GHSA-6mjq-h674-j845
RHSA-2023:5165		https://access.redhat.com/errata/RHSA-2023:5165
RHSA-2023:5441		https://access.redhat.com/errata/RHSA-2023:5441
RHSA-2023:5946		https://access.redhat.com/errata/RHSA-2023:5946
RHSA-2023:7669		https://access.redhat.com/errata/RHSA-2023:7669
RHSA-2023:7697		https://access.redhat.com/errata/RHSA-2023:7697
RHSA-2024:0148		https://access.redhat.com/errata/RHSA-2024:0148
USN-6994-1		https://usn.ubuntu.com/6994-1/

No exploits are available.

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-34462.json

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/netty/netty

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/netty/netty/commit/535da17e45201ae4278c0479e6162bb4127d4c32

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-16T18:36:13Z/ Found at https://github.com/netty/netty/commit/535da17e45201ae4278c0479e6162bb4127d4c32

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/netty/netty/security/advisories/GHSA-6mjq-h674-j845

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-16T18:36:13Z/ Found at https://github.com/netty/netty/security/advisories/GHSA-6mjq-h674-j845

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2023-34462

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H Found at https://security.netapp.com/advisory/ntap-20230803-0001

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H Found at https://security.netapp.com/advisory/ntap-20230803-0001/

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-16T18:36:13Z/ Found at https://security.netapp.com/advisory/ntap-20230803-0001/

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H Found at https://security.netapp.com/advisory/ntap-20240621-0007

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H Found at https://security.netapp.com/advisory/ntap-20240621-0007/

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-16T18:36:13Z/ Found at https://security.netapp.com/advisory/ntap-20240621-0007/

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H Found at https://www.debian.org/security/2023/dsa-5558

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-16T18:36:13Z/ Found at https://www.debian.org/security/2023/dsa-5558

Exploit Prediction Scoring System (EPSS)

Percentile	0.60767
EPSS Score	0.00416
Published At	June 30, 2025, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2025-07-01T12:15:56.929570+00:00	GithubOSV Importer	Import	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/06/GHSA-6mjq-h674-j845/GHSA-6mjq-h674-j845.json	36.1.3