{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2021-37137", "assignerOrgId": "48a46f29-ae42-4e1d-90dd-c1676c1e5e6d", "assignerShortName": "JFROG", "dateUpdated": "2023-01-12T00:00:00", "dateReserved": "2021-07-20T00:00:00", "datePublished": "2021-10-19T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "48a46f29-ae42-4e1d-90dd-c1676c1e5e6d", "shortName": "JFROG", "dateUpdated": "2023-01-12T00:00:00"}, "descriptions": [{"lang": "en", "value": "The Snappy frame decoder function doesn't restrict the chunk length which may lead to excessive memory usage. Beside this it also may buffer reserved skippable chunks until the whole chunk was received which may lead to excessive memory usage as well. This vulnerability can be triggered by supplying malicious input that decompresses to a very big size (via a network stream or a file) or by sending a huge skippable chunk."}], "affected": [{"vendor": "The Netty project", "product": "Netty", "versions": [{"version": "unspecified", "lessThan": "4.1.68Final", "status": "affected", "versionType": "custom"}]}], "references": [{"url": "https://github.com/netty/netty/security/advisories/GHSA-9vjp-v76f-g363"}, {"name": "[tinkerpop-dev] 20211025 [jira] [Created] (TINKERPOP-2632) Netty 4.1.61 flagged with two high severity security violations", "tags": ["mailing-list"], "url": "https://lists.apache.org/thread.html/rfb2bf8597e53364ccab212fbcbb2a4e9f0a9e1429b1dc08023c6868e%40%3Cdev.tinkerpop.apache.org%3E"}, {"name": "[druid-commits] 20211025 [GitHub] [druid] jihoonson opened a new pull request #11844: Bump netty4 to 4.1.68; suppress CVE-2021-37136 and CVE-2021-37137 for netty3", "tags": ["mailing-list"], "url": "https://lists.apache.org/thread.html/r75490c61c2cb7b6ae2c81238fd52ae13636c60435abcd732d41531a0%40%3Ccommits.druid.apache.org%3E"}, {"name": "[druid-commits] 20211025 [GitHub] [druid] jihoonson commented on pull request #11844: Bump netty4 to 4.1.68; suppress CVE-2021-37136 and CVE-2021-37137 for netty3", "tags": ["mailing-list"], "url": "https://lists.apache.org/thread.html/r5406eaf3b07577d233b9f07cfc8f26e28369e6bab5edfcab41f28abb%40%3Ccommits.druid.apache.org%3E"}, {"name": "[druid-commits] 20211025 [GitHub] [druid] a2l007 commented on pull request #11844: Bump netty4 to 4.1.68; suppress CVE-2021-37136 and CVE-2021-37137 for netty3", "tags": ["mailing-list"], "url": "https://lists.apache.org/thread.html/r5e05eba32476c580412f9fbdfc9b8782d5b40558018ac4ac07192a04%40%3Ccommits.druid.apache.org%3E"}, {"name": "[druid-commits] 20211026 [GitHub] [druid] clintropolis merged pull request #11844: Bump netty4 to 4.1.68; suppress CVE-2021-37136 and CVE-2021-37137 for netty3", "tags": ["mailing-list"], "url": "https://lists.apache.org/thread.html/r06a145c9bd41a7344da242cef07977b24abe3349161ede948e30913d%40%3Ccommits.druid.apache.org%3E"}, {"name": "[druid-commits] 20211026 [GitHub] [druid] jihoonson commented on pull request #11844: Bump netty4 to 4.1.68; suppress CVE-2021-37136 and CVE-2021-37137 for netty3", "tags": ["mailing-list"], "url": "https://lists.apache.org/thread.html/rd262f59b1586a108e320e5c966feeafbb1b8cdc96965debc7cc10b16%40%3Ccommits.druid.apache.org%3E"}, {"url": "https://www.oracle.com/security-alerts/cpujan2022.html"}, {"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"}, {"url": "https://security.netapp.com/advisory/ntap-20220210-0012/"}, {"url": "https://www.oracle.com/security-alerts/cpujul2022.html"}, {"name": "[debian-lts-announce] 20230111 [SECURITY] [DLA 3268-1] netty security update", "tags": ["mailing-list"], "url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00008.html"}, {"name": "DSA-5316", "tags": ["vendor-advisory"], "url": "https://www.debian.org/security/2023/dsa-5316"}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-400", "cweId": "CWE-400"}]}]}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:*", "matchCriteriaId": "FF41DE29-2A17-4085-9F00-811E461E36EC", "versionEndExcluding": "4.1.68", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:oracle:banking_apis:*:*:*:*:*:*:*:*", "matchCriteriaId": "6DF2D056-3118-4C31-BEDD-69F016898CBB", "versionEndIncluding": "18.3", "versionStartIncluding": "18.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:banking_apis:19.1:*:*:*:*:*:*:*", "matchCriteriaId": "CF34B11F-3DE1-4C22-8EB1-AEE5CE5E4172", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:banking_apis:19.2:*:*:*:*:*:*:*", "matchCriteriaId": "86F03B63-F922-45CD-A7D1-326DB0042875", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:banking_apis:20.1:*:*:*:*:*:*:*", "matchCriteriaId": "7CBFC93F-8B39-45A2-981C-59B187169BD4", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:banking_apis:21.1:*:*:*:*:*:*:*", "matchCriteriaId": "0843465C-F940-4FFC-998D-9A2668B75EA0", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:banking_digital_experience:18.1:*:*:*:*:*:*:*", "matchCriteriaId": "BBE7BF09-B89C-4590-821E-6C0587E096B5", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:banking_digital_experience:18.2:*:*:*:*:*:*:*", "matchCriteriaId": "ADAE8A71-0BCD-42D5-B38C-9B2A27CC1E6B", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:banking_digital_experience:18.3:*:*:*:*:*:*:*", "matchCriteriaId": "E7231D2D-4092-44F3-B60A-D7C9ED78AFDF", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:banking_digital_experience:19.1:*:*:*:*:*:*:*", "matchCriteriaId": "F7BDFC10-45A0-46D8-AB92-4A5E2C1C76ED", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:banking_digital_experience:19.2:*:*:*:*:*:*:*", "matchCriteriaId": "18127694-109C-4E7E-AE79-0BA351849291", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:banking_digital_experience:20.1:*:*:*:*:*:*:*", "matchCriteriaId": "33F68878-BC19-4DB8-8A72-BD9FE3D0ACEC", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:banking_digital_experience:21.1:*:*:*:*:*:*:*", "matchCriteriaId": "0D6895A6-511A-4DC6-9F9B-58E05B86BDB1", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:commerce_guided_search:11.3.2:*:*:*:*:*:*:*", "matchCriteriaId": "2A3622F5-5976-4BBC-A147-FC8A6431EA79", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:communications_brm_-_elastic_charging_engine:*:*:*:*:*:*:*:*", "matchCriteriaId": "6894D860-000E-439D-8AB7-07E9B2ACC31B", "versionEndExcluding": "12.0.0.4.6", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:communications_brm_-_elastic_charging_engine:12.0.0.5.0:*:*:*:*:*:*:*", "matchCriteriaId": "FD66C717-85E0-40E7-A51F-549C8196D557", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:communications_cloud_native_core_binding_support_function:1.10.0:*:*:*:*:*:*:*", "matchCriteriaId": "B6B6FE82-7BFA-481D-99D6-789B146CA18B", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:communications_diameter_signaling_router:*:*:*:*:*:*:*:*", "matchCriteriaId": "590ADE5F-0D0F-4576-8BA6-828758823442", "versionEndIncluding": "8.5.0.2", "versionStartIncluding": "8.0.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57:*:*:*:*:*:*:*", "matchCriteriaId": "7E1E416B-920B-49A0-9523-382898C2979D", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*", "matchCriteriaId": "D9DB4A14-2EF5-4B54-95D2-75E6CF9AA0A9", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.59:*:*:*:*:*:*:*", "matchCriteriaId": "C8AF00C6-B97F-414D-A8DF-057E6BFD8597", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:webcenter_portal:12.2.1.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "D6A4F71A-4269-40FC-8F61-1D1301F2B728", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:webcenter_portal:12.2.1.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "5A502118-5B2B-47AE-82EC-1999BD841103", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*", "matchCriteriaId": "6677F86F-5933-460E-B978-23A4C1407CB0", "versionEndExcluding": "2.2.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*", "matchCriteriaId": "F1BE6C1F-2565-4E97-92AA-16563E5660A5", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*", "matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The Snappy frame decoder function doesn't restrict the chunk length which may lead to excessive memory usage. Beside this it also may buffer reserved skippable chunks until the whole chunk was received which may lead to excessive memory usage as well. This vulnerability can be triggered by supplying malicious input that decompresses to a very big size (via a network stream or a file) or by sending a huge skippable chunk."}, {"lang": "es", "value": "La funci\u00f3n Snappy frame decoder no restringe la longitud de los trozos, lo que puede conllevar a un uso excesivo de memoria. Adem\u00e1s, tambi\u00e9n puede almacenar en el b\u00fafer trozos omitibles reservados hasta que se reciba el trozo completo, lo que tambi\u00e9n puede conllevar a un uso excesivo de memoria. Esta vulnerabilidad puede desencadenarse al suministrar una entrada maliciosa que se descomprime a un tama\u00f1o muy grande (por medio de un flujo de red o un archivo) o mediante el env\u00edo de un trozo omitido enorme"}], "id": "CVE-2021-37137", "lastModified": "2023-11-07T03:36:54.510", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-10-19T15:15:07.757", "references": [{"source": "reefs@jfrog.com", "tags": ["Third Party Advisory"], "url": "https://github.com/netty/netty/security/advisories/GHSA-9vjp-v76f-g363"}, {"source": "reefs@jfrog.com", "url": "https://lists.apache.org/thread.html/r06a145c9bd41a7344da242cef07977b24abe3349161ede948e30913d%40%3Ccommits.druid.apache.org%3E"}, {"source": "reefs@jfrog.com", "url": "https://lists.apache.org/thread.html/r5406eaf3b07577d233b9f07cfc8f26e28369e6bab5edfcab41f28abb%40%3Ccommits.druid.apache.org%3E"}, {"source": "reefs@jfrog.com", "url": "https://lists.apache.org/thread.html/r5e05eba32476c580412f9fbdfc9b8782d5b40558018ac4ac07192a04%40%3Ccommits.druid.apache.org%3E"}, {"source": "reefs@jfrog.com", "url": "https://lists.apache.org/thread.html/r75490c61c2cb7b6ae2c81238fd52ae13636c60435abcd732d41531a0%40%3Ccommits.druid.apache.org%3E"}, {"source": "reefs@jfrog.com", "url": "https://lists.apache.org/thread.html/rd262f59b1586a108e320e5c966feeafbb1b8cdc96965debc7cc10b16%40%3Ccommits.druid.apache.org%3E"}, {"source": "reefs@jfrog.com", "url": "https://lists.apache.org/thread.html/rfb2bf8597e53364ccab212fbcbb2a4e9f0a9e1429b1dc08023c6868e%40%3Cdev.tinkerpop.apache.org%3E"}, {"source": "reefs@jfrog.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00008.html"}, {"source": "reefs@jfrog.com", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20220210-0012/"}, {"source": "reefs@jfrog.com", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2023/dsa-5316"}, {"source": "reefs@jfrog.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"}, {"source": "reefs@jfrog.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpujan2022.html"}, {"source": "reefs@jfrog.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpujul2022.html"}], "sourceIdentifier": "reefs@jfrog.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-400"}], "source": "reefs@jfrog.com", "type": "Secondary"}]}

{}