[GHSA-fghv-69vj-qj49] Netty vulnerable to request smuggling due to incorrect parsing of chunk extensions

[yawkat]

Updates

• CVSS v4
• Severity

Comments
Netty advisory is marked as 'low': GHSA-fghv-69vj-qj49

[github]

Hi there @normanmaurer! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository.

This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory

[Copilot]

Pull Request Overview

Updates the security advisory for Netty vulnerability GHSA-fghv-69vj-qj49 to align with the upstream severity assessment, changing from HIGH to LOW severity and removing the CVSS v4 score.

• Removed CVSS v4 scoring data from the severity section
• Changed the overall severity classification from HIGH to LOW

---

_{Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.}

[normanmaurer]

Yes that looks correct

[shelbyc]

Hi @yawkat and @normanmaurer, do we need to reassess the CVSS for the CVE record or just change the severity in the global advisory?

I tried adding the exploit maturity metric to the current CVSS and got https://www.first.org/cvss/calculator/4-0#CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P https://www.first.org/cvss/calculator/4-0#CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P, 6.9/medium.

If we lower the confidentiality impact to VC:L, the CVSS becomes https://www.first.org/cvss/calculator/4-0#CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P https://www.first.org/cvss/calculator/4-0#CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P, 2.9/low.

[yawkat]

@shelbyc we discussed it on the original disclosure (not sure you can see it) and I don't believe CVSS works well here. The impact of request smuggling is too context dependent – it could be anything from CVSS 4.0 score 0.0 all the way to 9.0.

The fact that this vulnerability is only exploitable for one particular proxy, and arguably the vulnerability is more on the proxy side, lead to the 'low' assessment.

[advisory-database]

Hi @yawkat! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!