Home > Vulnerability Database > CVE-2024-36121

Mend.io Vulnerability Database

CVE-2024-36121

Good to know:

Date: June 4, 2024

netty-incubator-codec-ohttp is the OHTTP implementation for netty. BoringSSLAEADContext keeps track of how many OHTTP responses have been sent and uses this sequence number to calculate the appropriate nonce to use with the encryption algorithm. Unfortunately, two separate errors combine which would allow an attacker to cause the sequence number to overflow and thus the nonce to repeat.

Language: Java

Severity Score

5.9

Related Resources (5)

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-36121

Url: https://github.com/netty/netty-incubator-codec-ohttp/security/advisories/GHSA-g762-h86w-8749

Url: https://github.com/netty/netty-incubator-codec-ohttp/blob/1ddadb6473cd3be5491d114431ed4c1a9f316001/codec-ohttp-hpke-classes-boringssl/src/main/java/io/netty/incubator/codec/hpke/boringssl/BoringSSLAEADContext.java#L112-L114

Url: https://github.com/netty/netty-incubator-codec-ohttp

Url: https://www.mend.io/vulnerability-database/CVE-2024-36121

Severity Score

5.9

Weakness Type (CWE)

Integer Overflow or Wraparound

CWE-190

Information Leak / Disclosure

CWE-200

Reusing a Nonce, Key Pair in Encryption

CWE-323

Top Fix

Upgrade Version

Upgrade to version io.netty.incubator:netty-incubator-codec-ohttp-hpke-classes-boringssl:0.0.11.Final

Learn More

CVSS v3.1

Base Score:	5.9
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	HIGH
Privileges Required (PR):	NONE
User Interaction (UI):	REQUIRED
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	HIGH
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2024-36121

Good to know:

Date: June 4, 2024

Language: Java

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?