Helidon Oracle Helidon

Do you want an email whenever new security vulnerabilities are reported in Oracle Helidon?

By the Year

In 2022 there have been 1 vulnerability in Oracle Helidon with an average score of 8.1 out of ten. Last year Helidon had 3 security vulnerabilities published. Right now, Helidon is on track to have less security vulnerabilities in 2022 than it did last year. However, the average CVE base score of the vulnerabilities in 2022 is greater by 2.37.

Year Vulnerabilities Average Score
2022 1 8.10
2021 3 5.73
2020 0 0.00
2019 0 0.00
2018 0 0.00

It may take a day or so for new Helidon vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.

Recent Oracle Helidon Security Vulnerabilities

Vulnerability in the Helidon product of Oracle Fusion Middleware (component: Reactive WebServer)

CVE-2022-21404 8.1 - High - April 19, 2022

Vulnerability in the Helidon product of Oracle Fusion Middleware (component: Reactive WebServer). Supported versions that are affected are 1.4.10 and 2.0.0-RC1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Helidon. Successful attacks of this vulnerability can result in takeover of Helidon. CVSS 3.1 Base Score 8.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients

CVE-2021-43797 6.5 - Medium - December 09, 2021

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Netty prior to version 4.1.71.Final skips control chars when they are present at the beginning / end of the header name. It should instead fail fast as these are not allowed by the spec and could lead to HTTP request smuggling. Failing to do the validation might cause netty to "sanitize" header names before it forward these to another remote system when used as proxy. This remote system can't see the invalid usage anymore, and therefore does not do the validation itself. Users should upgrade to version 4.1.71.Final.

HTTP Request Smuggling

In Apache Commons IO before 2.7, When invoking the method FileNameUtils.normalize with an improper input string, like "//

CVE-2021-29425 4.8 - Medium - April 13, 2021

In Apache Commons IO before 2.7, When invoking the method FileNameUtils.normalize with an improper input string, like "//../foo", or "\\..\foo", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus "limited" path traversal), if the calling code would use the result to construct a path value.

Directory traversal

Netty is an open-source

CVE-2021-21409 5.9 - Medium - March 30, 2021

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with the endStream set to to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a followup of GHSA-wm47-8v5p-wjpj/CVE-2021-21295 which did miss to fix this one case. This was fixed as part of 4.1.61.Final.

HTTP Request Smuggling

Stay on top of Security Vulnerabilities

Want an email whenever new vulnerabilities are published for Oracle Jd Edwards Enterpriseone Tools or by Oracle? Click the Watch button to subscribe.

Oracle
Vendor

subscribe