HIGH 8.1

GHSA-3qp7-7mw8-wx86

Netty has an IPv6 Subnet Filter Bypass via Incorrect Comparator Masking

Details

### Summary An attacker can bypass IPv6 subnet rules due to an incorrect masking operation in IpSubnetFilterRule.compareTo(). Valid public IP addresses can bypass the restrictions.

### Details `io.netty.handler.ipfilter.IpSubnetFilterRule#compareTo(java.net.InetSocketAddress)` method performs a bitwise AND between the incoming IP address and the configured networkAddress, instead of the subnetMask.

### Impact Access Control Bypass. Attacker can bypass IpSubnetFilter IPv6 access controls.

Are you affected?

Enter the version of the package you're using.

Affected packages

Maven / io.netty:netty-handler

Introduced in: 4.2.0.Final Fixed in: 4.2.15.Final

Fix # pom.xml: bump <version>4.2.15.Final</version> for io.netty:netty-handler

Maven / io.netty:netty-handler

Introduced in: 0 Fixed in: 4.1.135.Final

Fix # pom.xml: bump <version>4.1.135.Final</version> for io.netty:netty-handler

Details

Are you affected?

Affected packages

References