[ https://issues.apache.org/jira/browse/ATLAS-4806?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17815783#comment-17815783 ]

ASF subversion and git services commented on ATLAS-4806:
--------------------------------------------------------

Commit 04645652d7918ad96911fde06a06b6a142befa64 in atlas's branch refs/heads/branch-2.0 from Disha Talreja
[ https://gitbox.apache.org/repos/asf?p=atlas.git;h=04645652d ]

ATLAS-4806: Upgrade netty to 4.1.100.Final due to CVE-2023-44487

Signed-off-by: radhikakundam <radhikakun...@apache.org>
(cherry picked from commit f9df3293d74e10894ab4730ad2b8ccc593d8bc04)

> Upgrade netty to 4.1.100.Final due to CVE-2023-44487
> ----------------------------------------------------
>
>                 Key: ATLAS-4806
>                 URL: https://issues.apache.org/jira/browse/ATLAS-4806
>             Project: Atlas
>          Issue Type: Task
>          Components: atlas-core
>            Reporter: Disha Talreja
>            Assignee: Disha Talreja
>            Priority: Major
>         Attachments: ATLAS-4806.patch
>
>
> CVE-2023-44487
> The HTTP/2 protocol allows a denial of service (server resource consumption)
> because request cancellation can reset many streams quickly, as exploited in
> the wild in August through October 2023.
> *Base Score:* [7.5 HIGH|https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?name=CVE-2023-44487&vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H&version=3.1&source=NIST]
> There is a known exploit for this vulnerability, so we need to prioritise
> this despite it being a High severity CVE and not a critical.
> [https://github.com/netty/netty/security/advisories/GHSA-xpw8-rcwv-8f8p]

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
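As an added example (not part of this Jira thread and not code from the Atlas project): a small Python check a reviewer can run over `mvn dependency:tree` output to confirm that, after a commit like this one, every resolved io.netty artifact is at or above 4.1.100.Final. A bump in the project's own pom does not guarantee the fix landed if a transitive dependency still pins an older netty, so the check looks at the resolved tree rather than the declared version. The dependency tree embedded here is constructed sample output, the coordinate `example.org:example-app` is a placeholder, and the only assumption is the line format Maven's dependency plugin prints (`groupId:artifactId:type[:classifier]:version:scope`).

```python
import re
from typing import Dict, List, Tuple

# Minimum version from the ATLAS-4806 fix: netty 4.1.100.Final addresses CVE-2023-44487.
FIXED_NETTY_VERSION = "4.1.100.Final"

# One dependency line as printed by `mvn dependency:tree`, e.g.
#   [INFO] |  +- io.netty:netty-handler:jar:4.1.96.Final:compile
# The tree-drawing prefix (|, +, -, \, spaces) is skipped; the optional
# classifier (e.g. linux-x86_64 for native transports) is handled.
DEP_RE = re.compile(
    r"^\[INFO\]\s+[|+\\\- ]*\s*"
    r"(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):(?P<type>[\w\-]+):"
    r"(?:(?P<classifier>[\w.\-]+):)?(?P<version>[\w.\-]+):(?P<scope>\w+)"
)

# Constructed sample output (assumption: placeholder project, mixed netty versions).
SAMPLE_TREE = """\
[INFO] example.org:example-app:jar:1.0.0
[INFO] +- io.netty:netty-handler:jar:4.1.96.Final:compile
[INFO] |  +- io.netty:netty-common:jar:4.1.96.Final:compile
[INFO] |  \\- io.netty:netty-transport-native-epoll:jar:linux-x86_64:4.1.96.Final:compile
[INFO] +- io.netty:netty-codec-http2:jar:4.1.100.Final:compile
[INFO] \\- org.example:other-lib:jar:2.3.4:test
"""


def version_key(version: str) -> Tuple[int, ...]:
    """Numeric prefix of a netty version, e.g. "4.1.100.Final" -> (4, 1, 100).

    The textual qualifier (Final, Beta1, ...) is ignored, so tuples compare
    numerically: (4, 1, 96) < (4, 1, 100), which plain string comparison gets wrong.
    """
    nums: List[int] = []
    for part in version.split("."):
        if not part.isdigit():
            break
        nums.append(int(part))
    return tuple(nums)


def parse_dependencies(tree_output: str) -> Dict[str, str]:
    """Map 'groupId:artifactId' -> resolved version for every dependency line.

    The root project line carries no scope and is deliberately not matched.
    If a coordinate appears more than once, the lowest version is kept so the
    report errs on the side of flagging it.
    """
    found: Dict[str, str] = {}
    for line in tree_output.splitlines():
        m = DEP_RE.match(line)
        if not m:
            continue
        coord = f"{m['group']}:{m['artifact']}"
        ver = m["version"]
        if coord not in found or version_key(ver) < version_key(found[coord]):
            found[coord] = ver
    return found


def outdated_netty(tree_output: str, minimum: str = FIXED_NETTY_VERSION) -> List[Tuple[str, str]]:
    """Return (coordinate, version) for every io.netty artifact resolved below `minimum`."""
    floor = version_key(minimum)
    return sorted(
        (coord, ver)
        for coord, ver in parse_dependencies(tree_output).items()
        if coord.startswith("io.netty:") and version_key(ver) < floor
    )


if __name__ == "__main__":
    stale = outdated_netty(SAMPLE_TREE)
    for coord, ver in stale:
        print(f"{coord} resolved to {ver}, below {FIXED_NETTY_VERSION}")
    # Non-zero exit makes this usable as a CI gate on the real tree output.
    raise SystemExit(1 if stale else 0)
```

On a real build, pipe `mvn dependency:tree -Dincludes=io.netty` into `outdated_netty` instead of the sample; the `includes` filter keeps the output to the netty artifacts. Because the key drops the qualifier, a pre-release such as a hypothetical 4.1.101.Beta1 would count as newer than 4.1.100.Final, which is the right call for a "has the fix" floor but worth knowing if you ever compare qualifiers of the same numeric version.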