5.3

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2023-4586

GHSA ID

GHSA-57m8-f3v5-hm5m

EPSS Score

0.33354%

CWE

CWE-295

Published

10/4/2023

Updated

11/10/2023

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-4586

CVE-2023-4586: Withdrawn Advisory: Netty-handler does not validate host names by default

Withdrawn Advisory

This advisory has been withdrawn because the underlying vulnerability only concerns Red Hat's Hot Rod client, which is not in one of the GitHub Advisory Database's supported ecosystems. This link is maintained to preserve external references.

Original Description

Netty-handler has been found to no validate hostnames when using TLS in its default configuration. As a result netty-handler is vulnerable to man-in-the-middle attacks. Users would need to set the protocol to "HTTPS" in the SSLParameters of the SSLEngine to opt in to host name validation. A change in default behavior is expected in the 5.x release branch with no backport planned.

In the interim users are advised to enable host name validation in their configurations. See https://github.com/netty/netty/issues/8537 for details on the forthcoming change in default behavior.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2023-4586

CVE-2023-4586:

5.3

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2023-4586

GHSA ID

GHSA-57m8-f3v5-hm5m

EPSS Score

0.33354%

CWE

CWE-295

Published

10/4/2023

Updated

11/10/2023

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
io.netty:netty-handler	maven	>= 4.1.0.Final, <= 4.1.99.Final

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from Netty's default SSL/TLS configuration not enabling hostname validation. The critical point of failure is the initialization of the SSLEngine via SslContext.newEngine, which does not set the endpoint identification algorithm to 'HTTPS' in SSLParameters. This omission bypasses certificate hostname validation. The advisory explicitly states that users must manually configure SSLParameters with 'HTTPS' to mitigate this, confirming that the default engine creation logic is the root cause. The function SslContext.newEngine is directly responsible for SSLEngine initialization in Netty, making it the primary vulnerable function.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

5.3

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2023-4586: Withdrawn Advisory: Netty-handler does not validate host names by default

Withdrawn Advisory

Original Description

CVE-2023-4586:

5.3

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

5.3

5.3

Technical Details

Basic Information

Basic Information

CVE-2023-4586: Withdrawn Advisory: Netty-handler does not validate host names by default

Withdrawn Advisory

Original Description

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI