Vulnerability: Man-in-the-Middle (MitM) #10806
Comments
Is there a possible future fix for this vulnerability issue?
Yes, as stated, we will change this in Netty 5.
Expected behavior
Actual behavior
netty-handler is vulnerable to man-in-the-middle attacks. The library uses an SSLEngine that does not verify certificate hostnames when establishing connections with clients by default. This allows an attacker to potentially intercept and modify network traffic in a successful man-in-the-middle attack.
Steps to reproduce
Minimal yet complete reproducer code (or URL to code)
Netty version
Latest version still has this vulnerability
JVM version (e.g. java -version)
OS version (e.g. uname -a)
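One way a client can turn on the hostname check that the issue describes as off by default, as an added example (not code from the issue or from the Netty project). The class name and the peerHost/peerPort parameters are assumptions; the calls are the Netty 4.x SslContext/SslHandler API and the JSSE SSLParameters API.

```java
import io.netty.channel.ChannelInitializer;
import io.netty.channel.socket.SocketChannel;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SslHandler;

import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLParameters;

// Hypothetical class name. peerHost/peerPort are the name and port the client
// dials, and the name must be what the server certificate is issued for.
public final class HostnameVerifyingInitializer extends ChannelInitializer<SocketChannel> {
    private final SslContext sslCtx;
    private final String peerHost;
    private final int peerPort;

    public HostnameVerifyingInitializer(String peerHost, int peerPort) throws SSLException {
        // Default trust managers: the certificate chain is validated against
        // the JVM trust store, but on its own this does not compare names.
        this.sslCtx = SslContextBuilder.forClient().build();
        this.peerHost = peerHost;
        this.peerPort = peerPort;
    }

    @Override
    protected void initChannel(SocketChannel ch) {
        // Weak form, for comparison: sslCtx.newHandler(ch.alloc()) builds an
        // engine with no peer name and no endpoint identification, so any
        // certificate that chains to a trusted CA is accepted.

        // Hardened form: give the engine the expected peer name, then ask
        // JSSE to apply HTTPS-style (RFC 2818) hostname matching.
        SSLEngine engine = sslCtx.newEngine(ch.alloc(), peerHost, peerPort);
        SSLParameters params = engine.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        engine.setSSLParameters(params);

        SslHandler ssl = new SslHandler(engine);
        // A name mismatch surfaces as a failed handshake future.
        ssl.handshakeFuture().addListener(f -> {
            if (!f.isSuccess()) {
                System.err.println("TLS handshake rejected: " + f.cause());
            }
        });
        ch.pipeline().addLast("ssl", ssl);
    }
}
```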