...
| date | CVE | description | versions | Risk for Deltares Open Archive | JIRA | upgrade strategy |
|---|---|---|---|---|---|---|
| September 2025 | | In netty-codec-compression 4.1.124.Final and below and netty-codec 4.2.4.Final and below, specially crafted input makes BrotliDecoder and certain other decompression decoders allocate a large number of reachable byte buffers, which can lead to denial of service: BrotliDecoder.decompress has no limit on how often it calls pull, decompressing 64K bytes at a time, and the buffers are kept in the output list and stay reachable until OOM is hit. Fixed in 4.1.125.Final and 4.2.5.Final. In 4.1.124.Final and 4.2.0.Alpha3 through 4.2.4.Final, Netty accepts a standalone newline (LF) as a chunk-size line terminator regardless of a preceding carriage return (CR), instead of requiring CRLF as HTTP/1.1 does. Combined with a reverse proxy that parses a bare LF differently (treating it as part of the chunk extension), an attacker can craft a request that the proxy sees as one request but Netty processes as two, enabling request smuggling. Fixed in 4.1.125.Final and 4.2.5.Final. Prior to 4.1.124.Final and 4.2.4.Final, Netty is vulnerable to MadeYouReset, a logical vulnerability in the HTTP/2 protocol that uses malformed HTTP/2 control frames to break the max concurrent streams limit, resulting in resource exhaustion and distributed denial of service. Patched in 4.1.124.Final and 4.2.4.Final. | | This is triggered by the Netty components bundled with OpenSearch, which are not used in the context of the Delft-FEWS archive service: it uses OpenSearch internally only and does not expose OpenSearch as a web service. | FEWS-33708 | False positive. |
| February 2025 | | Netty, an asynchronous, event-driven network application framework, has a vulnerability starting in version 4.1.91.Final and prior to version 4.1.118.Final. When a specially crafted packet is received via SslHandler, validation of that packet is not handled correctly in all cases, which can lead to a native crash. Version 4.1.118.Final contains a patch. As a workaround it is possible to either disable the native SSLEngine or change the code manually. | | This is triggered by the Netty components bundled with OpenSearch, which are not used in the context of the Delft-FEWS archive service: it uses OpenSearch internally only and does not expose OpenSearch as a web service. | | |
| November 2024 | | OpenSearch Dashboards Security Plugin adds a configuration management UI for the OpenSearch Security features to OpenSearch Dashboards. Improper validation of the nextUrl parameter can lead to an external redirect on login to OpenSearch Dashboards for specially crafted parameters; a patch is available in 1.3.19 and 2.16.0. OpenSearch Observability is a collection of plugins and applications that visualize data-driven events. An issue in the OpenSearch observability plugins allows unintended access to private tenant resources such as notebooks: the system did not properly check that the user was the resource author when accessing resources in a private tenant, potentially revealing data. The patches are included in OpenSearch 2.14. OpenSearch is a community-driven, open source fork of Elasticsearch and Kibana following the license change in early 2021. There is an issue with the implementation of tenant permissions in OpenSearch Dashboards where authenticated users with read-only access to a tenant can perform create, edit and delete operations on index metadata of dashboards and visualizations in that tenant, potentially rendering them unavailable. This affects only metadata, not index data: Dashboards correctly enforces read-only permissions when indexing and updating documents, and the issue gives users no additional read access to data. It can be mitigated by disabling the tenants functionality for the cluster. Versions 1.3.14 and 2.11.0 contain a fix. | | False positive. These are all related to OpenSearch Dashboards and the tenants used by them. We do not use the dashboards. | FEWS-32203 | The CVE will no longer be reported once the version is upgraded to 2.16, but that can only be done when we move to Java 21. |
| 2015 - 2022 | | Netty before 3.9.8.Final, 3.10.x before 3.10.3.Final, 4.0.x before 4.0.28.Final, and 4.1.x before 4.1.0.Beta5, and Play Framework 2.x before 2.3.9, might allow remote attackers to bypass the httpOnly flag on cookies and obtain sensitive information by leveraging improper validation of cookie name and value characters. Netty before 4.1.42.Final mishandles whitespace before the colon in HTTP headers (such as a "Transfer-Encoding : chunked" line), which leads to HTTP request smuggling. HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding header. In Netty versions prior to 4.1.86.Final, a StackOverflowError can be raised when parsing a malformed crafted message due to infinite recursion; this is patched in 4.1.86.Final and there is no workaround other than using a custom HaProxyMessageDecoder. | | This is triggered by the Netty components bundled with OpenSearch, which are not used in the context of the Delft-FEWS archive service: it uses OpenSearch internally only and does not expose OpenSearch as a web service. | | |
| October 2023 | | The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. | | This is triggered by the Netty components bundled with OpenSearch, which are not used in the context of the Delft-FEWS archive service: it uses OpenSearch internally only and does not expose OpenSearch as a web service. | | |
| January 2020 | CVE-2019-20444 | HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpreted as a separate header with incorrect syntax, or as an "invalid fold". | up to 202301 | 202301 and higher contain a fix that checks that every header has a colon; if not, the request is rejected. | FEWS-29351 | |
| December 2022 | CVE-2022-3064 | Parsing malicious or large YAML documents can consume excessive amounts of CPU or memory. | up to 202301 | False positive. The only YAML file used is the configuration file, which is accessible only to admins. | FEWS-29357 | |
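Several of the Netty rows above come down to lenient HTTP/1.1 parsing: a bare LF accepted as chunk-size line terminator, whitespace before the header colon, a header line without a colon, and a second Content-Length or Content-Length next to Transfer-Encoding. Each of these lets a front proxy and the backend disagree about where one request ends and the next begins, which is the basis of request smuggling. The check below is an added illustration for this page, not Netty's decoder and not code from OpenSearch or Delft-FEWS: a small strict parser that refuses every one of those constructs. The sample requests in it are constructed for the example.

```python
"""Strict HTTP/1.1 request-head and chunked-body checks.

Added example for this page: not Netty's decoder and not part of
Delft-FEWS or OpenSearch. It rejects the lenient-parsing constructs
named in the Netty advisories above. All sample requests are constructed.
"""
import re
from typing import Dict, Tuple

# A header field name must be an RFC 9110 token, so a name with trailing
# whitespace ("Transfer-Encoding : chunked") is rejected outright.
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
_HEX = re.compile(rb"^[0-9A-Fa-f]+$")


class MalformedRequest(ValueError):
    """Raised for any construct a strict parser must refuse."""


def parse_head(raw: bytes) -> Tuple[str, Dict[str, str]]:
    """Parse the request line and headers, requiring CRLF line endings.

    Rejects bare CR/LF terminators, a header without a colon, whitespace
    between name and colon, a duplicate Content-Length, and Content-Length
    combined with Transfer-Encoding (the 2019/2020 Netty smuggling primitives).
    """
    if b"\r\n\r\n" not in raw:
        raise MalformedRequest("head not terminated by CRLF CRLF")
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    # After splitting on CRLF, any CR or LF still present is a bare terminator.
    if any(b"\n" in line or b"\r" in line for line in lines):
        raise MalformedRequest("bare CR or LF inside request head")
    request_line = lines[0].decode("ascii")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        text = line.decode("latin-1")
        if ":" not in text:
            raise MalformedRequest(f"header without colon: {text!r}")
        name, value = text.split(":", 1)
        if not _TOKEN.match(name):
            raise MalformedRequest(f"invalid header name: {name!r}")
        key = name.lower()
        if key == "content-length" and key in headers:
            raise MalformedRequest("duplicate Content-Length")
        headers[key] = value.strip()  # other repeated headers simply overwrite
    if "content-length" in headers and "transfer-encoding" in headers:
        raise MalformedRequest("Content-Length together with Transfer-Encoding")
    return request_line, headers


def parse_chunked_body(body: bytes) -> bytes:
    """Decode a chunked body, accepting only CRLF after the chunk-size line.

    A decoder that also accepts a bare LF here (the September 2025 advisory)
    can disagree with a front proxy about where a chunk starts, which is the
    desynchronisation that request smuggling needs.
    """
    out = bytearray()
    pos = 0
    while True:
        end = body.find(b"\r\n", pos)
        if end < 0:
            raise MalformedRequest("chunk-size line not terminated by CRLF")
        size_line = body[pos:end]
        if b"\n" in size_line:
            raise MalformedRequest("bare LF in chunk-size line")
        size_field = size_line.split(b";", 1)[0]  # drop any chunk extension
        if not _HEX.match(size_field):
            raise MalformedRequest(f"bad chunk size: {size_field!r}")
        size = int(size_field, 16)
        pos = end + 2
        if size == 0:
            return bytes(out)  # trailers, if any, are ignored in this example
        chunk = body[pos:pos + size]
        if len(chunk) != size or body[pos + size:pos + size + 2] != b"\r\n":
            raise MalformedRequest("chunk data truncated or not followed by CRLF")
        out += chunk
        pos += size + 2


def classify(raw: bytes) -> str:
    """Return 'accepted' or 'rejected: <reason>' for a request head."""
    try:
        parse_head(raw)
        return "accepted"
    except MalformedRequest as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    # Constructed samples: one clean request plus the malformed variants above.
    samples = {
        "clean": b"POST /archive HTTP/1.1\r\nHost: fews.example\r\nTransfer-Encoding: chunked\r\n\r\n",
        "bare LF terminators": b"POST /archive HTTP/1.1\nHost: fews.example\n\n",
        "space before colon": b"POST /archive HTTP/1.1\r\nTransfer-Encoding : chunked\r\n\r\n",
        "header without colon": b"GET /archive HTTP/1.1\r\nHost fews.example\r\n\r\n",
        "two Content-Length": b"POST /archive HTTP/1.1\r\nContent-Length: 5\r\nContent-Length: 6\r\n\r\n",
        "CL plus TE": b"POST /archive HTTP/1.1\r\nContent-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n",
    }
    for label, raw in samples.items():
        print(f"{label:22s} {classify(raw)}")
    print(parse_chunked_body(b"5;ext=1\r\nhello\r\n0\r\n\r\n"))
```

Run as a script to see each constructed sample classified; the only accepted head is the clean one, and the chunked decoder returns the payload for a size line with an extension but refuses a size line ended by a bare LF.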
Deltares archive server
| date | CVE | description | versions | Risk for Deltares Open Archive | JIRA | upgrade strategy |
|---|---|---|---|---|---|---|
| January 2026 | CVE-2026-22184 | This is a bug in a reference program demonstrating how to use zlib; it is not a problem in zlib itself. | All | False positive | | False positive, no action required |
| July 2025 | CVE-2023-4770 | An uncontrolled search path element vulnerability has been found in the 4D and 4D Server Windows executables, affecting version 19 R8 100218. It consists of DLL hijacking by replacing the x64 shfolder.dll in the installation path, causing arbitrary code execution. This warning suddenly appeared for no obvious reason, as it did in the Adapters branch earlier; probably an error in the NIST database. | EA2024.02 only | False positive. Looks like a false warning coming from incibe.es? | | |
| April 2022 | CVE-2022-24785 | Included in primefaces-11.0.0.jar: moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates. A path traversal vulnerability impacts npm (server) users of Moment.js between versions 1.0.1 and 2.29.1, especially if a user-provided locale string is directly used to switch the moment locale. This is patched in 2.29.2, and the patch can be applied to all affected versions. As a workaround, sanitize the user-provided locale name before passing it to Moment.js. | up to current | False positive. User-provided locale strings are not used. | FEWS-29358 | |
| June 2022 | | Included in primefaces-11.0.0.jar: moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates. Affected versions of moment use an inefficient parsing algorithm: string-to-date parsing in moment (specifically rfc2822 parsing, which is tried by default) has quadratic (N^2) complexity on specific inputs, and a noticeable slowdown is observed with inputs above 10k characters. Users who pass user-provided strings to the moment constructor without a length check are vulnerable to (Re)DoS attacks. The problem is patched in 2.29.4, and the patch can be applied to all affected versions with minimal tweaking. Users unable to upgrade should limit the date lengths accepted from user input. | up to current | False positive. Users cannot pass a user-defined string for date parsing. | | |
| June 2022 | CVE-2020-7746 | chart.js is a JavaScript library included with the primefaces 8.0 jar file and triggers a warning for this vulnerability. As the Archive Web UI does not use chart.js functionality this is considered a false positive and there is no need to update primefaces in 2021.02 and older branches. | up to 2021.02 | False positive, the archive web interface does not use this functionality. | | |
Apache Tomcat CVE score Critical and High
...