Invalid CVE-2022-41881 in inappropriate io.netty:* packages (!21374) · Merge requests · GitLab.org / security-products / advisory-database · GitLab

Craig Andrews requested to merge candrews/gemnasium-db:fix-CVE-2022-41881 into master Dec 22, 2022

The vulnerability is in io.netty.codec:codec-haproxy, not these packages:

io.netty:netty-codec-http
io.netty:netty-codec-http2
io.netty:netty-codec
io.netty:netty-handler
io.netty:netty

Note that this MR does not invalidate this CVE in the following packages:

io.netty:netty-all (because it bundles io.netty.codec:codec-haproxy)
io.netty:netty-codec-haproxy (because this package is the source of the vulnerability)

See: https://github.com/micrometer-metrics/micrometer/issues/3571#issuecomment-1360951723