{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-50010", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-06-02T22:46:02.578Z", "datePublished": "2026-06-12T14:50:43.151Z", "dateUpdated": "2026-06-12T16:39:07.045Z"}, "containers": {"cna": {"title": "Netty's wrapping plain trust manager silently disables hostname verification", "problemTypes": [{"descriptions": [{"cweId": "CWE-347", "lang": "en", "description": "CWE-347: Improper Verification of Cryptographic Signature", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/netty/netty/security/advisories/GHSA-c653-97m9-rcg9", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/netty/netty/security/advisories/GHSA-c653-97m9-rcg9"}, {"name": "https://github.com/netty/netty/releases/tag/netty-4.1.135.Final", "tags": ["x_refsource_MISC"], "url": "https://github.com/netty/netty/releases/tag/netty-4.1.135.Final"}, {"name": "https://github.com/netty/netty/releases/tag/netty-4.2.15.Final", "tags": ["x_refsource_MISC"], "url": "https://github.com/netty/netty/releases/tag/netty-4.2.15.Final"}], "affected": [{"vendor": "netty", "product": "netty", "versions": [{"version": ">= 4.2.0.Final, < 4.2.15.Final", "status": "affected"}, {"version": "< 4.1.135.Final", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-06-12T14:50:43.151Z"}, "descriptions": [{"lang": "en", "value": "Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, SimpleTrustManagerFactory.engineGetTrustManagers() and related paths wrap any user-supplied plain X509TrustManager in X509TrustManagerWrapper, which extends X509ExtendedTrustManager but implements the 3-arg checkServerTrusted(chain, authType, SSLEngine) by discarding the SSLEngine and calling the 2-arg delegate. Because the object now IS an X509ExtendedTrustManager, neither SunJSSE's internal AbstractTrustManagerWrapper nor Netty's own OpenSslX509TrustManagerWrapper will re-wrap it to add endpoint-identification. Consequently, even though Netty 4.2 sets endpointIdentificationAlgorithm=\"HTTPS\" by default, a client built with `SslContextBuilder.forClient().trustManager(somePlainX509TrustManager)` performs no hostname verification at all. Versions 4.1.135.Final and 4.2.15.Final patch the issue."}], "source": {"advisory": "GHSA-c653-97m9-rcg9", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-06-12T16:38:52.451711Z", "id": "CVE-2026-50010", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-12T16:39:07.045Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-50010", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-06-12T16:38:52.451711Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-12T16:39:00.710Z"}}], "cna": {"title": "Netty's wrapping plain trust manager silently disables hostname verification", "source": {"advisory": "GHSA-c653-97m9-rcg9", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "netty", "product": "netty", "versions": [{"status": "affected", "version": ">= 4.2.0.Final, < 4.2.15.Final"}, {"status": "affected", "version": "< 4.1.135.Final"}]}], "references": [{"url": "https://github.com/netty/netty/security/advisories/GHSA-c653-97m9-rcg9", "name": "https://github.com/netty/netty/security/advisories/GHSA-c653-97m9-rcg9", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/netty/netty/releases/tag/netty-4.1.135.Final", "name": "https://github.com/netty/netty/releases/tag/netty-4.1.135.Final", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/netty/netty/releases/tag/netty-4.2.15.Final", "name": "https://github.com/netty/netty/releases/tag/netty-4.2.15.Final", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, SimpleTrustManagerFactory.engineGetTrustManagers() and related paths wrap any user-supplied plain X509TrustManager in X509TrustManagerWrapper, which extends X509ExtendedTrustManager but implements the 3-arg checkServerTrusted(chain, authType, SSLEngine) by discarding the SSLEngine and calling the 2-arg delegate. Because the object now IS an X509ExtendedTrustManager, neither SunJSSE's internal AbstractTrustManagerWrapper nor Netty's own OpenSslX509TrustManagerWrapper will re-wrap it to add endpoint-identification. Consequently, even though Netty 4.2 sets endpointIdentificationAlgorithm=\"HTTPS\" by default, a client built with `SslContextBuilder.forClient().trustManager(somePlainX509TrustManager)` performs no hostname verification at all. Versions 4.1.135.Final and 4.2.15.Final patch the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-347", "description": "CWE-347: Improper Verification of Cryptographic Signature"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-06-12T14:50:43.151Z"}}}, "cveMetadata": {"cveId": "CVE-2026-50010", "state": "PUBLISHED", "dateUpdated": "2026-06-12T16:39:07.045Z", "dateReserved": "2026-06-02T22:46:02.578Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-06-12T14:50:43.151Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:*", "matchCriteriaId": "3097D962-A32D-4467-AAE7-F4CBA3A349D2", "versionEndExcluding": "4.1.135", "vulnerable": true}, {"criteria": "cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:*", "matchCriteriaId": "413D4611-A46C-4BE4-AB2F-D86282F65984", "versionEndExcluding": "4.2.15", "versionStartIncluding": "4.2.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, SimpleTrustManagerFactory.engineGetTrustManagers() and related paths wrap any user-supplied plain X509TrustManager in X509TrustManagerWrapper, which extends X509ExtendedTrustManager but implements the 3-arg checkServerTrusted(chain, authType, SSLEngine) by discarding the SSLEngine and calling the 2-arg delegate. Because the object now IS an X509ExtendedTrustManager, neither SunJSSE's internal AbstractTrustManagerWrapper nor Netty's own OpenSslX509TrustManagerWrapper will re-wrap it to add endpoint-identification. Consequently, even though Netty 4.2 sets endpointIdentificationAlgorithm=\"HTTPS\" by default, a client built with `SslContextBuilder.forClient().trustManager(somePlainX509TrustManager)` performs no hostname verification at all. Versions 4.1.135.Final and 4.2.15.Final patch the issue."}], "id": "CVE-2026-50010", "lastModified": "2026-06-15T02:31:50.783", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "[email protected]", "type": "Secondary"}]}, "published": "2026-06-12T16:16:31.180", "references": [{"source": "[email protected]", "tags": ["Release Notes"], "url": "https://github.com/netty/netty/releases/tag/netty-4.1.135.Final"}, {"source": "[email protected]", "tags": ["Release Notes"], "url": "https://github.com/netty/netty/releases/tag/netty-4.2.15.Final"}, {"source": "[email protected]", "tags": ["Vendor Advisory"], "url": "https://github.com/netty/netty/security/advisories/GHSA-c653-97m9-rcg9"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-347"}], "source": "[email protected]", "type": "Primary"}]}

{"bugzilla": {"description": "netty-handler: Netty: Improper trust manager handling leads to hostname verification bypass", "id": "2488429", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2488429"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "status": "draft"}, "cwe": "CWE-347", "details": ["Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, SimpleTrustManagerFactory.engineGetTrustManagers() and related paths wrap any user-supplied plain X509TrustManager in X509TrustManagerWrapper, which extends X509ExtendedTrustManager but implements the 3-arg checkServerTrusted(chain, authType, SSLEngine) by discarding the SSLEngine and calling the 2-arg delegate. Because the object now IS an X509ExtendedTrustManager, neither SunJSSE's internal AbstractTrustManagerWrapper nor Netty's own OpenSslX509TrustManagerWrapper will re-wrap it to add endpoint-identification. Consequently, even though Netty 4.2 sets endpointIdentificationAlgorithm=\"HTTPS\" by default, a client built with `SslContextBuilder.forClient().trustManager(somePlainX509TrustManager)` performs no hostname verification at all. Versions 4.1.135.Final and 4.2.15.Final patch the issue.", "A flaw was found in Netty, a network application framework. This vulnerability allows a remote attacker to bypass hostname verification due to improper handling of user-supplied trust managers. When a client is configured with a plain X.509 Trust Manager (X509TrustManager), it fails to perform necessary hostname checks, enabling an attacker to impersonate a legitimate server. This could lead to sensitive information disclosure or man-in-the-middle attacks."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}, "name": "CVE-2026-50010", "package_state": [{"cpe": "cpe:/a:redhat:cryostat:4", "fix_state": "Affected", "package_name": "netty-handler", "product_name": "Cryostat 4"}, {"cpe": "cpe:/a:redhat:serverless:1", "fix_state": "Affected", "package_name": "openshift-serverless-1/kn-ekb-dispatcher-rhel9", "product_name": "OpenShift Serverless"}, {"cpe": "cpe:/a:redhat:serverless:1", "fix_state": "Affected", "package_name": "openshift-serverless-1/kn-ekb-receiver-rhel9", "product_name": "OpenShift Serverless"}, {"cpe": "cpe:/a:redhat:serverless:1", "fix_state": "Affected", "package_name": "openshift-serverless-1/kn-eventing-integrations-aws-ddb-streams-source-rhel9", "product_name": "OpenShift Serverless"}, {"cpe": "cpe:/a:redhat:serverless:1", "fix_state": "Affected", "package_name": "openshift-serverless-1/kn-eventing-integrations-aws-s3-sink-rhel9", "product_name": "OpenShift Serverless"}, {"cpe": "cpe:/a:redhat:serverless:1", "fix_state": "Affected", "package_name": "openshift-serverless-1/kn-eventing-integrations-aws-s3-source-rhel9", "product_name": "OpenShift Serverless"}, {"cpe": "cpe:/a:redhat:serverless:1", "fix_state": "Affected", "package_name": "openshift-serverless-1/kn-eventing-integrations-aws-sns-sink-rhel9", "product_name": "OpenShift Serverless"}, {"cpe": "cpe:/a:redhat:serverless:1", "fix_state": "Affected", "package_name": "openshift-serverless-1/kn-eventing-integrations-aws-sqs-sink-rhel9", "product_name": "OpenShift Serverless"}, {"cpe": "cpe:/a:redhat:serverless:1", "fix_state": "Affected", "package_name": "openshift-serverless-1/kn-eventing-integrations-aws-sqs-source-rhel9", "product_name": "OpenShift Serverless"}, {"cpe": "cpe:/a:redhat:serverless:1", "fix_state": "Affected", "package_name": "openshift-serverless-1/kn-eventing-integrations-log-sink-rhel9", "product_name": "OpenShift Serverless"}, {"cpe": "cpe:/a:redhat:serverless:1", "fix_state": "Affected", "package_name": "openshift-serverless-1/kn-eventing-integrations-timer-source-rhel9", "product_name": "OpenShift Serverless"}, {"cpe": "cpe:/a:redhat:amq_broker:7", "fix_state": "Affected", "package_name": "netty-handler", "product_name": "Red Hat AMQ Broker 7"}, {"cpe": "cpe:/a:redhat:amq_clients:2023", "fix_state": "Affected", "package_name": "netty-handler", "product_name": "Red Hat AMQ Clients"}, {"cpe": "cpe:/a:redhat:camel_quarkus:3", "fix_state": "Affected", "package_name": "netty-handler", "product_name": "Red Hat build of Apache Camel 4 for Quarkus 3"}, {"cpe": "cpe:/a:redhat:camel_spring_boot:4", "fix_state": "Affected", "package_name": "netty-handler", "product_name": "Red Hat build of Apache Camel for Spring Boot 4"}, {"cpe": "cpe:/a:redhat:apache_camel_hawtio:4", "fix_state": "Affected", "package_name": "netty-handler", "product_name": "Red Hat build of Apache Camel - HawtIO 4"}, {"cpe": "cpe:/a:redhat:apicurio_registry:3", "fix_state": "Affected", "package_name": "netty-handler", "product_name": "Red Hat build of Apicurio Registry 3"}, {"cpe": "cpe:/a:redhat:debezium:3", "fix_state": "Will not fix", "package_name": "netty-handler", "product_name": "Red Hat build of Debezium 3"}, {"cpe": "cpe:/a:redhat:build_keycloak:", "fix_state": "Affected", "package_name": "netty-handler", "product_name": "Red Hat Build of Keycloak"}, {"cpe": "cpe:/a:redhat:build_keycloak:", "fix_state": "Affected", "package_name": "rhbk/keycloak-rhel9", "product_name": "Red Hat Build of Keycloak"}, {"cpe": "cpe:/a:redhat:build_keycloak:", "fix_state": "Affected", "package_name": "rhbk/keycloak-rhel9-operator", "product_name": "Red Hat Build of Keycloak"}, {"cpe": "cpe:/a:redhat:build_keycloak:", "fix_state": "Affected", "package_name": "rhbk-openshift-rhel9/rhbk-openshift-rhel9", "product_name": "Red Hat Build of Keycloak"}, {"cpe": "cpe:/a:redhat:build_keycloak:", "fix_state": "Affected", "package_name": "rhbk-rhel9-operator/rhbk-rhel9-operator", "product_name": "Red Hat Build of Keycloak"}, {"cpe": "cpe:/a:redhat:quarkus:3", "fix_state": "Affected", "package_name": "netty-handler", "product_name": "Red Hat build of Quarkus"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:8", "fix_state": "Affected", "package_name": "netty-handler", "product_name": "Red Hat Data Grid 8"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Not affected", "package_name": "bazel6", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Not affected", "package_name": "bazel7", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Not affected", "package_name": "bazel8", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Affected", "package_name": "netty-handler", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Affected", "package_name": "netty-handler", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Affected", "package_name": "netty-handler", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Affected", "package_name": "netty-handler", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:offline_knowledge_portal:1", "fix_state": "Affected", "package_name": "offline-knowledge-portal/rhokp-rhel9", "product_name": "Red Hat Offline Knowledge Portal"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-modelmesh-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-spark-operator-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-th06-cpu-torch210-py312-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-th06-cpu-torch291-py312-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-th06-cuda130-torch210-py312-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-th06-cuda130-torch291-py312-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-th06-rocm64-torch291-py312-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-trustyai-service-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3", "fix_state": "Affected", "package_name": "devspaces/jetbrains-ide-rhel9", "product_name": "Red Hat OpenShift Dev Spaces"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3", "fix_state": "Affected", "package_name": "devspaces/multicluster-redirector-rhel9", "product_name": "Red Hat OpenShift Dev Spaces"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3", "fix_state": "Affected", "package_name": "devspaces/openvsx-rhel9", "product_name": "Red Hat OpenShift Dev Spaces"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3", "fix_state": "Affected", "package_name": "devspaces/pluginregistry-rhel9", "product_name": "Red Hat OpenShift Dev Spaces"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3", "fix_state": "Not affected", "package_name": "devspaces/server-rhel9", "product_name": "Red Hat OpenShift Dev Spaces"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Not affected", "package_name": "candlepin", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Not affected", "package_name": "satellite:el8/candlepin", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:red_hat_single_sign_on:7", "fix_state": "Affected", "package_name": "netty-handler", "product_name": "Red Hat Single Sign-On 7"}, {"cpe": "cpe:/a:redhat:amq_streams:2", "fix_state": "Affected", "package_name": "netty-handler", "product_name": "streams for Apache Kafka 2"}, {"cpe": "cpe:/a:redhat:amq_streams:3", "fix_state": "Affected", "package_name": "netty-handler", "product_name": "streams for Apache Kafka 3"}], "public_date": "2026-06-12T14:50:43Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-50010\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-50010\nhttps://github.com/netty/netty/releases/tag/netty-4.1.135.Final\nhttps://github.com/netty/netty/releases/tag/netty-4.2.15.Final\nhttps://github.com/netty/netty/security/advisories/GHSA-c653-97m9-rcg9"], "statement": "This is an Important flaw in Netty that affects Red Hat products utilizing the `netty-handler` component, including various Red Hat AMQ, Enterprise Application Platform, and OpenShift offerings. The vulnerability arises when a Netty client is configured with a plain X.509 Trust Manager, leading to a bypass of hostname verification. This oversight allows a remote attacker to perform man-in-the-middle attacks by impersonating a legitimate server, potentially compromising sensitive data.", "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[4.2.0.Final,4.2.15.Final)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,4.1.135.Final)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "netty", "source": "cna", "vendor": "netty"}, "product": "netty", "vendor": "netty"}], "created": "2026-06-12T16:30:13.786697+00:00", "updated": "2026-06-12T16:30:14.101142+00:00", "vendors": ["netty", "netty$PRODUCT$netty"]}