CVE-2019-20444: HTTP Request Smuggling in Netty

Severity
NVD: 9.1 CRITICAL
OSV: 7.5
EPSS
14.9% (top 5.46%)
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Jan 29
Latest update: Oct 27

Description

HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax, or might be interpreted as an "invalid fold."

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Exploitability: 3.9 | Impact: 5.2

Affected Packages (5 packages)

NVD: netty/netty < 4.1.44
Debian: netty/netty < 1:4.1.45-1+3
Ubuntu: netty/netty < 1:4.1.7-4ubuntu0.1

Also affects: Debian Linux 10.0, 8.0, 9.0, Fedora 33, Ubuntu Linux 18.04

Patches

🔴 Vulnerability Details (7)

OSV: netty vulnerabilities (2020-10-27)
OSV: netty-3.9 vulnerabilities (2020-10-22)
OSV: netty-3.9 vulnerabilities (2020-09-22)
GHSA: HTTP Request Smuggling in Netty (2020-02-21)
OSV: HTTP Request Smuggling in Netty (2020-02-21)

📋 Vendor Advisories (5)

Ubuntu: Netty vulnerabilities (2020-10-27)
Ubuntu: Netty vulnerabilities (2020-10-22)
Ubuntu: Netty vulnerabilities (2020-09-22)
Red Hat: netty: HTTP request smuggling (2020-01-29)
Debian: CVE-2019-20444: netty - HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a... (2019)

💬 Community (2)

Bugzilla: CVE-2019-20444 netty: HTTP request smuggling (2020-02-05)
Bugzilla: CVE-2019-20444 netty: HTTP request smuggling [fedora-all] (2020-02-05)