cbcvebase.
CVE-2019-20445
published 2020-01-29

Priority: P355, critical, 9.1 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS: 13.47% (96.0th percentile)
HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding header.

Affected

17 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | spark | | |
| apache | spark | | |
| canonical | ubuntu_linux | | |
| debian | debian_linux | | |
| debian | debian_linux | | |
| debian | debian_linux | | |
| debian | netty | < netty 1:4.1.45-1 (bookworm) | netty 1:4.1.45-1 (bookworm) |
| fedoraproject | fedora | | |
| netty | netty | < 4.1.44 | 4.1.44 |
| netty | netty | >= 0 < 1:4.1.45-1 | 1:4.1.45-1 |
| netty | netty | >= 0 < 1:4.1.45-1 | 1:4.1.45-1 |
| netty | netty | >= 0 < 1:4.1.45-1 | 1:4.1.45-1 |
| netty | netty | >= 0 < 1:4.1.45-1 | 1:4.1.45-1 |
| netty | netty | >= 0 < 1:4.1.7-4ubuntu0.1 | 1:4.1.7-4ubuntu0.1 |
| redhat | jboss_amq_clients | | |
| redhat | jboss_enterprise_application_platform | | |
| redhat | jboss_enterprise_application_platform | | |

CVSS provenance

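| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
| nvd | v2.0 | 6.4 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:P/A:N |
| osv | | 9.1 | CRITICAL | |
| vendor_debian | | 9.1 | CRITICAL | |
| vendor_redhat | | 7.5 | HIGH | |
| vendor_ubuntu | | 7.5 | HIGH | |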