CVE-2021-21295

CWE-444HTTP Request Smuggling11 documents8 sources
Severity
5.9MEDIUM
EPSS
0.4%
top 39.90%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
7
Netty Io.netty:netty-codec-http2Netty NettyApache Kudu+4 more
Timeline
PublishedMar 9
Latest updateApr 28

Description

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.60.Final there is a vulnerability that enables request smuggling. If a Content-Length header is present in the original HTTP/2 request, the field is not validated by `Http2MultiplexHandler` as it is propagated up. This is fine as long as the request is not proxied through as HTT

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 2.2 | Impact: 3.6

Affected Packages9 packages

Mavenio.netty:netty-codec-http24.0.04.1.60.Final
CVEListV5netty/io.netty:netty-codec-http2< 4.1.60.Final
CVEListV5netty/netty< 4.1.61.Final
NVDnetty/netty< 4.1.60
Debiannetty< 1:4.1.48-3+3

Also affects: Debian Linux 10.0

Patches

Patch: github.comPatch: github.comPatch: www.oracle.com

🔴Vulnerability Details

5
OSV
netty vulnerabilities2023-04-28
GHSA
Possible request smuggling in HTTP/2 due missing validation2021-03-09
OSV
CVE-2021-21295: Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol serve2021-03-09
CVEList
Possible request smuggling in HTTP/2 due missing validation2021-03-09
OSV
Possible request smuggling in HTTP/2 due missing validation2021-03-09

📋Vendor Advisories

5
Ubuntu
Netty vulnerabilities2023-04-28
Oracle
Oracle Oracle Communications Applications Risk Matrix: REST Service Manager (Netty) — CVE-2021-212952022-10-15
Red Hat
netty: Request smuggling via content-length header2021-03-30
Red Hat
netty: possible request smuggling in HTTP/2 due missing validation2021-03-09
Debian
CVE-2021-21295: netty - Netty is an open-source, asynchronous event-driven network application framework...2021
CVE-2021-21295 (MEDIUM CVSS 5.9) | Netty is an open-source | cvebase.io