CVE-2021-43797: HTTP Request Smuggling in Netty

Severity: 6.5 MEDIUM (NVD)
EPSS: 0.4% (top 40.41%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Dec 9; latest update Apr 28

Description

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients. Netty prior to version 4.1.71.Final skips control characters when they are present at the beginning or end of a header name. It should instead fail fast, because these characters are not allowed by the spec and accepting them could lead to HTTP request smuggling. Failing to do the validation might cause Netty to "sanitize" header names before it forwards them to another remote system.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Exploitability: 2.8 | Impact: 3.6

Affected Packages (17 packages)

Also affects: Debian Linux 10.0, 11.0


Vulnerability Details (4)

OSV: CVE-2021-43797: Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients (2021-12-09)
CVEList: HTTP fails to validate against control chars in header names which may lead to HTTP request smuggling (2021-12-09)
GHSA: HTTP request smuggling in netty (2021-12-09)
OSV: HTTP request smuggling in netty (2021-12-09)

Vendor Advisories (6)

Ubuntu: Netty vulnerabilities (2023-04-28)
Oracle: Oracle Communications Applications Risk Matrix: Security (Netty), CVE-2021-43797 (2023-01-15)
Oracle: Oracle Communications Applications Risk Matrix: PSR Designer (Netty), CVE-2021-43797 (2022-07-15)
Oracle: Oracle Communications Applications Risk Matrix: ISC (Netty), CVE-2021-43797 (2022-04-15)
Red Hat: netty: control chars in header names may lead to HTTP request smuggling (2021-12-09)