Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

nvd логотип

CVE-2021-21409

Опубликовано: 30 мар. 2021
Источник: nvd
CVSS3: 5.9
CVSS2: 4.3
EPSS Низкий

Описание

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with the endStream set to to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a followup of GHSA-wm47-8v5p-wjpj/CVE-2021-21295 which did miss to fix this one case. This was fixed as part of 4.1.61.Final.

Ссылки

Уязвимые конфигурации

Конфигурация 1
cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:*
Версия до 4.1.61 (исключая)
Конфигурация 2
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
Конфигурация 3

Одно из

cpe:2.3:a:netapp:oncommand_api_services:-:*:*:*:*:*:*:*
cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*
Конфигурация 4

Одно из

cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.2.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.5.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.2.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.5.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_trade_finance_process_management:14.2.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_trade_finance_process_management:14.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_trade_finance_process_management:14.5.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:coherence:12.2.1.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:coherence:14.1.1.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_brm_-_elastic_charging_engine:12.0.0.3:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_cloud_native_core_console:1.7.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.14.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_design_studio:7.4.2.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_messaging_server:8.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:helidon:1.4.10:*:*:*:*:*:*:*
cpe:2.3:a:oracle:helidon:2.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:*:*:*:*:*:*:*:*
Версия до 9.2.6.3 (исключая)
cpe:2.3:a:oracle:nosql_database:*:*:*:*:*:*:*:*
Версия до 21.1.12 (исключая)
cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*
Версия от 17.12.0 (включая) до 17.12.11 (включая)
cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*
Версия от 18.8.0 (включая) до 18.8.11 (включая)
cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*
Версия от 19.12.0 (включая) до 19.12.10 (включая)
Конфигурация 5
cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*
Версия до 1.13.7 (включая)

EPSS

Процентиль: 89%
0.05113
Низкий

5.9 Medium

CVSS3

4.3 Medium

CVSS2

Дефекты

CWE-444
CWE-444

Связанные уязвимости

ubuntu логотип

CVE-2021-21409

CVSS3: 5.9
ubuntu
около 4 лет назад

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with the endStream set to to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a followup of GHSA-wm47-8v5p-wjpj/CVE-2021-21295 which did miss to fix this one case. This was fixed as part of 4.1.61.Final.

redhat логотип

CVE-2021-21409

CVSS3: 5.9
redhat
около 4 лет назад

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with the endStream set to to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a followup of GHSA-wm47-8v5p-wjpj/CVE-2021-21295 which did miss to fix this one case. This was fixed as part of 4.1.61.Final.

debian логотип

CVE-2021-21409

CVSS3: 5.9
debian
около 4 лет назад

Netty is an open-source, asynchronous event-driven network application ...

suse-cvrf логотип

SUSE-SU-2022:1315-1

suse-cvrf
около 3 лет назад

Security update for netty

github логотип

GHSA-f256-j965-7f32

CVSS3: 5.9
github
около 4 лет назад

Possible request smuggling in HTTP/2 due missing validation of content-length

EPSS

Процентиль: 89%
0.05113
Низкий

5.9 Medium

CVSS3

4.3 Medium

CVSS2

Дефекты

CWE-444
CWE-444