Описание
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with the endStream set to to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a followup of GHSA-wm47-8v5p-wjpj/CVE-2021-21295 which did miss to fix this one case. This was fixed as part of 4.1.61.Final.
| Релиз | Статус | Примечание |
|---|---|---|
| bionic | ignored | end of standard support, was needs-triage |
| devel | released | 4.1.48-4 |
| esm-apps/bionic | released | 1:4.1.7-4ubuntu0.1+esm2 |
| esm-apps/focal | released | 1:4.1.45-1ubuntu0.1~esm1 |
| esm-apps/jammy | released | 1:4.1.48-4+deb11u1build0.22.04.1 |
| esm-apps/noble | released | 4.1.48-4 |
| esm-apps/xenial | released | 1:4.0.34-1ubuntu0.1~esm1 |
| esm-infra-legacy/trusty | needs-triage | |
| focal | ignored | end of standard support, was needed |
| groovy | ignored | end of life |
Показывать по
Ссылки на источники
EPSS
4.3 Medium
CVSS2
5.9 Medium
CVSS3
Связанные уязвимости
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with the endStream set to to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a followup of GHSA-wm47-8v5p-wjpj/CVE-2021-21295 which did miss to fix this one case. This was fixed as part of 4.1.61.Final.
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with the endStream set to to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a followup of GHSA-wm47-8v5p-wjpj/CVE-2021-21295 which did miss to fix this one case. This was fixed as part of 4.1.61.Final.
Netty is an open-source, asynchronous event-driven network application ...
Possible request smuggling in HTTP/2 due missing validation of content-length
EPSS
4.3 Medium
CVSS2
5.9 Medium
CVSS3