CVE-2020-7238

Netty 4.1.43.Final allows HTTP Request Smuggling because it mishandles Transfer-Encoding whitespace (such as a [space]Transfer-Encoding:chunked line) and a later Content-Length header. This issue exists because of an incomplete fix for CVE-2019-16869.
References
Link Resource
https://access.redhat.com/errata/RHSA-2020:0497 Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0567 Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0601 Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0605 Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0606 Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0804 Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0805 Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0806 Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0811 Third Party Advisory
https://github.com/jdordonezn/CVE-2020-72381/issues/1 Exploit Third Party Advisory
https://lists.apache.org/thread.html/r131e572d003914843552fa45c4398b9903fb74144986e8b107c0a3a7%40%3Ccommits.cassandra.apache.org%3E
https://lists.apache.org/thread.html/rc8d554aad889d12b140d9fd7d2d6fc2e8716e9792f6f4e4b2cdc2d05%40%3Ccommits.cassandra.apache.org%3E
https://lists.debian.org/debian-lts-announce/2020/02/msg00017.html Mailing List Third Party Advisory
https://lists.debian.org/debian-lts-announce/2020/02/msg00018.html Mailing List Third Party Advisory
https://lists.debian.org/debian-lts-announce/2020/09/msg00003.html Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TS6VX7OMXPDJIU5LRGUAHRK6MENAVJ46/
https://netty.io/news/ Vendor Advisory
https://www.debian.org/security/2021/dsa-4885 Third Party Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:netty:netty:4.1.43:*:*:*:*:*:*:*

Configuration 2 (hide)

cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*

Configuration 3 (hide)

OR cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

Configuration 4 (hide)

OR cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.2:*:*:*:*:*:*:*
cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.3:*:*:*:*:*:*:*
cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.4:*:*:*:*:*:*:*
cpe:2.3:a:redhat:jboss_enterprise_application_platform_text-only_advisories:-:*:*:*:*:*:*:*
cpe:2.3:a:redhat:openshift_application_runtimes_text-only_advisories:-:*:*:*:*:*:*:*

History

07 Nov 2023, 03:25

Type Values Removed Values Added
References
  • {'url': 'https://lists.apache.org/thread.html/r131e572d003914843552fa45c4398b9903fb74144986e8b107c0a3a7@%3Ccommits.cassandra.apache.org%3E', 'name': '[cassandra-commits] 20210526 [jira] [Updated] (CASSANDRA-16699) Security vulnerability CVE-2020-7238 for Netty', 'tags': ['Mailing List', 'Vendor Advisory'], 'refsource': 'MLIST'}
  • {'url': 'https://lists.apache.org/thread.html/rc8d554aad889d12b140d9fd7d2d6fc2e8716e9792f6f4e4b2cdc2d05@%3Ccommits.cassandra.apache.org%3E', 'name': '[cassandra-commits] 20210526 [jira] [Created] (CASSANDRA-16699) Security vulnerability CVE-2020-7238 for Netty', 'tags': ['Mailing List', 'Vendor Advisory'], 'refsource': 'MLIST'}
  • {'url': 'https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TS6VX7OMXPDJIU5LRGUAHRK6MENAVJ46/', 'name': 'FEDORA-2020-66b5f85ccc', 'tags': ['Mailing List', 'Third Party Advisory'], 'refsource': 'FEDORA'}
  • () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TS6VX7OMXPDJIU5LRGUAHRK6MENAVJ46/ -
  • () https://lists.apache.org/thread.html/r131e572d003914843552fa45c4398b9903fb74144986e8b107c0a3a7%40%3Ccommits.cassandra.apache.org%3E -
  • () https://lists.apache.org/thread.html/rc8d554aad889d12b140d9fd7d2d6fc2e8716e9792f6f4e4b2cdc2d05%40%3Ccommits.cassandra.apache.org%3E -

Information

Published : 2020-01-27 17:15

Updated : 2024-02-28 17:28


NVD link : CVE-2020-7238

Mitre link : CVE-2020-7238

CVE.ORG link : CVE-2020-7238


JSON object : View

Products Affected

netty

  • netty

redhat

  • jboss_enterprise_application_platform_text-only_advisories
  • openshift_application_runtimes_text-only_advisories
  • jboss_enterprise_application_platform

debian

  • debian_linux

fedoraproject

  • fedora
CWE
CWE-444

Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')