Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with the endStream set to to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a followup of GHSA-wm47-8v5p-wjpj/CVE-2021-21295 which did miss to fix this one case. This was fixed as part of 4.1.61.Final.
References
Configurations
Configuration 1 (hide)
|
Configuration 2 (hide)
|
Configuration 3 (hide)
|
Configuration 4 (hide)
|
Configuration 5 (hide)
|
History
07 Nov 2023, 03:30
Type | Values Removed | Values Added |
---|---|---|
References |
|
|
Information
Published : 2021-03-30 15:15
Updated : 2024-02-28 18:28
NVD link : CVE-2021-21409
Mitre link : CVE-2021-21409
CVE.ORG link : CVE-2021-21409
JSON object : View
Products Affected
netapp
- oncommand_api_services
- oncommand_workflow_automation
debian
- debian_linux
oracle
- communications_messaging_server
- banking_credit_facilities_process_management
- communications_brm_-_elastic_charging_engine
- jd_edwards_enterpriseone_tools
- coherence
- helidon
- primavera_gateway
- communications_design_studio
- nosql_database
- communications_cloud_native_core_console
- communications_cloud_native_core_policy
- banking_trade_finance_process_management
- banking_corporate_lending_process_management
quarkus
- quarkus
netty
- netty
CWE
CWE-444
Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')