Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS13eDVqLTU0bW0tcnFxcc0ahg
HTTP request smuggling in netty
Impact
Netty currently just skips control chars when these are present at the beginning / end of the header name. We should better fail fast as these are not allowed by the spec and could lead to HTTP request smuggling.
Failing to do the validation might cause netty to "sanitize" header names before it forward these to another remote system when used as proxy. This remote system can't see the invalid usage anymore and so not do the validation itself.
Permalink: https://github.com/advisories/GHSA-wx5j-54mm-rqqqJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS13eDVqLTU0bW0tcnFxcc0ahg
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 2 years ago
Updated: 9 months ago
CVSS Score: 6.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Identifiers: GHSA-wx5j-54mm-rqqq, CVE-2021-43797
References:
- https://github.com/netty/netty/security/advisories/GHSA-wx5j-54mm-rqqq
- https://github.com/netty/netty/commit/07aa6b5938a8b6ed7a6586e066400e2643897323
- https://nvd.nist.gov/vuln/detail/CVE-2021-43797
- https://github.com/netty/netty/pull/11891
- https://security.netapp.com/advisory/ntap-20220107-0003/
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://lists.debian.org/debian-lts-announce/2023/01/msg00008.html
- https://www.debian.org/security/2023/dsa-5316
- https://github.com/advisories/GHSA-wx5j-54mm-rqqq
Blast Radius: 27.1
Affected Packages
maven:io.netty:netty
Dependent packages: 1,133Dependent repositories: 14,650
Downloads:
Affected Version Ranges: < 4.0.0
No known fixed version
All affected versions:
maven:org.jboss.netty:netty
Dependent packages: 324Dependent repositories: 1,820
Downloads:
Affected Version Ranges: < 4.0.0
No known fixed version
All affected versions:
maven:io.netty:netty-codec-http
Dependent packages: 1,324Dependent repositories: 6,505
Downloads:
Affected Version Ranges: >= 4.0.0, < 4.1.71.Final
Fixed in: 4.1.71.Final
All affected versions: 4.1.7-0.Final
All unaffected versions: