Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.


HTTP Request Smuggling in Netty

Netty before 4.1.42.Final mishandles whitespace before the colon in HTTP headers (such as a "Transfer-Encoding : chunked" line), which leads to HTTP request smuggling.

Permalink: https://github.com/advisories/GHSA-p979-4mfw-53vg
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXA5NzktNG1mdy01M3Zn
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 5 years ago
Updated: 6 months ago


CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Identifiers: GHSA-p979-4mfw-53vg, CVE-2019-16869
References: Repository: https://github.com/netty/netty
Blast Radius: 34.0

Affected Packages

maven:io.netty:netty-all
Dependent packages: 2,721
Dependent repositories: 33,811
Downloads:
Affected Version Ranges: >= 4.0.0.Alpha1, < 4.1.42.Final
Fixed in: 4.1.42.Final
All affected versions: 4.1.4-0.Final, 4.1.4-1.Final
All unaffected versions:

maven:org.jboss.netty:netty
Dependent packages: 324
Dependent repositories: 1,820
Downloads:
Affected Version Ranges: < 4.0.0
No known fixed version
All affected versions: