CVE-2021-21409
Published: 30 March 2021
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with the endStream set to to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a followup of GHSA-wm47-8v5p-wjpj/CVE-2021-21295 which did miss to fix this one case. This was fixed as part of 4.1.61.Final.
Priority
Medium
CVSS 3 base score: 5.9
Status
| Package | Release | Status |
|---|---|---|
|
netty Launchpad, Ubuntu, Debian |
bionic |
Needs triage
|
| focal |
Needs triage
|
|
| groovy |
Ignored
(reached end-of-life)
|
|
| hirsute |
Ignored
(reached end-of-life)
|
|
| impish |
Ignored
(reached end-of-life)
|
|
| jammy |
Needs triage
|
|
| precise |
Does not exist
|
|
| trusty |
Needs triage
|
|
| upstream |
Needs triage
|
|
| xenial |
Ignored
(end of standard support, was needs-triage)
|
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21409
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21295
- https://github.com/netty/netty/commit/b0fa4d5aab4215f3c22ce6123dd8dd5f38dc0432
- https://github.com/netty/netty/security/advisories/GHSA-f256-j965-7f32
- https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj
- NVD
- Launchpad
- Debian