CVE-2021-21295

Source
https://nvd.nist.gov/vuln/detail/CVE-2021-21295
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-21295.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2021-21295
Aliases
Downstream
Related
Published
2021-03-09T19:15:12Z
Modified
2025-11-03T04:11:14.150984Z
Severity
  • 5.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Summary
[none]
Details

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.60.Final there is a vulnerability that enables request smuggling. If a Content-Length header is present in the original HTTP/2 request, the field is not validated by Http2MultiplexHandler as it is propagated up. This is fine as long as the request is not proxied through as HTTP/1.1. If the request comes in as an HTTP/2 stream, gets converted into the HTTP/1.1 domain objects (HttpRequest, HttpContent, etc.) via Http2StreamFrameToHttpObjectCodec, and is then sent up to the child channel's pipeline and proxied through to a remote peer as HTTP/1.1, this may result in request smuggling. In a proxy case, users may assume the Content-Length is validated somehow, which is not the case. If the request is forwarded to a backend channel that is an HTTP/1.1 connection, the Content-Length now has meaning and needs to be checked. An attacker can smuggle requests inside the body as it gets downgraded from HTTP/2 to HTTP/1.1. For an example attack refer to the linked GitHub Advisory. Users are only affected if all of this is true: Http2MultiplexCodec or Http2FrameCodec is used, Http2StreamFrameToHttpObjectCodec is used to convert to HTTP/1.1 objects, and these HTTP/1.1 objects are forwarded to another remote peer. This has been patched in 4.1.60.Final. As a workaround, the user can do the validation themselves by implementing a custom ChannelInboundHandler that is put in the ChannelPipeline behind Http2StreamFrameToHttpObjectCodec.
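The workaround described above, as an added example that is neither Netty's own code nor part of the advisory: a hypothetical ContentLengthValidationHandler that sits in the child channel's pipeline directly behind Http2StreamFrameToHttpObjectCodec and refuses to forward a request whose received body length does not match its declared Content-Length. It assumes the Netty 4.1 HTTP codec API (HttpUtil, HttpRequest, HttpContent, LastHttpContent, DefaultFullHttpResponse) and that the application forwards the HTTP/1.1 objects to an HTTP/1.1 backend further down the pipeline; the class name and the choice to answer with 400 and close the stream are this example's own.

```java
import io.netty.buffer.Unpooled;
import io.netty.channel.ChannelFutureListener;
import io.netty.channel.ChannelHandlerContext;
import io.netty.channel.ChannelInboundHandlerAdapter;
import io.netty.handler.codec.http.DefaultFullHttpResponse;
import io.netty.handler.codec.http.HttpContent;
import io.netty.handler.codec.http.HttpHeaderNames;
import io.netty.handler.codec.http.HttpRequest;
import io.netty.handler.codec.http.HttpResponseStatus;
import io.netty.handler.codec.http.HttpUtil;
import io.netty.handler.codec.http.HttpVersion;
import io.netty.handler.codec.http.LastHttpContent;
import io.netty.util.ReferenceCountUtil;

/**
 * Hypothetical workaround handler (example code, not Netty's own).
 *
 * Install it per child (stream) channel, right after the codec that produces
 * the HTTP/1.1 objects, e.g.:
 *   pipeline.addLast(new Http2StreamFrameToHttpObjectCodec(true));
 *   pipeline.addLast(new ContentLengthValidationHandler());
 *
 * The handler keeps per-request state, so it must not be shared between channels.
 */
public class ContentLengthValidationHandler extends ChannelInboundHandlerAdapter {

    private static final long NO_DECLARED_LENGTH = -1L;

    private long declaredLength = NO_DECLARED_LENGTH; // value of Content-Length, if present
    private long receivedLength;                       // body bytes seen for the current request
    private boolean rejected;                          // once rejected, drop the rest of the body

    @Override
    public void channelRead(ChannelHandlerContext ctx, Object msg) throws Exception {
        if (msg instanceof HttpRequest) {
            HttpRequest req = (HttpRequest) msg;
            receivedLength = 0;
            rejected = false;
            declaredLength = NO_DECLARED_LENGTH;
            if (HttpUtil.isContentLengthSet(req)) {
                // Content-Length together with a chunked Transfer-Encoding is
                // ambiguous for an HTTP/1.1 backend; do not forward it.
                if (HttpUtil.isTransferEncodingChunked(req)) {
                    reject(ctx, msg);
                    return;
                }
                try {
                    declaredLength = HttpUtil.getContentLength(req, NO_DECLARED_LENGTH);
                } catch (IllegalArgumentException malformed) {
                    // Unparseable or conflicting Content-Length values.
                    reject(ctx, msg);
                    return;
                }
                if (declaredLength < 0) {
                    reject(ctx, msg);
                    return;
                }
            }
        }

        if (rejected) {
            // Remaining body parts of an already rejected request are discarded.
            ReferenceCountUtil.release(msg);
            return;
        }

        if (msg instanceof HttpContent) {
            receivedLength += ((HttpContent) msg).content().readableBytes();
            if (declaredLength != NO_DECLARED_LENGTH) {
                boolean tooMuch = receivedLength > declaredLength;
                boolean endedShort = msg instanceof LastHttpContent && receivedLength != declaredLength;
                if (tooMuch || endedShort) {
                    reject(ctx, msg);
                    return;
                }
            }
        }

        // Declared and received lengths agree so far: pass the object on.
        ctx.fireChannelRead(msg);
    }

    private void reject(ChannelHandlerContext ctx, Object msg) {
        rejected = true;
        ReferenceCountUtil.release(msg);
        DefaultFullHttpResponse response = new DefaultFullHttpResponse(
                HttpVersion.HTTP_1_1, HttpResponseStatus.BAD_REQUEST, Unpooled.EMPTY_BUFFER);
        response.headers().set(HttpHeaderNames.CONTENT_LENGTH, 0);
        // Closing the stream channel after the response lets a downstream proxy
        // handler apply its usual close handling to any backend connection it
        // has already opened for this request.
        ctx.writeAndFlush(response).addListener(ChannelFutureListener.CLOSE);
    }
}
```

A FullHttpRequest is both an HttpRequest and a LastHttpContent, so it passes through the header branch and the body check in one call. A surplus of body bytes can only be noticed once those bytes arrive, by which time the request head may already have been forwarded; closing the stream is what makes that case safe for the proxy, so a deployment should confirm that its forwarding handler tears down the backend connection on channelInactive.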

References

Affected packages

Git / github.com/apache/kudu

Affected ranges

Type
GIT
Repo
https://github.com/apache/kudu
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Git / github.com/netty/netty

Affected ranges

Type
GIT
Repo
https://github.com/netty/netty
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

netty-4.*

netty-4.0.0.Alpha1
netty-4.0.0.Alpha2
netty-4.0.0.Alpha3
netty-4.0.0.Alpha4
netty-4.0.0.Alpha5
netty-4.0.0.Alpha6
netty-4.0.0.Alpha7
netty-4.0.0.Alpha8
netty-4.0.0.Beta1
netty-4.0.0.Beta2
netty-4.0.0.Beta3
netty-4.0.0.CR1
netty-4.0.0.CR2
netty-4.0.0.CR3
netty-4.0.0.CR4
netty-4.0.0.CR5
netty-4.0.0.CR7
netty-4.0.0.CR8
netty-4.0.0.CR9
netty-4.0.0.Final
netty-4.0.1.Final
netty-4.0.10.Final
netty-4.0.11.Final
netty-4.0.12.Final
netty-4.0.13.Final
netty-4.0.14.Beta1
netty-4.0.14.Final
netty-4.0.15.Final
netty-4.0.2.Final
netty-4.0.3.Final
netty-4.0.4.Final
netty-4.0.5.Final
netty-4.0.6.Final
netty-4.0.7.Final
netty-4.0.8.Final
netty-4.1.0.Beta1
netty-4.1.0.Beta2
netty-4.1.0.Beta3
netty-4.1.0.Beta4
netty-4.1.0.Beta5
netty-4.1.0.Beta6
netty-4.1.0.Beta7
netty-4.1.0.Beta8
netty-4.1.0.CR1
netty-4.1.0.CR2
netty-4.1.0.CR3
netty-4.1.0.CR4
netty-4.1.0.CR5
netty-4.1.0.CR6
netty-4.1.0.CR7
netty-4.1.0.Final
netty-4.1.1.Final
netty-4.1.10.Final
netty-4.1.11.Final
netty-4.1.12.Final
netty-4.1.13.Final
netty-4.1.14.Final
netty-4.1.15.Final
netty-4.1.16.Final
netty-4.1.17.Final
netty-4.1.18.Final
netty-4.1.19.Final
netty-4.1.2.Final
netty-4.1.20.Final
netty-4.1.21.Final
netty-4.1.22.Final
netty-4.1.23.Final
netty-4.1.24.Final
netty-4.1.25.Final
netty-4.1.26.Final
netty-4.1.27.Final
netty-4.1.28.Final
netty-4.1.29.Final
netty-4.1.3.Final
netty-4.1.30.Final
netty-4.1.31.Final
netty-4.1.32.Final
netty-4.1.33.Final
netty-4.1.34.Final
netty-4.1.35.Final
netty-4.1.36.Final
netty-4.1.37.Final
netty-4.1.38.Final
netty-4.1.39.Final
netty-4.1.4.Final
netty-4.1.40.Final
netty-4.1.41.Final
netty-4.1.42.Final
netty-4.1.43.Final
netty-4.1.44.Final
netty-4.1.45.Final
netty-4.1.46.Final
netty-4.1.47.Final
netty-4.1.48.Final
netty-4.1.49.Final
netty-4.1.5.Final
netty-4.1.50.Final
netty-4.1.51.Final
netty-4.1.52.Final
netty-4.1.53.Final
netty-4.1.54.Final
netty-4.1.55.Final
netty-4.1.56.Final
netty-4.1.57.Final
netty-4.1.58.Final
netty-4.1.59.Final
netty-4.1.6.Final
netty-4.1.7.Final
netty-4.1.8.Final
netty-4.1.9.Final

Database specific

vanir_signatures

[
    {
        "digest": {
            "function_hash": "163131827113553283573844942889829219890",
            "length": 3367.0
        },
        "deprecated": false,
        "signature_type": "Function",
        "source": "https://github.com/netty/netty/commit/89c241e3b1795ff257af4ad6eadc616cb2fb3dc4",
        "id": "CVE-2021-21295-076b3ec5",
        "signature_version": "v1",
        "target": {
            "function": "setup",
            "file": "codec-http2/src/test/java/io/netty/handler/codec/http2/DefaultHttp2ConnectionDecoderTest.java"
        }
    },
    {
        "digest": {
            "function_hash": "13121290283312984908769800193190709635",
            "length": 1776.0
        },
        "deprecated": false,
        "signature_type": "Function",
        "source": "https://github.com/netty/netty/commit/89c241e3b1795ff257af4ad6eadc616cb2fb3dc4",
        "id": "CVE-2021-21295-216e269d",
        "signature_version": "v1",
        "target": {
            "function": "onDataRead",
            "file": "codec-http2/src/main/java/io/netty/handler/codec/http2/DefaultHttp2ConnectionDecoder.java"
        }
    },
    {
        "digest": {
            "function_hash": "128044597731365074561874345448063835682",
            "length": 1745.0
        },
        "deprecated": false,
        "signature_type": "Function",
        "source": "https://github.com/netty/netty/commit/89c241e3b1795ff257af4ad6eadc616cb2fb3dc4",
        "id": "CVE-2021-21295-4eedce72",
        "signature_version": "v1",
        "target": {
            "function": "onHeadersRead",
            "file": "codec-http2/src/main/java/io/netty/handler/codec/http2/DefaultHttp2ConnectionDecoder.java"
        }
    },
    {
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "56801147450464915608998571466296945863",
                "305787734193413226865597980471825739760",
                "176320523147012450593030853993821327774",
                "328234067401346632819186893881124413590",
                "178909883660891606341138859683996519690",
                "117473473298518506572612753114190829377",
                "306524088069364581824744845396008845471",
                "117657372999695485907251383292519926534",
                "90095140119087404172067345192533290154",
                "304205579781524715678478014827083073728",
                "175791843801440861430177089523629387278",
                "88545892492473711316712938769548881976",
                "71410437774918518317867979898141400014",
                "10479739303966359378562229528357192268",
                "227908318583809173522812830450313273528",
                "320253033835078425890951820027553641654",
                "167637645316055634972802575172582973514",
                "201699643622103271051135051452302913307",
                "335659523283194323915172657828209262801",
                "217680393614924871033195702334336205272",
                "61315750306711228537583588486184248967",
                "133900362357527303460237906110176880081",
                "211645333342385333571813385344744813794",
                "46219337575958502899013754661525049534",
                "124269086603415208659607819358758503214",
                "330004896875272548683785211390276273849",
                "223894373512718001275955688513063374981",
                "104709013446280129249792480036482959307",
                "63277730938516402947096361918302154010",
                "326818812999830356969684829816190328475",
                "235303252092448803718369134685771971368",
                "102113664438365445319651651762671979029",
                "238884840896936821260275221957201547135",
                "50929174104698332345549418113424668182",
                "297831061452507531023591738340990418765",
                "305581139940413303909949211743152590001",
                "272289468428134422709572328812929650679",
                "18240670485617348217017990696544482939",
                "5161616558033022922717277269623311214",
                "19962446268599148731404030178213257047"
            ]
        },
        "deprecated": false,
        "signature_type": "Line",
        "source": "https://github.com/netty/netty/commit/89c241e3b1795ff257af4ad6eadc616cb2fb3dc4",
        "id": "CVE-2021-21295-a76263b7",
        "signature_version": "v1",
        "target": {
            "file": "codec-http2/src/main/java/io/netty/handler/codec/http2/DefaultHttp2ConnectionDecoder.java"
        }
    },
    {
        "digest": {
            "function_hash": "136039075965439866115078610044858331213",
            "length": 2005.0
        },
        "deprecated": false,
        "signature_type": "Function",
        "source": "https://github.com/netty/netty/commit/89c241e3b1795ff257af4ad6eadc616cb2fb3dc4",
        "id": "CVE-2021-21295-a9c4ad9d",
        "signature_version": "v1",
        "target": {
            "function": "readHeaders",
            "file": "codec-http/src/main/java/io/netty/handler/codec/http/HttpObjectDecoder.java"
        }
    },
    {
        "digest": {
            "function_hash": "9084650937557526153332955569107186263",
            "length": 762.0
        },
        "deprecated": false,
        "signature_type": "Function",
        "source": "https://github.com/netty/netty/commit/89c241e3b1795ff257af4ad6eadc616cb2fb3dc4",
        "id": "CVE-2021-21295-aba17309",
        "signature_version": "v1",
        "target": {
            "function": "DefaultHttp2ConnectionDecoder",
            "file": "codec-http2/src/main/java/io/netty/handler/codec/http2/DefaultHttp2ConnectionDecoder.java"
        }
    },
    {
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "126344892869594928014044763305123625331",
                "87074137958240970938389127507030116076",
                "190907003409725621268836162597533271784",
                "16349625658632855229629297345956181671",
                "263391697929191456185666087747494324715",
                "336916350501142639771636661717585389262",
                "302205978192499199118830293330389027250",
                "123925897227127822382557495418897418418",
                "69894908558659461431779000122533191348",
                "3853748565542205885409537983304468450",
                "39395700946577790170576037310444002434",
                "306197664328722483981957097939818245176",
                "293149647761448423733898173348094430012",
                "26260724055893472957663343342004780214",
                "148560416443248551818340986676877237494",
                "68285722545211170465444984656998271118",
                "166465438176436264342148049123294004266",
                "316545207810442875339905924506419806583",
                "62964032188391783466358178842237132936",
                "281598869966825558931979861765142415609",
                "325023474999970616961394501424910823943"
            ]
        },
        "deprecated": false,
        "signature_type": "Line",
        "source": "https://github.com/netty/netty/commit/89c241e3b1795ff257af4ad6eadc616cb2fb3dc4",
        "id": "CVE-2021-21295-dca6c806",
        "signature_version": "v1",
        "target": {
            "file": "codec-http2/src/test/java/io/netty/handler/codec/http2/DefaultHttp2ConnectionDecoderTest.java"
        }
    },
    {
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "164397687793919126235382670453790406125",
                "145113729578345138538789037881964768050",
                "245439652996296190444180521130132207242",
                "213414524208182422546049020380734385626",
                "254962056978756764886241622967337234349",
                "310352253922811771755203309566863156039",
                "317942778590860116440094703626850807135",
                "14291648473826393899311187209913117543",
                "64031734714818190934801921273335133522",
                "291122773435198562375316743309903221812",
                "251844405650014314219319891077685940750",
                "170408057795286915143819984119014287317",
                "142864601630603117362517797545603901407",
                "275853528944319188776588937526294529797",
                "214785981059220793922361684158690628085",
                "151900491808285659094273936863652390687",
                "65528626281378921832933716922633210756",
                "264779714317578818787512444478284950345",
                "214482292268366476038742898540697200546",
                "184265540816685878914732024960009028313",
                "104050348910002138347870741001997459839",
                "214159995791178535385466432015784882617",
                "67629897710851728596128133578550349496",
                "70518487440308753413412217038549562636",
                "205518209126584430943038427760694954857",
                "1701292401270369422684318588660195476",
                "61446602767138634013576343845334059744",
                "330401013916243809353447802369666586028",
                "70752595030837459442815352221321875452",
                "12416604800241386987751795228893204740",
                "42871084117433635731663370747703421593",
                "146667816185960961753749311893918699035"
            ]
        },
        "deprecated": false,
        "signature_type": "Line",
        "source": "https://github.com/netty/netty/commit/89c241e3b1795ff257af4ad6eadc616cb2fb3dc4",
        "id": "CVE-2021-21295-e06a9d85",
        "signature_version": "v1",
        "target": {
            "file": "codec-http/src/main/java/io/netty/handler/codec/http/HttpObjectDecoder.java"
        }
    },
    {
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "260905483037379100448616532127950713170",
                "155881490674833820368238073283249505901",
                "245912528762103197135989277749650384584",
                "249085615949756701494769549826034618887",
                "203156711581673838062272706559020996798",
                "130117003699404404611541727559836666176",
                "14919518235588270136619744552154121517",
                "312811872835529731788902708862002934525",
                "292991496705391134366628779717611022012",
                "312649191103442262961422826374096300794",
                "237207830113709018856736220745747906307",
                "279379860327261942888738829983651561825"
            ]
        },
        "deprecated": false,
        "signature_type": "Line",
        "source": "https://github.com/netty/netty/commit/89c241e3b1795ff257af4ad6eadc616cb2fb3dc4",
        "id": "CVE-2021-21295-f8c8dec9",
        "signature_version": "v1",
        "target": {
            "file": "codec-http/src/main/java/io/netty/handler/codec/http/HttpUtil.java"
        }
    }
]