CVE-2020-7238

Netty 4.1.43.Final allows HTTP Request Smuggling because it mishandles Transfer-Encoding whitespace (such as a [space]Transfer-Encoding:chunked line) and a later Content-Length header. This issue exists because of an incomplete fix for CVE-2019-16869.

References

Affected packages

Git / github.com/netty/netty

Affected ranges

Type

GIT

Repo

https://github.com/netty/netty

Events

Introduced

Last affected

d066f163d7476a4a332f95d4dc62af751378f536

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "4.1.43"
        }
    ]
}

Affected versions

netty-4.*

netty-4.0.0.Alpha1

netty-4.0.0.Alpha2

netty-4.0.0.Alpha3

netty-4.0.0.Alpha4

netty-4.0.0.Alpha5

netty-4.0.0.Alpha6

netty-4.0.0.Alpha7

netty-4.0.0.Alpha8

netty-4.0.0.Beta1

netty-4.0.0.Beta2

netty-4.0.0.Beta3

netty-4.0.0.CR1

netty-4.0.0.CR2

netty-4.0.0.CR3

netty-4.0.0.CR4

netty-4.0.0.CR5

netty-4.0.0.CR7

netty-4.0.0.CR8

netty-4.0.0.CR9

netty-4.0.0.Final

netty-4.0.1.Final

netty-4.0.10.Final

netty-4.0.11.Final

netty-4.0.12.Final

netty-4.0.13.Final

netty-4.0.14.Beta1

netty-4.0.14.Final

netty-4.0.15.Final

netty-4.0.2.Final

netty-4.0.3.Final

netty-4.0.4.Final

netty-4.0.5.Final

netty-4.0.6.Final

netty-4.0.7.Final

netty-4.0.8.Final

netty-4.1.0.Beta1

netty-4.1.0.Beta2

netty-4.1.0.Beta3

netty-4.1.0.Beta4

netty-4.1.0.Beta5

netty-4.1.0.Beta6

netty-4.1.0.Beta7

netty-4.1.0.Beta8

netty-4.1.0.CR1

netty-4.1.0.CR2

netty-4.1.0.CR3

netty-4.1.0.CR4

netty-4.1.0.CR5

netty-4.1.0.CR6

netty-4.1.0.CR7

netty-4.1.0.Final

netty-4.1.1.Final

netty-4.1.10.Final

netty-4.1.11.Final

netty-4.1.12.Final

netty-4.1.13.Final

netty-4.1.14.Final

netty-4.1.15.Final

netty-4.1.16.Final

netty-4.1.17.Final

netty-4.1.18.Final

netty-4.1.19.Final

netty-4.1.2.Final

netty-4.1.20.Final

netty-4.1.21.Final

netty-4.1.22.Final

netty-4.1.23.Final

netty-4.1.24.Final

netty-4.1.25.Final

netty-4.1.26.Final

netty-4.1.27.Final

netty-4.1.28.Final

netty-4.1.29.Final

netty-4.1.3.Final

netty-4.1.30.Final

netty-4.1.31.Final

netty-4.1.32.Final

netty-4.1.33.Final

netty-4.1.34.Final

netty-4.1.35.Final

netty-4.1.36.Final

netty-4.1.37.Final

netty-4.1.38.Final

netty-4.1.39.Final

netty-4.1.4.Final

netty-4.1.40.Final

netty-4.1.41.Final

netty-4.1.42.Final

netty-4.1.43.Final

netty-4.1.5.Final

netty-4.1.6.Final

netty-4.1.7.Final

netty-4.1.8.Final

netty-4.1.9.Final

Database specific

unresolved_ranges

[
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "33"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "8.0"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "9.0"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "10.0"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "7.2"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "7.3"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "7.4"
            }
        ]
    }
]

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-7238.json"