Netty 4.1.43.Final allows HTTP Request Smuggling because it mishandles Transfer-Encoding whitespace (such as a [space]Transfer-Encoding:chunked line) and a later Content-Length header. This issue exists because of an incomplete fix for CVE-2019-16869.
{
"unresolved_ranges": [
{
"vendor_product": "debian:debian_linux",
"source": "CPE_STRING",
"cpes": [
"cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
"cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*",
"cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*"
],
"extracted_events": [
{
"introduced": "8.0"
},
{
"last_affected": "8.0"
},
{
"introduced": "9.0"
},
{
"last_affected": "9.0"
},
{
"introduced": "10.0"
},
{
"last_affected": "10.0"
}
]
},
{
"source": "CPE_STRING",
"vendor_product": "fedoraproject:fedora",
"cpes": [
"cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*"
],
"extracted_events": [
{
"introduced": "33"
},
{
"last_affected": "33"
}
]
},
{
"source": "CPE_STRING",
"vendor_product": "redhat:jboss_enterprise_application_platform",
"cpes": [
"cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.2:*:*:*:*:*:*:*",
"cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.3:*:*:*:*:*:*:*",
"cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.4:*:*:*:*:*:*:*"
],
"extracted_events": [
{
"introduced": "7.2"
},
{
"last_affected": "7.2"
},
{
"introduced": "7.3"
},
{
"last_affected": "7.3"
},
{
"introduced": "7.4"
},
{
"last_affected": "7.4"
}
]
}
]
}