CVE-2021-21295

Source
https://nvd.nist.gov/vuln/detail/CVE-2021-21295
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-21295.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2021-21295
Aliases
Downstream
Related
Published
2021-03-09T19:15:12Z
Modified
2025-09-19T12:26:39.787266Z
Severity
  • 5.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Summary
[none]
Details

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.60.Final there is a vulnerability that enables request smuggling. If a Content-Length header is present in the original HTTP/2 request, the field is not validated by Http2MultiplexHandler as it is propagated up. This is fine as long as the request is not proxied through as HTTP/1.1.

If the request comes in as an HTTP/2 stream, gets converted into the HTTP/1.1 domain objects (HttpRequest, HttpContent, etc.) via Http2StreamFrameToHttpObjectCodec and is then sent up to the child channel's pipeline and proxied through to a remote peer as HTTP/1.1, this may result in request smuggling. In a proxy case, users may assume the Content-Length is validated somehow, which is not the case. If the request is forwarded to a backend channel that is an HTTP/1.1 connection, the Content-Length now has meaning and needs to be checked: the backend's HTTP/1.1 parser uses it to decide where the body ends, so a header value that disagrees with the bytes actually carried in the HTTP/2 DATA frames lets an attacker smuggle additional requests inside the body as it gets downgraded from HTTP/2 to HTTP/1.1. For an example attack refer to the GitHub Advisory for this CVE.

Users are only affected if all of this is true: Http2MultiplexCodec or Http2FrameCodec is used, Http2StreamFrameToHttpObjectCodec is used to convert to HTTP/1.1 objects, and these HTTP/1.1 objects are forwarded to another remote peer. This has been patched in 4.1.60.Final. As a workaround, users can do the validation themselves by implementing a custom ChannelInboundHandler that is placed in the ChannelPipeline behind Http2StreamFrameToHttpObjectCodec.
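The workaround described above, as an added example that is not Netty's own code: a hypothetical Http2ContentLengthValidator (the class name, the install helper and parseStrict are assumptions made for this example) that sits directly behind Http2StreamFrameToHttpObjectCodec on each HTTP/2 child channel and refuses, before anything reaches the proxying handler, any request whose HTTP/1.1 body does not match a single, strictly numeric Content-Length.

```java
import io.netty.channel.ChannelFutureListener;
import io.netty.channel.ChannelHandlerContext;
import io.netty.channel.ChannelInboundHandlerAdapter;
import io.netty.channel.ChannelPipeline;
import io.netty.handler.codec.http.DefaultFullHttpResponse;
import io.netty.handler.codec.http.FullHttpResponse;
import io.netty.handler.codec.http.HttpContent;
import io.netty.handler.codec.http.HttpHeaderNames;
import io.netty.handler.codec.http.HttpRequest;
import io.netty.handler.codec.http.HttpResponseStatus;
import io.netty.handler.codec.http.HttpUtil;
import io.netty.handler.codec.http.HttpVersion;
import io.netty.handler.codec.http.LastHttpContent;
import io.netty.handler.codec.http2.Http2StreamFrameToHttpObjectCodec;
import io.netty.util.ReferenceCountUtil;
import io.netty.util.internal.logging.InternalLogger;
import io.netty.util.internal.logging.InternalLoggerFactory;

import java.util.List;

/**
 * Hypothetical workaround handler for CVE-2021-21295 (Netty before 4.1.60.Final).
 * Placed behind Http2StreamFrameToHttpObjectCodec on an HTTP/2 child channel, it
 * checks that the HttpContent bytes of a request add up to exactly the declared
 * Content-Length before the HTTP/1.1 objects are forwarded to a backend. One
 * instance per child channel: the handler keeps per-request state.
 */
public final class Http2ContentLengthValidator extends ChannelInboundHandlerAdapter {

    private static final InternalLogger logger =
            InternalLoggerFactory.getInstance(Http2ContentLengthValidator.class);

    private long expected = -1;   // declared Content-Length, -1 when the header is absent
    private long received;        // body bytes seen so far for the current request
    private boolean rejected;     // true once the current request has been refused

    @Override
    public void channelRead(ChannelHandlerContext ctx, Object msg) throws Exception {
        if (msg instanceof HttpRequest) {
            received = 0;
            rejected = false;
            expected = -1;
            List<String> values = ((HttpRequest) msg).headers().getAll(HttpHeaderNames.CONTENT_LENGTH);
            if (!values.isEmpty()) {
                // Exactly one value, ASCII digits only: no sign, no whitespace, no overflow.
                if (values.size() != 1 || (expected = parseStrict(values.get(0))) < 0) {
                    reject(ctx, msg, "invalid Content-Length header(s): " + values);
                    return;
                }
            }
        }
        if (rejected) {
            // Drop whatever remains of a request that was already refused.
            ReferenceCountUtil.release(msg);
            return;
        }
        // A FullHttpRequest is both an HttpRequest and a LastHttpContent, so the
        // header check above and the body accounting below both apply to it.
        if (msg instanceof HttpContent && expected >= 0) {
            received += ((HttpContent) msg).content().readableBytes();
            if (received > expected || (msg instanceof LastHttpContent && received != expected)) {
                reject(ctx, msg, "body length " + received + " != Content-Length " + expected);
                return;
            }
        }
        ctx.fireChannelRead(msg); // consistent so far: pass it on to the proxying handler
    }

    private void reject(ChannelHandlerContext ctx, Object msg, String reason) {
        rejected = true;
        ReferenceCountUtil.release(msg);
        logger.warn("Rejecting request on {}: {}", ctx.channel(), reason);
        FullHttpResponse resp =
                new DefaultFullHttpResponse(HttpVersion.HTTP_1_1, HttpResponseStatus.BAD_REQUEST);
        HttpUtil.setContentLength(resp, 0);
        // The codec in front of this handler encodes the response back into HTTP/2
        // frames; closing the child channel ends the stream, so nothing further from
        // it can reach the HTTP/1.1 backend.
        ctx.writeAndFlush(resp).addListener(ChannelFutureListener.CLOSE);
    }

    /** Returns the value as a long, or -1 unless it is 1..18 ASCII digits (RFC 7230 1*DIGIT). */
    static long parseStrict(String v) {
        if (v.isEmpty() || v.length() > 18) {
            return -1;
        }
        long n = 0;
        for (int i = 0; i < v.length(); i++) {
            char c = v.charAt(i);
            if (c < '0' || c > '9') {
                return -1;
            }
            n = n * 10 + (c - '0');
        }
        return n;
    }

    /** Wiring for each HTTP/2 child (stream) channel: the validator sits directly behind the codec. */
    public static void install(ChannelPipeline p) {
        p.addLast(new Http2StreamFrameToHttpObjectCodec(true)); // true: server side
        p.addLast(new Http2ContentLengthValidator());
        // next: the application's handler that proxies the HttpObjects to the HTTP/1.1 backend
    }
}
```

Call install from the child channel initializer supplied to Http2MultiplexHandler or Http2MultiplexCodec, creating a fresh validator per child channel. The handler only guards the Content-Length mismatch this advisory describes; upgrading to 4.1.60.Final, where the codec itself validates the header, remains the proper fix.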

References

Affected packages

Git / github.com/apache/kudu

Affected ranges

Type
GIT
Repo
https://github.com/apache/kudu
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Type
GIT
Repo
https://github.com/netty/netty
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

netty-4.*

netty-4.0.0.Alpha1
netty-4.0.0.Alpha2
netty-4.0.0.Alpha3
netty-4.0.0.Alpha4
netty-4.0.0.Alpha5
netty-4.0.0.Alpha6
netty-4.0.0.Alpha7
netty-4.0.0.Alpha8
netty-4.0.0.Beta1
netty-4.0.0.Beta2
netty-4.0.0.Beta3
netty-4.0.0.CR1
netty-4.0.0.CR2
netty-4.0.0.CR3
netty-4.0.0.CR4
netty-4.0.0.CR5
netty-4.0.0.CR7
netty-4.0.0.CR8
netty-4.0.0.CR9
netty-4.0.0.Final
netty-4.0.1.Final
netty-4.0.10.Final
netty-4.0.11.Final
netty-4.0.12.Final
netty-4.0.13.Final
netty-4.0.14.Beta1
netty-4.0.14.Final
netty-4.0.15.Final
netty-4.0.2.Final
netty-4.0.3.Final
netty-4.0.4.Final
netty-4.0.5.Final
netty-4.0.6.Final
netty-4.0.7.Final
netty-4.0.8.Final
netty-4.1.0.Beta1
netty-4.1.0.Beta2
netty-4.1.0.Beta3
netty-4.1.0.Beta4
netty-4.1.0.Beta5
netty-4.1.0.Beta6
netty-4.1.0.Beta7
netty-4.1.0.Beta8
netty-4.1.0.CR1
netty-4.1.0.CR2
netty-4.1.0.CR3
netty-4.1.0.CR4
netty-4.1.0.CR5
netty-4.1.0.CR6
netty-4.1.0.CR7
netty-4.1.0.Final
netty-4.1.1.Final
netty-4.1.10.Final
netty-4.1.11.Final
netty-4.1.12.Final
netty-4.1.13.Final
netty-4.1.14.Final
netty-4.1.15.Final
netty-4.1.16.Final
netty-4.1.17.Final
netty-4.1.18.Final
netty-4.1.19.Final
netty-4.1.2.Final
netty-4.1.20.Final
netty-4.1.21.Final
netty-4.1.22.Final
netty-4.1.23.Final
netty-4.1.24.Final
netty-4.1.25.Final
netty-4.1.26.Final
netty-4.1.27.Final
netty-4.1.28.Final
netty-4.1.29.Final
netty-4.1.3.Final
netty-4.1.30.Final
netty-4.1.31.Final
netty-4.1.32.Final
netty-4.1.33.Final
netty-4.1.34.Final
netty-4.1.35.Final
netty-4.1.36.Final
netty-4.1.37.Final
netty-4.1.38.Final
netty-4.1.39.Final
netty-4.1.4.Final
netty-4.1.40.Final
netty-4.1.41.Final
netty-4.1.42.Final
netty-4.1.43.Final
netty-4.1.44.Final
netty-4.1.45.Final
netty-4.1.46.Final
netty-4.1.47.Final
netty-4.1.48.Final
netty-4.1.49.Final
netty-4.1.5.Final
netty-4.1.50.Final
netty-4.1.51.Final
netty-4.1.52.Final
netty-4.1.53.Final
netty-4.1.54.Final
netty-4.1.55.Final
netty-4.1.56.Final
netty-4.1.57.Final
netty-4.1.58.Final
netty-4.1.59.Final
netty-4.1.6.Final
netty-4.1.7.Final
netty-4.1.8.Final
netty-4.1.9.Final

Database specific

{
    "vanir_signatures": [
        {
            "signature_type": "Function",
            "target": {
                "function": "setup",
                "file": "codec-http2/src/test/java/io/netty/handler/codec/http2/DefaultHttp2ConnectionDecoderTest.java"
            },
            "digest": {
                "function_hash": "163131827113553283573844942889829219890",
                "length": 3367.0
            },
            "id": "CVE-2021-21295-076b3ec5",
            "signature_version": "v1",
            "deprecated": false,
            "source": "https://github.com/netty/netty/commit/89c241e3b1795ff257af4ad6eadc616cb2fb3dc4"
        },
        {
            "signature_type": "Function",
            "target": {
                "function": "onDataRead",
                "file": "codec-http2/src/main/java/io/netty/handler/codec/http2/DefaultHttp2ConnectionDecoder.java"
            },
            "digest": {
                "function_hash": "13121290283312984908769800193190709635",
                "length": 1776.0
            },
            "id": "CVE-2021-21295-216e269d",
            "signature_version": "v1",
            "deprecated": false,
            "source": "https://github.com/netty/netty/commit/89c241e3b1795ff257af4ad6eadc616cb2fb3dc4"
        },
        {
            "signature_type": "Function",
            "target": {
                "function": "onHeadersRead",
                "file": "codec-http2/src/main/java/io/netty/handler/codec/http2/DefaultHttp2ConnectionDecoder.java"
            },
            "digest": {
                "function_hash": "128044597731365074561874345448063835682",
                "length": 1745.0
            },
            "id": "CVE-2021-21295-4eedce72",
            "signature_version": "v1",
            "deprecated": false,
            "source": "https://github.com/netty/netty/commit/89c241e3b1795ff257af4ad6eadc616cb2fb3dc4"
        },
        {
            "signature_type": "Line",
            "target": {
                "file": "codec-http2/src/main/java/io/netty/handler/codec/http2/DefaultHttp2ConnectionDecoder.java"
            },
            "digest": {
                "line_hashes": [
                    "56801147450464915608998571466296945863",
                    "305787734193413226865597980471825739760",
                    "176320523147012450593030853993821327774",
                    "328234067401346632819186893881124413590",
                    "178909883660891606341138859683996519690",
                    "117473473298518506572612753114190829377",
                    "306524088069364581824744845396008845471",
                    "117657372999695485907251383292519926534",
                    "90095140119087404172067345192533290154",
                    "304205579781524715678478014827083073728",
                    "175791843801440861430177089523629387278",
                    "88545892492473711316712938769548881976",
                    "71410437774918518317867979898141400014",
                    "10479739303966359378562229528357192268",
                    "227908318583809173522812830450313273528",
                    "320253033835078425890951820027553641654",
                    "167637645316055634972802575172582973514",
                    "201699643622103271051135051452302913307",
                    "335659523283194323915172657828209262801",
                    "217680393614924871033195702334336205272",
                    "61315750306711228537583588486184248967",
                    "133900362357527303460237906110176880081",
                    "211645333342385333571813385344744813794",
                    "46219337575958502899013754661525049534",
                    "124269086603415208659607819358758503214",
                    "330004896875272548683785211390276273849",
                    "223894373512718001275955688513063374981",
                    "104709013446280129249792480036482959307",
                    "63277730938516402947096361918302154010",
                    "326818812999830356969684829816190328475",
                    "235303252092448803718369134685771971368",
                    "102113664438365445319651651762671979029",
                    "238884840896936821260275221957201547135",
                    "50929174104698332345549418113424668182",
                    "297831061452507531023591738340990418765",
                    "305581139940413303909949211743152590001",
                    "272289468428134422709572328812929650679",
                    "18240670485617348217017990696544482939",
                    "5161616558033022922717277269623311214",
                    "19962446268599148731404030178213257047"
                ],
                "threshold": 0.9
            },
            "id": "CVE-2021-21295-a76263b7",
            "signature_version": "v1",
            "deprecated": false,
            "source": "https://github.com/netty/netty/commit/89c241e3b1795ff257af4ad6eadc616cb2fb3dc4"
        },
        {
            "signature_type": "Function",
            "target": {
                "function": "readHeaders",
                "file": "codec-http/src/main/java/io/netty/handler/codec/http/HttpObjectDecoder.java"
            },
            "digest": {
                "function_hash": "136039075965439866115078610044858331213",
                "length": 2005.0
            },
            "id": "CVE-2021-21295-a9c4ad9d",
            "signature_version": "v1",
            "deprecated": false,
            "source": "https://github.com/netty/netty/commit/89c241e3b1795ff257af4ad6eadc616cb2fb3dc4"
        },
        {
            "signature_type": "Function",
            "target": {
                "function": "DefaultHttp2ConnectionDecoder",
                "file": "codec-http2/src/main/java/io/netty/handler/codec/http2/DefaultHttp2ConnectionDecoder.java"
            },
            "digest": {
                "function_hash": "9084650937557526153332955569107186263",
                "length": 762.0
            },
            "id": "CVE-2021-21295-aba17309",
            "signature_version": "v1",
            "deprecated": false,
            "source": "https://github.com/netty/netty/commit/89c241e3b1795ff257af4ad6eadc616cb2fb3dc4"
        },
        {
            "signature_type": "Line",
            "target": {
                "file": "codec-http2/src/test/java/io/netty/handler/codec/http2/DefaultHttp2ConnectionDecoderTest.java"
            },
            "digest": {
                "line_hashes": [
                    "126344892869594928014044763305123625331",
                    "87074137958240970938389127507030116076",
                    "190907003409725621268836162597533271784",
                    "16349625658632855229629297345956181671",
                    "263391697929191456185666087747494324715",
                    "336916350501142639771636661717585389262",
                    "302205978192499199118830293330389027250",
                    "123925897227127822382557495418897418418",
                    "69894908558659461431779000122533191348",
                    "3853748565542205885409537983304468450",
                    "39395700946577790170576037310444002434",
                    "306197664328722483981957097939818245176",
                    "293149647761448423733898173348094430012",
                    "26260724055893472957663343342004780214",
                    "148560416443248551818340986676877237494",
                    "68285722545211170465444984656998271118",
                    "166465438176436264342148049123294004266",
                    "316545207810442875339905924506419806583",
                    "62964032188391783466358178842237132936",
                    "281598869966825558931979861765142415609",
                    "325023474999970616961394501424910823943"
                ],
                "threshold": 0.9
            },
            "id": "CVE-2021-21295-dca6c806",
            "signature_version": "v1",
            "deprecated": false,
            "source": "https://github.com/netty/netty/commit/89c241e3b1795ff257af4ad6eadc616cb2fb3dc4"
        },
        {
            "signature_type": "Line",
            "target": {
                "file": "codec-http/src/main/java/io/netty/handler/codec/http/HttpObjectDecoder.java"
            },
            "digest": {
                "line_hashes": [
                    "164397687793919126235382670453790406125",
                    "145113729578345138538789037881964768050",
                    "245439652996296190444180521130132207242",
                    "213414524208182422546049020380734385626",
                    "254962056978756764886241622967337234349",
                    "310352253922811771755203309566863156039",
                    "317942778590860116440094703626850807135",
                    "14291648473826393899311187209913117543",
                    "64031734714818190934801921273335133522",
                    "291122773435198562375316743309903221812",
                    "251844405650014314219319891077685940750",
                    "170408057795286915143819984119014287317",
                    "142864601630603117362517797545603901407",
                    "275853528944319188776588937526294529797",
                    "214785981059220793922361684158690628085",
                    "151900491808285659094273936863652390687",
                    "65528626281378921832933716922633210756",
                    "264779714317578818787512444478284950345",
                    "214482292268366476038742898540697200546",
                    "184265540816685878914732024960009028313",
                    "104050348910002138347870741001997459839",
                    "214159995791178535385466432015784882617",
                    "67629897710851728596128133578550349496",
                    "70518487440308753413412217038549562636",
                    "205518209126584430943038427760694954857",
                    "1701292401270369422684318588660195476",
                    "61446602767138634013576343845334059744",
                    "330401013916243809353447802369666586028",
                    "70752595030837459442815352221321875452",
                    "12416604800241386987751795228893204740",
                    "42871084117433635731663370747703421593",
                    "146667816185960961753749311893918699035"
                ],
                "threshold": 0.9
            },
            "id": "CVE-2021-21295-e06a9d85",
            "signature_version": "v1",
            "deprecated": false,
            "source": "https://github.com/netty/netty/commit/89c241e3b1795ff257af4ad6eadc616cb2fb3dc4"
        },
        {
            "signature_type": "Line",
            "target": {
                "file": "codec-http/src/main/java/io/netty/handler/codec/http/HttpUtil.java"
            },
            "digest": {
                "line_hashes": [
                    "260905483037379100448616532127950713170",
                    "155881490674833820368238073283249505901",
                    "245912528762103197135989277749650384584",
                    "249085615949756701494769549826034618887",
                    "203156711581673838062272706559020996798",
                    "130117003699404404611541727559836666176",
                    "14919518235588270136619744552154121517",
                    "312811872835529731788902708862002934525",
                    "292991496705391134366628779717611022012",
                    "312649191103442262961422826374096300794",
                    "237207830113709018856736220745747906307",
                    "279379860327261942888738829983651561825"
                ],
                "threshold": 0.9
            },
            "id": "CVE-2021-21295-f8c8dec9",
            "signature_version": "v1",
            "deprecated": false,
            "source": "https://github.com/netty/netty/commit/89c241e3b1795ff257af4ad6eadc616cb2fb3dc4"
        }
    ]
}