Netty is an open-source, asynchronous, event-driven network application framework for rapid development of maintainable, high-performance protocol servers and clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request uses only a single Http2HeaderFrame with endStream set to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1, because an HTTP/1.1 peer relies on the Content-Length header to determine where the message body ends. This is a follow-up to GHSA-wm47-8v5p-wjpj/CVE-2021-21295, whose fix missed this one case. The issue was fixed in 4.1.61.Final.
{
"unresolved_ranges": [
{
"source": "CPE_FIELD",
"cpe": "cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.2.0:*:*:*:*:*:*:*",
"extracted_events": [
{
"last_affected": "14.2.0"
}
]
},
{
"source": "CPE_FIELD",
"cpe": "cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.3.0:*:*:*:*:*:*:*",
"extracted_events": [
{
"last_affected": "14.3.0"
}
]
},
{
"source": "CPE_FIELD",
"cpe": "cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.5.0:*:*:*:*:*:*:*",
"extracted_events": [
{
"last_affected": "14.5.0"
}
]
},
{
"source": "CPE_FIELD",
"cpe": "cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.2.0:*:*:*:*:*:*:*",
"extracted_events": [
{
"last_affected": "14.2.0"
}
]
},
{
"source": "CPE_FIELD",
"cpe": "cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.3.0:*:*:*:*:*:*:*",
"extracted_events": [
{
"last_affected": "14.3.0"
}
]
},
{
"source": "CPE_FIELD",
"cpe": "cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.5.0:*:*:*:*:*:*:*",
"extracted_events": [
{
"last_affected": "14.5.0"
}
]
},
{
"source": "CPE_FIELD",
"cpe": "cpe:2.3:a:oracle:banking_trade_finance_process_management:14.2.0:*:*:*:*:*:*:*",
"extracted_events": [
{
"last_affected": "14.2.0"
}
]
},
{
"source": "CPE_FIELD",
"cpe": "cpe:2.3:a:oracle:banking_trade_finance_process_management:14.3.0:*:*:*:*:*:*:*",
"extracted_events": [
{
"last_affected": "14.3.0"
}
]
},
{
"source": "CPE_FIELD",
"cpe": "cpe:2.3:a:oracle:banking_trade_finance_process_management:14.5.0:*:*:*:*:*:*:*",
"extracted_events": [
{
"last_affected": "14.5.0"
}
]
},
{
"source": "CPE_FIELD",
"cpe": "cpe:2.3:a:oracle:coherence:12.2.1.4.0:*:*:*:*:*:*:*",
"extracted_events": [
{
"last_affected": "12.2.1.4.0"
}
]
},
{
"source": "CPE_FIELD",
"cpe": "cpe:2.3:a:oracle:coherence:14.1.1.0.0:*:*:*:*:*:*:*",
"extracted_events": [
{
"last_affected": "14.1.1.0.0"
}
]
},
{
"source": "CPE_FIELD",
"cpe": "cpe:2.3:a:oracle:communications_brm_-_elastic_charging_engine:12.0.0.3:*:*:*:*:*:*:*",
"extracted_events": [
{
"last_affected": "12.0.0.3"
}
]
},
{
"source": "CPE_FIELD",
"cpe": "cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.14.0:*:*:*:*:*:*:*",
"extracted_events": [
{
"last_affected": "1.14.0"
}
]
},
{
"source": "CPE_FIELD",
"cpe": "cpe:2.3:a:oracle:communications_design_studio:7.4.2.0.0:*:*:*:*:*:*:*",
"extracted_events": [
{
"last_affected": "7.4.2.0.0"
}
]
},
{
"source": "CPE_FIELD",
"cpe": "cpe:2.3:a:oracle:communications_messaging_server:8.1:*:*:*:*:*:*:*",
"extracted_events": [
{
"last_affected": "8.1"
}
]
},
{
"source": "CPE_FIELD",
"cpe": "cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:*:*:*:*:*:*:*:*",
"extracted_events": [
{
"fixed": "9.2.6.3"
}
]
},
{
"source": "CPE_FIELD",
"cpe": "cpe:2.3:a:oracle:nosql_database:*:*:*:*:*:*:*:*",
"extracted_events": [
{
"fixed": "21.1.12"
}
]
},
{
"source": "CPE_FIELD",
"cpe": "cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*",
"extracted_events": [
{
"introduced": "17.12.0"
},
{
"last_affected": "17.12.11"
},
{
"introduced": "18.8.0"
},
{
"last_affected": "18.8.11"
},
{
"introduced": "19.12.0"
},
{
"last_affected": "19.12.10"
}
]
},
{
"source": "CPE_FIELD",
"cpe": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
"extracted_events": [
{
"last_affected": "10.0"
}
]
}
]
}{
"source": "CPE_FIELD",
"cpe": "cpe:2.3:a:oracle:helidon:1.4.10:*:*:*:*:*:*:*",
"extracted_events": [
{
"introduced": "0"
},
{
"last_affected": "1.4.10"
}
]
}{
"source": "CPE_FIELD",
"cpe": [
"cpe:2.3:a:oracle:communications_cloud_native_core_console:1.7.0:*:*:*:*:*:*:*",
"cpe:2.3:a:oracle:helidon:2.4.0:*:*:*:*:*:*:*",
"cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*"
],
"extracted_events": [
{
"introduced": "0"
},
{
"last_affected": "1.7.0"
},
{
"last_affected": "2.4.0"
},
{
"last_affected": "1.13.7"
}
]
}