Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Netty prior to version 4.1.71.Final skips control characters when they are present at the beginning or end of a header name. It should instead fail fast, as these characters are not allowed by the spec and could lead to HTTP request smuggling. Without this validation, Netty might "sanitize" header names before it forwards them to another remote system when used as a proxy. The remote system can no longer see the invalid usage and therefore does not do the validation itself, so a header name that should have been rejected is accepted downstream as if it were valid. Users should upgrade to version 4.1.71.Final.
{ "vanir_signatures": [ { "digest": { "function_hash": "18233425441436127750782009070532165344", "length": 721.0 }, "source": "https://github.com/netty/netty/commit/07aa6b5938a8b6ed7a6586e066400e2643897323", "signature_type": "Function", "deprecated": false, "id": "CVE-2021-43797-06e8f123", "signature_version": "v1", "target": { "function": "splitHeader", "file": "codec-http/src/main/java/io/netty/handler/codec/http/HttpObjectDecoder.java" } }, { "digest": { "function_hash": "172481325208139734420814766658866698590", "length": 625.0 }, "source": "https://github.com/netty/netty/commit/07aa6b5938a8b6ed7a6586e066400e2643897323", "signature_type": "Function", "deprecated": false, "id": "CVE-2021-43797-1a525c75", "signature_version": "v1", "target": { "function": "testContentLengthHeaderAndChunked", "file": "codec-http/src/test/java/io/netty/handler/codec/http/HttpRequestDecoderTest.java" } }, { "digest": { "threshold": 0.9, "line_hashes": [ "309063670718511852852130624213590019128", "236028198603043349454850779406824610877", "270842797415329582936981774885370126028", "186080358750429610931052563775734784239", "226215294083256624125810313988307288511", "226227342066640177055081876388804373096", "138994542358011796466486833744208061858", "105230826901819499999452807477415866947", "334664931806984178562747170361686518977", "161248011630319998146678241255534469769", "261672280417367862732224899564577162249", "17628894065973736492298769263740826268", "103878262630415130004754967443765499734", "11026235238673042823005249559779410821", "166716581219736466294267342503528367140", "142448574484156466214458763293749879625", "60843268908281218031061033820250491848" ] }, "source": "https://github.com/netty/netty/commit/07aa6b5938a8b6ed7a6586e066400e2643897323", "signature_type": "Line", "deprecated": false, "id": "CVE-2021-43797-26cc52ea", "signature_version": "v1", "target": { "file": "codec-http/src/main/java/io/netty/handler/codec/http/HttpObjectDecoder.java" } }, { "digest": { 
"function_hash": "269494387521881585452919491774019618154", "length": 425.0 }, "source": "https://github.com/netty/netty/commit/07aa6b5938a8b6ed7a6586e066400e2643897323", "signature_type": "Function", "deprecated": false, "id": "CVE-2021-43797-4a51298f", "signature_version": "v1", "target": { "function": "validateHeaderNameElement", "file": "codec-http/src/main/java/io/netty/handler/codec/http/DefaultHttpHeaders.java" } }, { "digest": { "function_hash": "120389524553676198839368369664138070526", "length": 181.0 }, "source": "https://github.com/netty/netty/commit/07aa6b5938a8b6ed7a6586e066400e2643897323", "signature_type": "Function", "deprecated": false, "id": "CVE-2021-43797-519021ec", "signature_version": "v1", "target": { "function": "testWhitespaceBeforeTransferEncoding01", "file": "codec-http/src/test/java/io/netty/handler/codec/http/HttpRequestDecoderTest.java" } }, { "digest": { "threshold": 0.9, "line_hashes": [ "242725271108212257826686151719562831231", "277129886284590452125535259180690183607", "37624302477473825498411741862664336775", "228917488556910377238465181157986725774", "140034408903480898175462269668254395793", "68545724326011841925920210003172109296", "152338190554326077557988043637150582391", "228917488556910377238465181157986725774" ] }, "source": "https://github.com/netty/netty/commit/07aa6b5938a8b6ed7a6586e066400e2643897323", "signature_type": "Line", "deprecated": false, "id": "CVE-2021-43797-51bcc4f8", "signature_version": "v1", "target": { "file": "codec-http/src/main/java/io/netty/handler/codec/http/DefaultHttpHeaders.java" } }, { "digest": { "function_hash": "78882820443181217366376297190537956095", "length": 255.0 }, "source": "https://github.com/netty/netty/commit/07aa6b5938a8b6ed7a6586e066400e2643897323", "signature_type": "Function", "deprecated": false, "id": "CVE-2021-43797-6743f810", "signature_version": "v1", "target": { "function": "testWhitespaceBeforeTransferEncoding02", "file": 
"codec-http/src/test/java/io/netty/handler/codec/http/HttpRequestDecoderTest.java" } }, { "digest": { "function_hash": "226325652847968273253557520703398600741", "length": 464.0 }, "source": "https://github.com/netty/netty/commit/07aa6b5938a8b6ed7a6586e066400e2643897323", "signature_type": "Function", "deprecated": false, "id": "CVE-2021-43797-896c8431", "signature_version": "v1", "target": { "function": "findNonWhitespace", "file": "codec-http/src/main/java/io/netty/handler/codec/http/HttpObjectDecoder.java" } }, { "digest": { "function_hash": "143355351109797365878732174997598858949", "length": 350.0 }, "source": "https://github.com/netty/netty/commit/07aa6b5938a8b6ed7a6586e066400e2643897323", "signature_type": "Function", "deprecated": false, "id": "CVE-2021-43797-89cf9790", "signature_version": "v1", "target": { "function": "testInvalidHeaders0", "file": "codec-http/src/test/java/io/netty/handler/codec/http/HttpRequestDecoderTest.java" } }, { "digest": { "threshold": 0.9, "line_hashes": [ "293566301854528473193701345220748168838", "20493677530200135325719121561137500047", "82344960543321320024408399124961733412", "35637158797269933644520018473969402735", "305950220969642324533573865219745257664", "58081112648400015918910281176725437563", "179050730279709306629066176660033019123", "80143913047974372073414469457521783394", "134919843011996964607502088886550557098", "314471269814671764574450078684188688628", "145458788300236256083064394210482398959", "203505929758462516178032321139310340588", "315989757269814039419848914586085166430", "130910431073191905943905706865477642212", "295279021656024965261560235598398861142", "96053510847438498522627689639769355831", "41606000927528761739111858373969682165", "156109033474320444970105423142755047758", "337890363482822668905493818716498701024", "169870631923428948851627051058605385542", "89943439626233183666145654945487999257", "290012946538219556351694370753142870168", "320931445265113101257787127976293787177", 
"168085210419525997325080145804884642040", "180226531019266707085505012886586320307", "258175206180267023907493838535738061655", "50103203110654270618969763800831939362", "307126096742608635079049137510492356186", "235725288567037057814612777792344782235" ] }, "source": "https://github.com/netty/netty/commit/07aa6b5938a8b6ed7a6586e066400e2643897323", "signature_type": "Line", "deprecated": false, "id": "CVE-2021-43797-bee6ba3d", "signature_version": "v1", "target": { "file": "codec-http/src/test/java/io/netty/handler/codec/http/HttpRequestDecoderTest.java" } }, { "digest": { "threshold": 0.9, "line_hashes": [ "327084716185792067665855380440375424198", "280137859413748684000047352190436860807" ] }, "source": "https://github.com/netty/netty/commit/07aa6b5938a8b6ed7a6586e066400e2643897323", "signature_type": "Line", "deprecated": false, "id": "CVE-2021-43797-ccd3136b", "signature_version": "v1", "target": { "file": "codec-http/src/test/java/io/netty/handler/codec/http/HttpResponseDecoderTest.java" } }, { "digest": { "function_hash": "270361193334713344899991966096587179287", "length": 423.0 }, "source": "https://github.com/netty/netty/commit/07aa6b5938a8b6ed7a6586e066400e2643897323", "signature_type": "Function", "deprecated": false, "id": "CVE-2021-43797-ecaa030e", "signature_version": "v1", "target": { "function": "validateHeaderNameElement", "file": "codec-http/src/main/java/io/netty/handler/codec/http/DefaultHttpHeaders.java" } } ] }