CVE-2021-43797

See a problem?

Source

https://nvd.nist.gov/vuln/detail/CVE-2021-43797

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-43797.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2021-43797

Aliases

GHSA-wx5j-54mm-rqqq

Related

Published

2021-12-09T19:15:07Z

Modified

2024-09-11T04:51:16.707075Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N CVSS Calculator

Summary

[none]

Details

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Netty prior to version 4.1.71.Final skips control chars when they are present at the beginning / end of the header name. It should instead fail fast as these are not allowed by the spec and could lead to HTTP request smuggling. Failing to do the validation might cause netty to "sanitize" header names before it forward these to another remote system when used as proxy. This remote system can't see the invalid usage anymore, and therefore does not do the validation itself. Users should upgrade to version 4.1.71.Final.

References

Affected packages

Debian:11 / netty

Package

Name: netty
Purl: pkg:deb/debian/netty?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1:4.1.48-4+deb11u1

Affected versions

1:4.*

1:4.1.48-4

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / netty

Package

Name: netty
Purl: pkg:deb/debian/netty?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1:4.1.48-6

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / netty

Package

Name: netty
Purl: pkg:deb/debian/netty?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1:4.1.48-6

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/netty/netty

Affected ranges

Type: GIT
Repo: https://github.com/netty/netty
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

07aa6b5938a8b6ed7a6586e066400e2643897323

Type: GIT
Repo: https://github.com/oracle/helidon
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

4a757131019b969d91a6eeeda9da2e4063e0e107

Type: GIT
Repo: https://github.com/quarkusio/quarkus
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

6d6e2d99804875e216fb4a5caca01e5e901a9a07

Affected versions

netty-4.*

netty-4.0.0.Alpha1

netty-4.0.0.Alpha2

netty-4.0.0.Alpha3

netty-4.0.0.Alpha4

netty-4.0.0.Alpha5

netty-4.0.0.Alpha6

netty-4.0.0.Alpha7

netty-4.0.0.Alpha8

netty-4.0.0.Beta1

netty-4.0.0.Beta2

netty-4.0.0.Beta3

netty-4.0.0.CR1

netty-4.0.0.CR2

netty-4.0.0.CR3

netty-4.0.0.CR4

netty-4.0.0.CR5

netty-4.0.0.CR7

netty-4.0.0.CR8

netty-4.0.0.CR9

netty-4.0.0.Final

netty-4.0.1.Final

netty-4.0.10.Final

netty-4.0.11.Final

netty-4.0.12.Final

netty-4.0.13.Final

netty-4.0.14.Beta1

netty-4.0.14.Final

netty-4.0.15.Final

netty-4.0.2.Final

netty-4.0.3.Final

netty-4.0.4.Final

netty-4.0.5.Final

netty-4.0.6.Final

netty-4.0.7.Final

netty-4.0.8.Final

netty-4.1.0.Beta1

netty-4.1.0.Beta2

netty-4.1.0.Beta3

netty-4.1.0.Beta4

netty-4.1.0.Beta5

netty-4.1.0.Beta6

netty-4.1.0.Beta7

netty-4.1.0.Beta8

netty-4.1.0.CR1

netty-4.1.0.CR2

netty-4.1.0.CR3

netty-4.1.0.CR4

netty-4.1.0.CR5

netty-4.1.0.CR6

netty-4.1.0.CR7

netty-4.1.0.Final

netty-4.1.1.Final

netty-4.1.10.Final

netty-4.1.11.Final

netty-4.1.12.Final

netty-4.1.13.Final

netty-4.1.14.Final

netty-4.1.15.Final

netty-4.1.16.Final

netty-4.1.17.Final

netty-4.1.18.Final

netty-4.1.19.Final

netty-4.1.2.Final

netty-4.1.20.Final

netty-4.1.21.Final

netty-4.1.22.Final

netty-4.1.23.Final

netty-4.1.24.Final

netty-4.1.25.Final

netty-4.1.26.Final

netty-4.1.27.Final

netty-4.1.28.Final

netty-4.1.29.Final

netty-4.1.3.Final

netty-4.1.30.Final

netty-4.1.31.Final

netty-4.1.32.Final

netty-4.1.33.Final

netty-4.1.34.Final

netty-4.1.35.Final

netty-4.1.36.Final

netty-4.1.37.Final

netty-4.1.38.Final

netty-4.1.39.Final

netty-4.1.4.Final

netty-4.1.40.Final

netty-4.1.41.Final

netty-4.1.42.Final

netty-4.1.43.Final

netty-4.1.44.Final

netty-4.1.45.Final

netty-4.1.46.Final

netty-4.1.47.Final

netty-4.1.48.Final

netty-4.1.49.Final

netty-4.1.5.Final

netty-4.1.50.Final

netty-4.1.51.Final

netty-4.1.52.Final

netty-4.1.53.Final

netty-4.1.54.Final

netty-4.1.55.Final

netty-4.1.56.Final

netty-4.1.57.Final

netty-4.1.58.Final

netty-4.1.59.Final

netty-4.1.6.Final

netty-4.1.60.Final

netty-4.1.61.Final

netty-4.1.62.Final

netty-4.1.63.Final

netty-4.1.64.Final

netty-4.1.65.Final

netty-4.1.66.Final

netty-4.1.67.Final

netty-4.1.68.Final

netty-4.1.69.Final

netty-4.1.7.Final

netty-4.1.70.Final

netty-4.1.8.Final

netty-4.1.9.Final