Netty is an asynchronous, event-driven network application framework for rapid development of maintainable, high-performance protocol servers and clients. Netty prior to version 4.1.71.Final skips control characters when they are present at the beginning or end of a header name. It should instead fail fast, as these characters are not allowed by the spec and could lead to HTTP request smuggling. When Netty is used as a proxy, failing to do this validation might cause it to "sanitize" header names before it forwards them to another remote system. That remote system can no longer see the invalid header name, and therefore does not reject it itself. Users should upgrade to version 4.1.71.Final.
[
{
"signature_type": "Function",
"target": {
"function": "splitHeader",
"file": "codec-http/src/main/java/io/netty/handler/codec/http/HttpObjectDecoder.java"
},
"source": "https://github.com/netty/netty/commit/07aa6b5938a8b6ed7a6586e066400e2643897323",
"digest": {
"length": 721.0,
"function_hash": "18233425441436127750782009070532165344"
},
"id": "CVE-2021-43797-06e8f123",
"signature_version": "v1",
"deprecated": false
},
{
"signature_type": "Function",
"target": {
"function": "testContentLengthHeaderAndChunked",
"file": "codec-http/src/test/java/io/netty/handler/codec/http/HttpRequestDecoderTest.java"
},
"source": "https://github.com/netty/netty/commit/07aa6b5938a8b6ed7a6586e066400e2643897323",
"digest": {
"length": 625.0,
"function_hash": "172481325208139734420814766658866698590"
},
"id": "CVE-2021-43797-1a525c75",
"signature_version": "v1",
"deprecated": false
},
{
"signature_type": "Line",
"target": {
"file": "codec-http/src/main/java/io/netty/handler/codec/http/HttpObjectDecoder.java"
},
"source": "https://github.com/netty/netty/commit/07aa6b5938a8b6ed7a6586e066400e2643897323",
"digest": {
"line_hashes": [
"309063670718511852852130624213590019128",
"236028198603043349454850779406824610877",
"270842797415329582936981774885370126028",
"186080358750429610931052563775734784239",
"226215294083256624125810313988307288511",
"226227342066640177055081876388804373096",
"138994542358011796466486833744208061858",
"105230826901819499999452807477415866947",
"334664931806984178562747170361686518977",
"161248011630319998146678241255534469769",
"261672280417367862732224899564577162249",
"17628894065973736492298769263740826268",
"103878262630415130004754967443765499734",
"11026235238673042823005249559779410821",
"166716581219736466294267342503528367140",
"142448574484156466214458763293749879625",
"60843268908281218031061033820250491848"
],
"threshold": 0.9
},
"id": "CVE-2021-43797-26cc52ea",
"signature_version": "v1",
"deprecated": false
},
{
"signature_type": "Function",
"target": {
"function": "validateHeaderNameElement",
"file": "codec-http/src/main/java/io/netty/handler/codec/http/DefaultHttpHeaders.java"
},
"source": "https://github.com/netty/netty/commit/07aa6b5938a8b6ed7a6586e066400e2643897323",
"digest": {
"length": 425.0,
"function_hash": "269494387521881585452919491774019618154"
},
"id": "CVE-2021-43797-4a51298f",
"signature_version": "v1",
"deprecated": false
},
{
"signature_type": "Function",
"target": {
"function": "testWhitespaceBeforeTransferEncoding01",
"file": "codec-http/src/test/java/io/netty/handler/codec/http/HttpRequestDecoderTest.java"
},
"source": "https://github.com/netty/netty/commit/07aa6b5938a8b6ed7a6586e066400e2643897323",
"digest": {
"length": 181.0,
"function_hash": "120389524553676198839368369664138070526"
},
"id": "CVE-2021-43797-519021ec",
"signature_version": "v1",
"deprecated": false
},
{
"signature_type": "Line",
"target": {
"file": "codec-http/src/main/java/io/netty/handler/codec/http/DefaultHttpHeaders.java"
},
"source": "https://github.com/netty/netty/commit/07aa6b5938a8b6ed7a6586e066400e2643897323",
"digest": {
"line_hashes": [
"242725271108212257826686151719562831231",
"277129886284590452125535259180690183607",
"37624302477473825498411741862664336775",
"228917488556910377238465181157986725774",
"140034408903480898175462269668254395793",
"68545724326011841925920210003172109296",
"152338190554326077557988043637150582391",
"228917488556910377238465181157986725774"
],
"threshold": 0.9
},
"id": "CVE-2021-43797-51bcc4f8",
"signature_version": "v1",
"deprecated": false
},
{
"signature_type": "Function",
"target": {
"function": "testWhitespaceBeforeTransferEncoding02",
"file": "codec-http/src/test/java/io/netty/handler/codec/http/HttpRequestDecoderTest.java"
},
"source": "https://github.com/netty/netty/commit/07aa6b5938a8b6ed7a6586e066400e2643897323",
"digest": {
"length": 255.0,
"function_hash": "78882820443181217366376297190537956095"
},
"id": "CVE-2021-43797-6743f810",
"signature_version": "v1",
"deprecated": false
},
{
"signature_type": "Function",
"target": {
"function": "findNonWhitespace",
"file": "codec-http/src/main/java/io/netty/handler/codec/http/HttpObjectDecoder.java"
},
"source": "https://github.com/netty/netty/commit/07aa6b5938a8b6ed7a6586e066400e2643897323",
"digest": {
"length": 464.0,
"function_hash": "226325652847968273253557520703398600741"
},
"id": "CVE-2021-43797-896c8431",
"signature_version": "v1",
"deprecated": false
},
{
"signature_type": "Function",
"target": {
"function": "testInvalidHeaders0",
"file": "codec-http/src/test/java/io/netty/handler/codec/http/HttpRequestDecoderTest.java"
},
"source": "https://github.com/netty/netty/commit/07aa6b5938a8b6ed7a6586e066400e2643897323",
"digest": {
"length": 350.0,
"function_hash": "143355351109797365878732174997598858949"
},
"id": "CVE-2021-43797-89cf9790",
"signature_version": "v1",
"deprecated": false
},
{
"signature_type": "Line",
"target": {
"file": "codec-http/src/test/java/io/netty/handler/codec/http/HttpRequestDecoderTest.java"
},
"source": "https://github.com/netty/netty/commit/07aa6b5938a8b6ed7a6586e066400e2643897323",
"digest": {
"line_hashes": [
"293566301854528473193701345220748168838",
"20493677530200135325719121561137500047",
"82344960543321320024408399124961733412",
"35637158797269933644520018473969402735",
"305950220969642324533573865219745257664",
"58081112648400015918910281176725437563",
"179050730279709306629066176660033019123",
"80143913047974372073414469457521783394",
"134919843011996964607502088886550557098",
"314471269814671764574450078684188688628",
"145458788300236256083064394210482398959",
"203505929758462516178032321139310340588",
"315989757269814039419848914586085166430",
"130910431073191905943905706865477642212",
"295279021656024965261560235598398861142",
"96053510847438498522627689639769355831",
"41606000927528761739111858373969682165",
"156109033474320444970105423142755047758",
"337890363482822668905493818716498701024",
"169870631923428948851627051058605385542",
"89943439626233183666145654945487999257",
"290012946538219556351694370753142870168",
"320931445265113101257787127976293787177",
"168085210419525997325080145804884642040",
"180226531019266707085505012886586320307",
"258175206180267023907493838535738061655",
"50103203110654270618969763800831939362",
"307126096742608635079049137510492356186",
"235725288567037057814612777792344782235"
],
"threshold": 0.9
},
"id": "CVE-2021-43797-bee6ba3d",
"signature_version": "v1",
"deprecated": false
},
{
"signature_type": "Line",
"target": {
"file": "codec-http/src/test/java/io/netty/handler/codec/http/HttpResponseDecoderTest.java"
},
"source": "https://github.com/netty/netty/commit/07aa6b5938a8b6ed7a6586e066400e2643897323",
"digest": {
"line_hashes": [
"327084716185792067665855380440375424198",
"280137859413748684000047352190436860807"
],
"threshold": 0.9
},
"id": "CVE-2021-43797-ccd3136b",
"signature_version": "v1",
"deprecated": false
},
{
"signature_type": "Function",
"target": {
"function": "validateHeaderNameElement",
"file": "codec-http/src/main/java/io/netty/handler/codec/http/DefaultHttpHeaders.java"
},
"source": "https://github.com/netty/netty/commit/07aa6b5938a8b6ed7a6586e066400e2643897323",
"digest": {
"length": 423.0,
"function_hash": "270361193334713344899991966096587179287"
},
"id": "CVE-2021-43797-ecaa030e",
"signature_version": "v1",
"deprecated": false
}
]