GHSA-cqqj-4p63-rrmm

Source

https://github.com/advisories/GHSA-cqqj-4p63-rrmm

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/02/GHSA-cqqj-4p63-rrmm/GHSA-cqqj-4p63-rrmm.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-cqqj-4p63-rrmm

Aliases

CVE-2019-20444

Related

CGA-gg6m-vh7x-6jr4

Published

2020-02-21T18:55:24Z

Modified

2025-07-02T16:46:54.908973Z

Severity

9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N CVSS Calculator

Summary

HTTP Request Smuggling in Netty

Details

HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax, or might be interpreted as an "invalid fold."

Database specific

{
    "severity": "CRITICAL",
    "cwe_ids": [
        "CWE-444"
    ],
    "nvd_published_at": "2020-01-29T21:15:00Z",
    "github_reviewed_at": "2020-02-20T20:54:33Z",
    "github_reviewed": true
}

References

Affected packages

Maven / io.netty:netty-codec-http

Package

Name: io.netty:netty-codec-http; View open source insights on deps.dev
Purl: pkg:maven/io.netty/netty-codec-http

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

4.1.44

Affected versions

4.*

4.0.0.Alpha1

4.0.0.Alpha2

4.0.0.Alpha3

4.0.0.Alpha4

4.0.0.Alpha5

4.0.0.Alpha6

4.0.0.Alpha7

4.0.0.Alpha8

4.0.0.Beta1

4.0.0.Beta2

4.0.0.Beta3

4.0.0.CR1

4.0.0.CR2

4.0.0.CR3

4.0.0.CR4

4.0.0.CR5

4.0.0.CR6

4.0.0.CR7

4.0.0.CR8

4.0.0.CR9

4.0.0.Final

4.0.1.Final

4.0.2.Final

4.0.3.Final

4.0.4.Final

4.0.5.Final

4.0.6.Final

4.0.7.Final

4.0.8.Final

4.0.9.Final

4.0.10.Final

4.0.11.Final

4.0.12.Final

4.0.13.Final

4.0.14.Beta1

4.0.14.Final

4.0.15.Final

4.0.16.Final

4.0.17.Final

4.0.18.Final

4.0.19.Final

4.0.20.Final

4.0.21.Final

4.0.22.Final

4.0.23.Final

4.0.24.Final

4.0.25.Final

4.0.26.Final

4.0.27.Final

4.0.28.Final

4.0.29.Final

4.0.30.Final

4.0.31.Final

4.0.32.Final

4.0.33.Final

4.0.34.Final

4.0.35.Final

4.0.36.Final

4.0.37.Final

4.0.38.Final

4.0.39.Final

4.0.40.Final

4.0.41.Final

4.0.42.Final

4.0.43.Final

4.0.44.Final

4.0.45.Final

4.0.46.Final

4.0.47.Final

4.0.48.Final

4.0.49.Final

4.0.50.Final

4.0.51.Final

4.0.52.Final

4.0.53.Final

4.0.54.Final

4.0.55.Final

4.0.56.Final

4.1.0.Beta1

4.1.0.Beta2

4.1.0.Beta3

4.1.0.Beta4

4.1.0.Beta5

4.1.0.Beta6

4.1.0.Beta7

4.1.0.Beta8

4.1.0.CR1

4.1.0.CR2

4.1.0.CR3

4.1.0.CR4

4.1.0.CR5

4.1.0.CR6

4.1.0.CR7

4.1.0.Final

4.1.1.Final

4.1.2.Final

4.1.3.Final

4.1.4.Final

4.1.5.Final

4.1.6.Final

4.1.7.Final

4.1.8.Final

4.1.9.Final

4.1.10.Final

4.1.11.Final

4.1.12.Final

4.1.13.Final

4.1.14.Final

4.1.15.Final

4.1.16.Final

4.1.17.Final

4.1.18.Final

4.1.19.Final

4.1.20.Final

4.1.21.Final

4.1.22.Final

4.1.23.Final

4.1.24.Final

4.1.25.Final

4.1.26.Final

4.1.27.Final

4.1.28.Final

4.1.29.Final

4.1.30.Final

4.1.31.Final

4.1.32.Final

4.1.33.Final

4.1.34.Final

4.1.35.Final

4.1.36.Final

4.1.37.Final

4.1.38.Final

4.1.39.Final

4.1.40.Final

4.1.41.Final

4.1.42.Final

4.1.43.Final

Maven / org.jboss.netty:netty

Package

Name: org.jboss.netty:netty; View open source insights on deps.dev
Purl: pkg:maven/org.jboss.netty/netty

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

3.*

3.0.0.CR1

3.0.0.CR2

3.0.0.CR3

3.0.0.CR4

3.0.0.CR5

3.0.0.GA

3.0.1.GA

3.0.2.GA

3.1.0.ALPHA1

3.1.0.ALPHA2

3.1.0.ALPHA3

3.1.0.ALPHA4

3.1.0.BETA1

3.1.0.BETA2

3.1.0.BETA3

3.1.0.CR1

3.1.0.GA

3.1.1.GA

3.1.2.GA

3.1.3.GA

3.1.4.GA

3.1.5.GA

3.2.0.ALPHA1

3.2.0.ALPHA2

3.2.0.ALPHA3

3.2.0.ALPHA4

3.2.0.BETA1

3.2.0.CR1

3.2.0.Final

3.2.1.Final

3.2.2.Final

3.2.3.Final

3.2.4.Final

3.2.5.Final

3.2.6.Final

3.2.7.Final

3.2.8.Final

3.2.9.Final

3.2.10.Final

Database specific

last_known_affected_version_range

"< 4.0.0"

Maven / io.netty:netty

Package

Name: io.netty:netty; View open source insights on deps.dev
Purl: pkg:maven/io.netty/netty

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

3.*

3.3.0.Final

3.3.1.Final

3.4.0.Alpha1

3.4.0.Alpha2

3.4.0.Beta1

3.4.0.Final

3.4.1.Final

3.4.2.Final

3.4.3.Final

3.4.4.Final

3.4.5.Final

3.4.6.Final

3.5.0.Beta1

3.5.0.Final

3.5.1.Final

3.5.2.Final

3.5.3.Final

3.5.4.Final

3.5.5.Final

3.5.6.Final

3.5.7.Final

3.5.8.Final

3.5.9.Final

3.5.10.Final

3.5.11.Final

3.5.12.Final

3.5.13.Final

3.6.0.Beta1

3.6.0.Final

3.6.1.Final

3.6.2.Final

3.6.3.Final

3.6.4.Final

3.6.5.Final

3.6.6.Final

3.6.7.Final

3.6.8.Final

3.6.9.Final

3.6.10.Final

3.7.0.Final

3.7.1.Final

3.8.0.Final

3.8.1.Final

3.8.2.Final

3.8.3.Final

3.9.0.Final

3.9.1.Final

3.9.1.1.Final

3.9.2.Final

3.9.3.Final

3.9.4.Final

3.9.5.Final

3.9.6.Final

3.9.7.Final

3.9.8.Final

3.9.9.Final

3.10.0.Final

3.10.1.Final

3.10.2.Final

3.10.3.Final

3.10.4.Final

3.10.5.Final

3.10.6.Final

4.*

4.0.0.Alpha1

4.0.0.Alpha2

4.0.0.Alpha3

4.0.0.Alpha4

4.0.0.Alpha5

4.0.0.Alpha6

4.0.0.Alpha7

4.0.0.Alpha8

Database specific

last_known_affected_version_range

"< 4.0.0"