CVE-2020-7238

Netty 4.1.43.Final allows HTTP Request Smuggling because it mishandles Transfer-Encoding whitespace (such as a [space]Transfer-Encoding:chunked line) and a later Content-Length header. This issue exists because of an incomplete fix for CVE-2019-16869.

CVSS v3.0 7.5 HIGH
CVSS v2.0 5.0 MEDIUM

7.5^/10

CVSS v3.0 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

5.0^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:L/Au:N/C:N/I:P/A:N

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
https://github.com/jdordonezn/CVE-2020-72381/issues/1	Exploit Third Party Advisory
https://netty.io/news/	Vendor Advisory
https://access.redhat.com/errata/RHSA-2020:0497	Third Party Advisory
https://lists.debian.org/debian-lts-announce/2020/02/msg00018.html	Mailing List Third Party Advisory
https://lists.debian.org/debian-lts-announce/2020/02/msg00017.html	Mailing List Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0601	Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0606	Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0605	Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0567	Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0804	Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0805	Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0811	Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0806	Third Party Advisory
https://lists.debian.org/debian-lts-announce/2020/09/msg00003.html	Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TS6VX7OMXPDJIU5LRGUAHRK6MENAVJ46/	Mailing List Third Party Advisory
https://www.debian.org/security/2021/dsa-4885	Third Party Advisory
https://lists.apache.org/thread.html/rc8d554aad889d12b140d9fd7d2d6fc2e8716e9792f6f4e4b2cdc2d05@%3Ccommits.cassandra.apache.org%3E	Mailing List Vendor Advisory
https://lists.apache.org/thread.html/r131e572d003914843552fa45c4398b9903fb74144986e8b107c0a3a7@%3Ccommits.cassandra.apache.org%3E	Mailing List Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:netty:netty:4.1.43:*:*:*:*:*:*:*

Configuration 2 (hide)

cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*

Configuration 3 (hide)

OR	cpe:2.3:o:debian:debian_linux:8.0:::::::*
	cpe:2.3:o:debian:debian_linux:9.0:::::::*
	cpe:2.3:o:debian:debian_linux:10.0:::::::*

Configuration 4 (hide)

OR	cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.2:::::::*
	cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.3:::::::*
	cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.4:::::::*
	cpe:2.3:a:redhat:jboss_enterprise_application_platform_text-only_advisories:-:::::::*
	cpe:2.3:a:redhat:openshift_application_runtimes_text-only_advisories:-:::::::*

Information

Published : 2020-01-27 09:15

Updated : 2021-05-27 09:21

NVD link : CVE-2020-7238

Mitre link : CVE-2020-7238

JSON object : View

CWE

CWE-444

Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

Products Affected

netty

netty

redhat

jboss_enterprise_application_platform
jboss_enterprise_application_platform_text-only_advisories
openshift_application_runtimes_text-only_advisories

fedoraproject

fedora

debian

debian_linux

7.5 /10

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

5.0 /10

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

JSON object

Attach tags to CVE-2020-7238

7.5^/10

5.0^/10

Attach tags to `CVE-2020-7238`