Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high-performance protocol servers and clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with endStream set to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a follow-up to GHSA-wm47-8v5p-wjpj/CVE-2021-21295, whose fix missed this one case. This was fixed as part of 4.1.61.Final.
References
Information
Published : 2021-03-30 08:15
Updated : 2022-05-12 07:35
NVD link : CVE-2021-21409
Mitre link : CVE-2021-21409
CWE
CWE-444
Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
Products Affected
netapp
- oncommand_workflow_automation
- oncommand_api_services
oracle
- banking_credit_facilities_process_management
- communications_messaging_server
- communications_cloud_native_core_console
- banking_corporate_lending_process_management
- communications_design_studio
- coherence
- communications_brm_-_elastic_charging_engine
- primavera_gateway
- nosql_database
- jd_edwards_enterpriseone_tools
- helidon
- banking_trade_finance_process_management
- communications_cloud_native_core_policy
netty
- netty
quarkus
- quarkus
debian
- debian_linux