CVE-2021-21409
CVSS v3.1: 5.9 (Medium)
CVSS v2.0: 4.3 (Medium)
EPSS: 1.80 % (88th)
Affected Products: 18
Advisories: 5
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request uses only a single Http2HeaderFrame with endStream set to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a follow-up to GHSA-wm47-8v5p-wjpj/CVE-2021-21295, which missed fixing this one case. The issue was fixed in 4.1.61.Final.
Weaknesses
- CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
- CVE Status: PUBLISHED
- CNA: GitHub, Inc.
- Published Date: 2021-03-30 15:15:14
- Updated Date: 2023-11-07 03:30:00
Affected Products
- Banking Corporate Lending Process Management
- Banking Credit Facilities Process Management
- Banking Trade Finance Process Management
- Coherence
- Communications Brm - Elastic Charging Engine
- Communications Cloud Native Core Console
- Communications Cloud Native Core Policy
- Communications Design Studio
- Communications Messaging Server
- Helidon
- Jd Edwards Enterpriseone Tools
- Nosql Database
- Primavera Gateway