CVE-2021-21409

CVSS v3.1 5.9 (Medium)
CVSS v2.0 4.3 (Medium)
EPSS 1.80% (88th percentile)
Affected Products 18
Advisories 5

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high-performance protocol servers and clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request consists of a single Http2HeaderFrame with endStream set to true. RFC 7540 section 8.1.2.6 requires a content-length header, when present, to equal the total DATA payload of the stream, so a HEADERS frame that carries END_STREAM together with a non-zero content-length is malformed and must be rejected; an implementation that instead copies the declared value through can emit an HTTP/1.1 request whose Content-Length describes a body that was never sent. This can lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1, so the exposure is limited to deployments where Netty terminates HTTP/2 and forwards to an HTTP/1.1 backend. This is a follow-up to GHSA-wm47-8v5p-wjpj / CVE-2021-21295, whose fix missed this one case. It was fixed in 4.1.61.Final.
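The following is an added example, not code from the Netty project or from this advisory. It models the translation step the description refers to in plain Python: a simplified HTTP/2 stream (HEADERS and DATA frames) is converted to HTTP/1.1 wire bytes, once with the pre-4.1.61 behaviour of trusting the declared content-length (validate=False) and once with the RFC 7540 check that rejects a HEADERS frame carrying END_STREAM and a non-zero content-length, or DATA that does not add up to the declared length (validate=True). A minimal HTTP/1.1 backend model then shows how the unvalidated request desynchronises a shared backend connection. The host, paths, cookie and frame layout are constructed for illustration and appear nowhere in the advisory.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


class MalformedRequest(Exception):
    """Stream violates the content-length rule of RFC 7540 section 8.1.2.6."""


@dataclass
class HeadersFrame:
    # Lower-cased (name, value) pairs; pseudo-headers (:method, :path, :authority) included.
    headers: List[Tuple[str, str]]
    end_stream: bool = False


@dataclass
class DataFrame:
    payload: bytes
    end_stream: bool = False


def _declared_content_length(headers: List[Tuple[str, str]]) -> Optional[int]:
    values = [v for n, v in headers if n == "content-length"]
    if not values:
        return None
    if len(set(values)) != 1 or not values[0].isdigit():
        raise MalformedRequest("invalid or conflicting content-length")
    return int(values[0])


def translate_h2_to_h11(frames: Iterable, validate: bool) -> bytes:
    """Translate one HTTP/2 request stream into HTTP/1.1 wire bytes.

    validate=False models the behaviour the advisory describes: the declared
    content-length is copied through unchecked. validate=True rejects any
    stream whose declared length disagrees with the DATA actually carried,
    including the single HEADERS + END_STREAM case the earlier fix missed.
    """
    frames = list(frames)
    if not frames or not isinstance(frames[0], HeadersFrame):
        raise MalformedRequest("stream must start with a HEADERS frame")
    head = frames[0]
    declared = _declared_content_length(head.headers)
    body = b""
    if head.end_stream:
        # END_STREAM on the only HEADERS frame: no DATA can follow, so a
        # non-zero content-length describes a body that does not exist.
        if validate and declared not in (None, 0):
            raise MalformedRequest("content-length %d with END_STREAM and no DATA" % declared)
    else:
        ended = False
        for frame in frames[1:]:
            if not isinstance(frame, DataFrame):
                raise MalformedRequest("unexpected frame type in request stream")
            body += frame.payload
            if frame.end_stream:
                ended = True
                break
        if not ended:
            raise MalformedRequest("stream never ended")
        if validate and declared is not None and declared != len(body):
            raise MalformedRequest("content-length %d but %d bytes of DATA" % (declared, len(body)))
    pseudo = {n: v for n, v in head.headers if n.startswith(":")}
    regular = [(n, v) for n, v in head.headers if not n.startswith(":") and n != "content-length"]
    lines = ["%s %s HTTP/1.1" % (pseudo[":method"], pseudo[":path"]), "host: " + pseudo[":authority"]]
    lines += ["%s: %s" % (n, v) for n, v in regular]
    # Vulnerable path trusts the declared value; the hardened path has already
    # proven it equals len(body), so emitting len(body) is always correct.
    clen = declared if (declared is not None and not validate) else len(body)
    lines.append("content-length: %d" % clen)
    return ("\r\n".join(lines) + "\r\n\r\n").encode() + body


def split_h11_requests(stream: bytes) -> List[Tuple[bytes, bytes]]:
    """Model of the HTTP/1.1 backend: cut one connection's bytes into
    (head, body) pairs purely by Content-Length, as a real server does."""
    requests = []
    while stream:
        idx = stream.find(b"\r\n\r\n")
        if idx < 0:
            break  # incomplete head; a real server keeps waiting
        head, rest = stream[:idx], stream[idx + 4:]
        clen = 0
        for line in head.split(b"\r\n")[1:]:
            name, _, value = line.partition(b":")
            if name.strip().lower() == b"content-length":
                clen = int(value.strip())
        if len(rest) < clen:
            break  # body not fully received yet
        requests.append((head, rest[:clen]))
        stream = rest[clen:]
    return requests


# Constructed sample streams; host, paths and cookie are hypothetical.
def attacker_frames() -> list:
    return [HeadersFrame([(":method", "POST"), (":path", "/api/update"), (":authority", "app.example"),
                          ("content-length", "40")], end_stream=True)]


def victim_frames() -> list:
    return [HeadersFrame([(":method", "GET"), (":path", "/account"), (":authority", "app.example"),
                          ("cookie", "session=victim")], end_stream=True)]


def stream_is_well_formed(frames) -> bool:
    try:
        translate_h2_to_h11(frames, validate=True)
        return True
    except MalformedRequest:
        return False


def smuggle_demo() -> List[Tuple[bytes, bytes]]:
    """Both streams forwarded by the vulnerable translator over one backend
    connection: the backend swallows the first 40 bytes of the victim's
    request as the attacker's body, so the two requests desynchronise."""
    forwarded = (translate_h2_to_h11(attacker_frames(), validate=False)
                 + translate_h2_to_h11(victim_frames(), validate=False))
    return split_h11_requests(forwarded)


if __name__ == "__main__":
    for head, body in smuggle_demo():
        print(head.split(b"\r\n")[0], b"-> body:", body)
    print("attacker stream accepted after fix:", stream_is_well_formed(attacker_frames()))
```

With validate=False the attacker's request line reaches the backend with `content-length: 40` and no body, and the backend reads `GET /account HTTP/1.1\r\nhost: app.example` from the victim's request as that body; what remains of the victim's request, including its cookie, is parsed as a second, truncated request. With validate=True the attacker's stream is rejected before anything is forwarded, while a stream whose DATA frames match the declared length still translates normally.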

Weaknesses
CWE-444
Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Related CVEs
CVE-2021-21295 (GHSA-wm47-8v5p-wjpj), the earlier fix this CVE completes
CVE Status
PUBLISHED
CNA
GitHub, Inc.
Published Date
2021-03-30 15:15:14
Updated Date
2023-11-07 03:30:00

Affected Products

Configuration #1

    Product | CPE 2.3 | Affected versions
    Netty | cpe:2.3:a:netty:netty | < 4.1.61

Configuration #2

    Product | CPE 2.3 | Affected versions
    Debian Linux | cpe:2.3:o:debian:debian_linux:10.0 | 10.0

Configuration #3

    Product | CPE 2.3 | Affected versions
    Netapp Oncommand Api Services | cpe:2.3:a:netapp:oncommand_api_services:- | -
    Netapp Oncommand Workflow Automation | cpe:2.3:a:netapp:oncommand_workflow_automation:- | -

Configuration #4

    Product | CPE 2.3 | Affected versions
    Oracle Banking Corporate Lending Process Management | cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.2.0 | 14.2.0
    Oracle Banking Corporate Lending Process Management | cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.3.0 | 14.3.0
    Oracle Banking Corporate Lending Process Management | cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.5.0 | 14.5.0
    Oracle Banking Credit Facilities Process Management | cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.2.0 | 14.2.0
    Oracle Banking Credit Facilities Process Management | cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.3.0 | 14.3.0
    Oracle Banking Credit Facilities Process Management | cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.5.0 | 14.5.0
    Oracle Banking Trade Finance Process Management | cpe:2.3:a:oracle:banking_trade_finance_process_management:14.2.0 | 14.2.0
    Oracle Banking Trade Finance Process Management | cpe:2.3:a:oracle:banking_trade_finance_process_management:14.3.0 | 14.3.0
    Oracle Banking Trade Finance Process Management | cpe:2.3:a:oracle:banking_trade_finance_process_management:14.5.0 | 14.5.0
    Oracle Coherence | cpe:2.3:a:oracle:coherence:12.2.1.4.0 | 12.2.1.4.0
    Oracle Coherence | cpe:2.3:a:oracle:coherence:14.1.1.0.0 | 14.1.1.0.0
    Oracle Communications BRM - Elastic Charging Engine | cpe:2.3:a:oracle:communications_brm_-_elastic_charging_engine:12.0.0.3 | 12.0.0.3
    Oracle Communications Cloud Native Core Console | cpe:2.3:a:oracle:communications_cloud_native_core_console:1.7.0 | 1.7.0
    Oracle Communications Cloud Native Core Policy | cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.14.0 | 1.14.0
    Oracle Communications Design Studio | cpe:2.3:a:oracle:communications_design_studio:7.4.2.0.0 | 7.4.2.0.0
    Oracle Communications Messaging Server | cpe:2.3:a:oracle:communications_messaging_server:8.1 | 8.1
    Oracle Helidon | cpe:2.3:a:oracle:helidon:1.4.10 | 1.4.10
    Oracle Helidon | cpe:2.3:a:oracle:helidon:2.4.0 | 2.4.0
    Oracle JD Edwards EnterpriseOne Tools | cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools | < 9.2.6.3
    Oracle NoSQL Database | cpe:2.3:a:oracle:nosql_database | < 21.1.12
    Oracle Primavera Gateway | cpe:2.3:a:oracle:primavera_gateway | >= 17.12.0 and <= 17.12.11
    Oracle Primavera Gateway | cpe:2.3:a:oracle:primavera_gateway | >= 18.8.0 and <= 18.8.11
    Oracle Primavera Gateway | cpe:2.3:a:oracle:primavera_gateway | >= 19.12.0 and <= 19.12.10

Configuration #5

    Product | CPE 2.3 | Affected versions
    Quarkus | cpe:2.3:a:quarkus:quarkus | <= 1.13.7