CVE-2021-21409

EPSS 4.98%
Published 30.03.2021 15:15:14
Last modified 21.11.2024 05:48:17
Source security-advisories@github.com
Teams watchlist Login
Open Login

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with the endStream set to to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a followup of GHSA-wm47-8v5p-wjpj/CVE-2021-21295 which did miss to fix this one case. This was fixed as part of 4.1.61.Final.

Affected products Warnungen 0 Metrics 4 CWE 1 References 62

Data is provided by the National Vulnerability Database (NVD)

Netty ≫ Netty Version < 4.1.61

Debian ≫ Debian Linux Version10.0

Netapp ≫ Oncommand Api Services Version-

Netapp ≫ Oncommand Workflow Automation Version-

Oracle ≫ Banking Corporate Lending Process Management Version14.2.0

Oracle ≫ Banking Corporate Lending Process Management Version14.3.0

Oracle ≫ Banking Corporate Lending Process Management Version14.5.0

Oracle ≫ Banking Credit Facilities Process Management Version14.2.0

Oracle ≫ Banking Credit Facilities Process Management Version14.3.0

Oracle ≫ Banking Credit Facilities Process Management Version14.5.0

Oracle ≫ Banking Trade Finance Process Management Version14.2.0

Oracle ≫ Banking Trade Finance Process Management Version14.3.0

Oracle ≫ Banking Trade Finance Process Management Version14.5.0

Oracle ≫ Coherence Version12.2.1.4.0

Oracle ≫ Coherence Version14.1.1.0.0

Oracle ≫ Communications Brm - Elastic Charging Engine Version12.0.0.3

Oracle ≫ Communications Cloud Native Core Console Version1.7.0

Oracle ≫ Communications Cloud Native Core Policy Version1.14.0

Oracle ≫ Communications Design Studio Version7.4.2.0.0

Oracle ≫ Communications Messaging Server Version8.1

Oracle ≫ Helidon Version1.4.10

Oracle ≫ Helidon Version2.4.0

Oracle ≫ Jd Edwards Enterpriseone Tools Version < 9.2.6.3

Oracle ≫ Nosql Database Version < 21.1.12

Oracle ≫ Primavera Gateway Version >= 17.12.0 <= 17.12.11

Oracle ≫ Primavera Gateway Version >= 18.8.0 <= 18.8.11

Oracle ≫ Primavera Gateway Version >= 19.12.0 <= 19.12.10

Quarkus ≫ Quarkus Version <= 1.13.7

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	4.98%	0.893

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	5.9	2.2	3.6	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
nvd@nist.gov	4.3	8.6	2.9	AV:N/AC:M/Au:N/C:N/I:P/A:N
security-advisories@github.com	5.9	2.2	3.6	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.

https://www.oracle.com/security-alerts/cpuapr2022.html

Patch

Third Party Advisory

https://www.oracle.com/security-alerts/cpujan2022.html

Patch

Third Party Advisory

https://www.oracle.com//security-alerts/cpujul2021.html

Patch

Third Party Advisory

https://www.oracle.com/security-alerts/cpuoct2021.html

Patch

Third Party Advisory