CVE-2021-43797 (CVSS base score 6.5)
- EPSS 0.18%
- Published 09.12.2021 19:15:07
- Last modified 21.11.2024 06:29:48
- Source security-advisories@github.com
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Netty prior to version 4.1.71.Final skips control characters when they are present at the beginning or end of a header name. It should instead fail fast, as these characters are not allowed by the spec and could lead to HTTP request smuggling. Failing to do the validation might cause Netty to "sanitize" header names before it forwards them to another remote system when used as a proxy. That remote system can no longer see the invalid usage and therefore does not perform the validation itself. Users should upgrade to version 4.1.71.Final.
Data provided by the National Vulnerability Database (NVD)
- Netapp ≫ Oncommand Workflow Automation, Version: -
- Netapp ≫ Snapcenter, Version: -
- Oracle ≫ Banking Deposits And Lines Of Credit Servicing, Version: 2.7
- Oracle ≫ Banking Party Management, Version: 2.7.0
- Oracle ≫ Banking Platform, Version: 2.6.2
- Oracle ≫ Communications Cloud Native Core Binding Support Function, Version: 1.11.0
- Oracle ≫ Communications Cloud Native Core Policy, Version: 1.15.0
- Oracle ≫ Communications Cloud Native Core Unified Data Repository, Version: 1.15.0
- Oracle ≫ Communications Design Studio, Version: 7.4.2
- Oracle ≫ Communications Instant Messaging Server, Version: 8.1
- Oracle ≫ Peoplesoft Enterprise Peopletools, Version: 8.58
- Oracle ≫ Peoplesoft Enterprise Peopletools, Version: 8.59
- Debian ≫ Debian Linux, Version: 10.0
- Debian ≫ Debian Linux, Version: 11.0
No CISA KEV entry or CERT.AT warning was found for this CVE.
Type | Source | Score | Percentile |
---|---|---|---|
EPSS | FIRST.org | 0.18% | 0.396 |
Source | Base Score | Exploit Score | Impact Score | Vector String |
---|---|---|---|---|
nvd@nist.gov | 6.5 | 2.8 | 3.6 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N |
nvd@nist.gov | 4.3 | 8.6 | 2.9 | AV:N/AC:M/Au:N/C:N/I:P/A:N |
security-advisories@github.com | 6.5 | 2.8 | 3.6 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N |
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.