← Back

CVE-2021-43797

nvd nist
Published: Dec 9, 2021Modified: Nov 21, 2024

JSON object

Loading...
6.5
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Exploitability: 2.8 / Impact: 3.6
Source: NVD

Description

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Netty prior to version 4.1.71.Final skips control chars when they are present at the beginning / end of the header name. It should instead fail fast as these are not allowed by the spec and could lead to HTTP request smuggling. Failing to do the validation might cause netty to "sanitize" header names before it forward these to another remote system when used as proxy. This remote system can't see the invalid usage anymore, and therefore does not do the validation itself. Users should upgrade to version 4.1.71.Final.

Affected (22)

Show all products
Netty: Netty · Quarkus: Quarkus · Netapp: Oncommand Workflow Automation, Snapcenter · Oracle: Banking Deposits And Lines Of Credit Servicing, Banking Party Management, Banking Platform, Coherence, Communications Cloud Native Core Binding Support Function, Communications Cloud Native Core Network Slice Selection Function, Communications Cloud Native Core Policy, Communications Cloud Native Core Security Edge Protection Proxy, Communications Cloud Native Core Unified Data Repository, Communications Design Studio, Communications Instant Messaging Server, Helidon, Peoplesoft Enterprise Peopletools · Debian: Debian Linux
Netty
1 product
Netty
Quarkus
1 product
Quarkus
Netapp
2 products
Oncommand Workflow Automation
Snapcenter
Oracle
13 products
Banking Deposits And Lines Of Credit Servicing
Banking Party Management
Banking Platform
Coherence
Communications Cloud Native Core Binding Support Function
Communications Cloud Native Core Network Slice Selection Function
Communications Cloud Native Core Policy
Communications Cloud Native Core Security Edge Protection Proxy
Communications Cloud Native Core Unified Data Repository
Communications Design Studio
Communications Instant Messaging Server
Helidon
Peoplesoft Enterprise Peopletools
Debian
1 product
Debian Linux
Configuration A
1 vulnerable
Vulnerable SoftwareAffected Versions
Netty
Before 4.1.71
Configuration B
1 vulnerable
Vulnerable SoftwareAffected Versions
Quarkus
Before 2.5.3
Configuration C
2 vulnerable
Vulnerable SoftwareAffected Versions
Oncommand Workflow Automation
All versions
Snapcenter
All versions
Configuration D
16 vulnerable
Vulnerable SoftwareAffected Versions
Banking Deposits And Lines Of Credit Servicing
Version 2.7
Banking Party Management
Version 2.7.0
Banking Platform
Version 2.6.2
Oracle
Coherence
Version 12.2.1.4.0
Coherence
Version 14.1.1.0.0
Communications Cloud Native Core Binding Support Function
Version 1.11.0
Communications Cloud Native Core Network Slice Selection Function
Version 1.8.0
Communications Cloud Native Core Policy
Version 1.15.0
Communications Cloud Native Core Security Edge Protection Proxy
Version 1.7.0
Communications Cloud Native Core Unified Data Repository
Version 1.15.0
Communications Design Studio
Version 7.4.2
Communications Instant Messaging Server
Version 8.1
Oracle
Helidon
Version 1.4.10
Helidon
Version 2.4.0
Oracle
Peoplesoft Enterprise Peopletools
Version 8.58
Peoplesoft Enterprise Peopletools
Version 8.59
Configuration E
2 vulnerable
Vulnerable SoftwareAffected Versions
Debian
Debian Linux
Version 10.0
Debian Linux
Version 11.0

Related CWEs

CWE-444
Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.

References (14)

Source: security-advisories@github.com
PatchThird Party Advisory
Source: security-advisories@github.com
Third Party Advisory
Source: security-advisories@github.com
Mailing ListThird Party Advisory
Source: security-advisories@github.com
Third Party Advisory
Source: security-advisories@github.com
Third Party Advisory
Source: security-advisories@github.com
PatchThird Party Advisory
Source: security-advisories@github.com
PatchThird Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
PatchThird Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Mailing ListThird Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
PatchThird Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
PatchThird Party Advisory

Timeline

No history available yet.