Possible request smuggling in HTTP/2 due missing validation of content-length
CVE-2021-21409

5.9MEDIUM

Key Information:

Vendor
Netty
Status
Netty
Vendor
CVE Published:
30 March 2021

Summary

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with the endStream set to to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a followup of GHSA-wm47-8v5p-wjpj/CVE-2021-21295 which did miss to fix this one case. This was fixed as part of 4.1.61.Final.

Affected Version(s)

netty < 4.1.61.Final

References

https://github.com/netty/netty/security/advisories/GHSA-f...
x_refsource_CONFIRM
https://github.com/netty/netty/security/advisories/GHSA-w...
x_refsource_MISC
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-2...
x_refsource_MISC

CVSS V3.1

Score:
5.9
Severity:
MEDIUM
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.
CVE-2021-21409 : Possible request smuggling in HTTP/2 due missing validation of content-length | SecurityVulnerability.io