Possible request smuggling in HTTP/2 due missing validation of content-length
CVE-2021-21409

5.9MEDIUM

Key Information:

Vendor

Netty

Status
Netty
Vendor
CVE Published:
30 March 2021

What is CVE-2021-21409?

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with the endStream set to to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a followup of GHSA-wm47-8v5p-wjpj/CVE-2021-21295 which did miss to fix this one case. This was fixed as part of 4.1.61.Final.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

netty < 4.1.61.Final

References

https://github.com/netty/netty/security/advisories/GHSA-f...
x_refsource_CONFIRM
https://github.com/netty/netty/security/advisories/GHSA-w...
x_refsource_MISC
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-2...
x_refsource_MISC

CVSS V3.1

Score:
5.9
Severity:
MEDIUM
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.