Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2021-43797

Good to know:

icon
icon

Date: December 8, 2021

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Netty prior to version 4.1.71.Final skips control chars when they are present at the beginning / end of the header name. It should instead fail fast as these are not allowed by the spec and could lead to HTTP request smuggling. Failing to do the validation might cause netty to "sanitize" header names before it forward these to another remote system when used as proxy. This remote system can't see the invalid usage anymore, and therefore does not do the validation itself. Users should upgrade to version 4.1.71.Final. After conducting further research, Mend has determined that all versions of netty up to version 4.1.71.Final are vulnerable to CVE-2021-43797.

Language: Java

Severity Score

Related Resources (13)

https://security.netapp.com/advisory/ntap-20220107-0003
https://lists.debian.org/debian-lts-announce/2023/01/msg00008.html
https://nvd.nist.gov/vuln/detail/CVE-2021-43797
https://security-tracker.debian.org/tracker/CVE-2021-43797
https://github.com/netty/netty/pull/11891
https://github.com/netty/netty/security/advisories/GHSA-wx5j-54mm-rqqq
https://security.netapp.com/advisory/ntap-20220107-0003/
https://www.oracle.com/security-alerts/cpuapr2022.html
https://github.com/netty/netty/commit/07aa6b5938a8b6ed7a6586e066400e2643897323
https://www.oracle.com/security-alerts/cpujul2022.html
https://github.com/netty/netty
https://www.debian.org/security/2023/dsa-5316
https://www.mend.io/vulnerability-database/CVE-2021-43797

Severity Score

Weakness Type (CWE)

Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

CWE-444

Top Fix

icon

Upgrade Version

Upgrade to version io.netty:netty-codec-http:4.1.71.Final

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): REQUIRED
Scope (S): UNCHANGED
Confidentiality (C): NONE
Integrity (I): HIGH
Availability (A): NONE

CVSS v2

Base Score:
Access Vector (AV): NETWORK
Access Complexity (AC): MEDIUM
Authentication (AU): NONE
Confidentiality (C): NONE
Integrity (I): PARTIAL
Availability (A): NONE
Additional information:

Do you need more information?

Contact Us