6.5 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
0.002 Low
EPSS
Percentile
61.7%
Netty currently just skips control chars when these are present at the beginning / end of the header name. We should better fail fast as these are not allowed by the spec and could lead to HTTP request smuggling.
Failing to do the validation might cause netty to “sanitize” header names before it forward these to another remote system when used as proxy. This remote system can’t see the invalid usage anymore and so not do the validation itself.
CPE | Name | Operator | Version |
---|---|---|---|
io.netty:netty | lt | 4.0.0 | |
org.jboss.netty:netty | lt | 4.0.0 | |
io.netty:netty-codec-http | lt | 4.1.71.Final |
github.com/advisories/GHSA-wx5j-54mm-rqqq
github.com/netty/netty/commit/07aa6b5938a8b6ed7a6586e066400e2643897323
github.com/netty/netty/pull/11891
github.com/netty/netty/security/advisories/GHSA-wx5j-54mm-rqqq
lists.debian.org/debian-lts-announce/2023/01/msg00008.html
nvd.nist.gov/vuln/detail/CVE-2021-43797
security.netapp.com/advisory/ntap-20220107-0003/
www.debian.org/security/2023/dsa-5316
www.oracle.com/security-alerts/cpuapr2022.html
www.oracle.com/security-alerts/cpujul2022.html
6.5 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
0.002 Low
EPSS
Percentile
61.7%