Red Hat CVE database (redhat.com): RH:CVE-2019-20444
History: Jul 18, 2021 - 12:29 a.m.

CVE-2019-20444

Published: 2021-07-18 00:29:58
Source: redhat.com (access.redhat.com)
Tags: http smuggling, httpobjectdecoder, netty, data integrity, mitigation, http/2, backend connections, haproxy

EPSS: 0.012

Percentile: 85.6%

An HTTP smuggling flaw was found in HttpObjectDecoder.java in Netty in versions prior to 4.1.44. HTTP headers with an invalid fold, that is a CRLF (carriage return, line feed) that is not followed by SP (space) or HTAB (horizontal tab), can cause headers to be misread. Data integrity is the highest threat from this vulnerability.
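As an added illustration (not code from Red Hat or from the Netty project), the Python parser below shows the behaviour a decoder needs so that both ends of a connection agree on where a header ends: it accepts a legitimate obs-fold (a continuation line starting with SP or HTAB) but fails the whole header block on the invalid fold this CVE describes instead of guessing. The two header blocks are constructed for this example.

```python
import re
from typing import List, Tuple

# Constructed sample: a legitimate obs-fold (continuation line begins with SP).
VALID_BLOCK = (
    b"Host: example.test\r\n"
    b"X-Long: part one\r\n"
    b" part two\r\n"           # valid obs-fold: CRLF followed by SP
    b"Content-Length: 0\r\n"
    b"\r\n"
)

# Constructed sample: CRLF followed by neither SP/HTAB nor a "name:" field.
INVALID_FOLD_BLOCK = (
    b"Host: example.test\r\n"
    b"X-Broken: value\r\n"
    b"not-a-header-line\r\n"   # the invalid fold the CVE text describes
    b"\r\n"
)

# RFC 7230 tchar set for a field-name token.
TOKEN = re.compile(rb"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")


def parse_headers_strict(block: bytes) -> List[Tuple[bytes, bytes]]:
    """Parse a CRLF-terminated header block; raise ValueError on any line
    that is neither a valid field line nor an SP/HTAB continuation."""
    headers: List[Tuple[bytes, bytes]] = []
    field_section = block.split(b"\r\n\r\n", 1)[0]
    for line in field_section.split(b"\r\n"):
        if b"\r" in line or b"\n" in line:          # bare CR/LF is not a line end
            raise ValueError(f"bare CR or LF in header line: {line!r}")
        if line[:1] in (b" ", b"\t"):               # obs-fold continuation
            if not headers:
                raise ValueError("continuation line before any header field")
            name, value = headers[-1]
            headers[-1] = (name, value + b" " + line.strip())
            continue
        name, sep, value = line.partition(b":")
        if not sep or not TOKEN.match(name):
            raise ValueError(f"invalid header line (bad fold?): {line!r}")
        headers.append((name.lower(), value.strip()))
    return headers


def has_invalid_fold(block: bytes) -> bool:
    """Detection helper: True if the block would be rejected by the strict parser."""
    try:
        parse_headers_strict(block)
        return False
    except ValueError:
        return True
```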

Mitigation

  • Use HTTP/2 instead (clear boundaries between requests)

  • Disable reuse of backend connections, e.g.

    http-reuse never

    in HAProxy, or the equivalent setting in whatever load balancer is in use