6.5 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
0.002 Low
EPSS
Percentile
61.7%
Netty is an asynchronous event-driven network application framework for
rapid development of maintainable high performance protocol servers &
clients. Netty prior to version 4.1.71.Final skips control chars when they
are present at the beginning / end of the header name. It should instead
fail fast as these are not allowed by the spec and could lead to HTTP
request smuggling. Failing to do the validation might cause netty to
“sanitize” header names before it forward these to another remote system
when used as proxy. This remote system can’t see the invalid usage anymore,
and therefore does not do the validation itself. Users should upgrade to
version 4.1.71.Final.
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
ubuntu | 18.04 | noarch | netty | < 1:4.1.7-4ubuntu0.1+esm2 | UNKNOWN |
ubuntu | 20.04 | noarch | netty | < 1:4.1.45-1ubuntu0.1~esm1 | UNKNOWN |
ubuntu | 22.04 | noarch | netty | < 1:4.1.48-4+deb11u1build0.22.04.1 | UNKNOWN |
ubuntu | 22.10 | noarch | netty | < 1:4.1.48-5ubuntu0.1 | UNKNOWN |
ubuntu | 23.10 | noarch | netty | < any | UNKNOWN |
ubuntu | 14.04 | noarch | netty | < any | UNKNOWN |
ubuntu | 16.04 | noarch | netty | < 1:4.0.34-1ubuntu0.1~esm1 | UNKNOWN |
github.com/netty/netty/commit/07aa6b5938a8b6ed7a6586e066400e2643897323
github.com/netty/netty/commit/07aa6b5938a8b6ed7a6586e066400e2643897323 (netty-4.1.71.Final)
github.com/netty/netty/security/advisories/GHSA-wx5j-54mm-rqqq
launchpad.net/bugs/cve/CVE-2021-43797
nvd.nist.gov/vuln/detail/CVE-2021-43797
security-tracker.debian.org/tracker/CVE-2021-43797
ubuntu.com/security/notices/USN-6049-1
www.cve.org/CVERecord?id=CVE-2021-43797
6.5 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
0.002 Low
EPSS
Percentile
61.7%