Netty 4.1.43.Final allows HTTP Request Smuggling because it mishandles Transfer-Encoding whitespace (such as a [space]Transfer-Encoding:chunked line) and a later Content-Length header. This issue exists because of an incomplete fix for CVE-2019-16869.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:L/Au:N/C:N/I:P/A:N
Vendors Products
Netty
  • Netty
Redhat
  • Openshift Application Runtimes Text-only Advisories
  • Jboss Enterprise Application Platform
  • Jboss Enterprise Application Platform Text-only Advisories
Fedoraproject
  • Fedora
Debian
  • Debian Linux

Configuration 1 [-]

cpe:2.3:a:netty:netty:4.1.43:*:*:*:*:*:*:*

Configuration 2 [-]

cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*

Configuration 3 [-]

OR cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

Configuration 4 [-]

OR cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.2:*:*:*:*:*:*:*
cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.3:*:*:*:*:*:*:*
cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.4:*:*:*:*:*:*:*
cpe:2.3:a:redhat:jboss_enterprise_application_platform_text-only_advisories:-:*:*:*:*:*:*:*
cpe:2.3:a:redhat:openshift_application_runtimes_text-only_advisories:-:*:*:*:*:*:*:*
References
Link Resource
https://access.redhat.com/errata/RHSA-2020:0497 Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0567 Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0601 Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0605 Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0606 Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0804 Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0805 Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0806 Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0811 Third Party Advisory
https://github.com/jdordonezn/CVE-2020-72381/issues/1 Exploit Third Party Advisory
https://lists.apache.org/thread.html/r131e572d003914843552fa45c4398b9903fb74144986e8b107c0a3a7%40%3Ccommits.cassandra.apache.org%3E
https://lists.apache.org/thread.html/rc8d554aad889d12b140d9fd7d2d6fc2e8716e9792f6f4e4b2cdc2d05%40%3Ccommits.cassandra.apache.org%3E
https://lists.debian.org/debian-lts-announce/2020/02/msg00017.html Mailing List Third Party Advisory
https://lists.debian.org/debian-lts-announce/2020/02/msg00018.html Mailing List Third Party Advisory
https://lists.debian.org/debian-lts-announce/2020/09/msg00003.html Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TS6VX7OMXPDJIU5LRGUAHRK6MENAVJ46/
https://netty.io/news/ Vendor Advisory
https://www.debian.org/security/2021/dsa-4885 Third Party Advisory
History

No history.

cve-icon MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2020-01-27T16:43:44

Updated: 2021-05-26T16:06:13

Reserved: 2020-01-20T00:00:00

Link: CVE-2020-7238

JSON object: View

cve-icon NVD Information

Status : Modified

Published: 2020-01-27T17:15:12.277

Modified: 2023-11-07T03:25:43.583

Link: CVE-2020-7238

JSON object: View

cve-icon Redhat Information

No data.

CWE