CVE-2021-21409 – io.netty:netty-codec-http2
Package
Manager: maven
Name: io.netty:netty-codec-http2
Vulnerable Version: >=4.0.0 <4.1.61.final
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
EPSS: 0.04983 (percentile 0.8928)
Details
Possible request smuggling in HTTP/2 due to missing validation of Content-Length
Impact
The Content-Length header is not correctly validated if the request uses only a single Http2HeadersFrame with endStream set to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a follow-up of https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj, which missed fixing this one case.
Patches
This was fixed as part of 4.1.61.Final.
Workarounds
Validation can be done by the user before proxying the request, by validating the header.
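The workaround above, as an added example (this is not Netty's own fix and not code from the advisory): a hypothetical channel handler named ContentLengthGuardHandler that is assumed to sit in the per-stream pipeline behind Http2MultiplexHandler, ahead of whatever translates the stream to HTTP/1.1 and forwards it. The security-relevant case is exactly the one the advisory names: a request that arrives as one HEADERS frame with END_STREAM set has an empty body, so a Content-Length other than 0 is a framing mismatch. The handler resets such streams (and streams whose Content-Length is malformed or repeated) instead of forwarding them.

```java
import java.util.List;

import io.netty.channel.ChannelHandlerContext;
import io.netty.channel.ChannelInboundHandlerAdapter;
import io.netty.handler.codec.http.HttpHeaderNames;
import io.netty.handler.codec.http2.DefaultHttp2ResetFrame;
import io.netty.handler.codec.http2.Http2Error;
import io.netty.handler.codec.http2.Http2HeadersFrame;

/**
 * Hypothetical pre-proxy guard (added example, not Netty's fix in 4.1.61.Final).
 * Assumed placement: the child-channel pipeline created by Http2MultiplexHandler,
 * before the HTTP/2 -> HTTP/1.1 translation step that feeds the upstream proxy.
 */
public final class ContentLengthGuardHandler extends ChannelInboundHandlerAdapter {

    @Override
    public void channelRead(ChannelHandlerContext ctx, Object msg) throws Exception {
        if (msg instanceof Http2HeadersFrame) {
            Http2HeadersFrame frame = (Http2HeadersFrame) msg;
            if (!headersConsistentWithBody(frame)) {
                // Refuse the stream before any HTTP/1.1 translation can see it.
                ctx.writeAndFlush(new DefaultHttp2ResetFrame(Http2Error.PROTOCOL_ERROR)
                        .stream(frame.stream()));
                return;
            }
        }
        ctx.fireChannelRead(msg);
    }

    /**
     * True when the Content-Length header (if any) agrees with what the frame says
     * about the body. Only the single-HEADERS-frame / END_STREAM case is decided
     * here: when DATA frames are still to come, the downstream codec compares the
     * declared length against the bytes actually received.
     */
    static boolean headersConsistentWithBody(Http2HeadersFrame frame) {
        List<CharSequence> declared = frame.headers().getAll(HttpHeaderNames.CONTENT_LENGTH);
        if (declared.isEmpty()) {
            return true;                 // nothing declared, nothing to contradict
        }
        if (declared.size() > 1) {
            return false;                // duplicated Content-Length: ambiguous framing
        }
        Long length = parseContentLength(declared.get(0));
        if (length == null) {
            return false;                // malformed value: never forward it
        }
        if (frame.isEndStream()) {
            return length == 0;          // empty body must be declared as 0
        }
        return true;
    }

    /** Strict parse: ASCII digits only, no sign, no whitespace, no comma-separated lists. */
    static Long parseContentLength(CharSequence value) {
        if (value.length() == 0 || value.length() > 18) {
            return null;                 // empty or too long to be a sane length
        }
        long result = 0;
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            if (c < '0' || c > '9') {
                return null;
            }
            result = result * 10 + (c - '0');
        }
        return result;
    }
}
```

The check is deliberately strict: a Content-Length that does not parse as a single run of digits, or that appears more than once, is rejected outright rather than being forwarded for the HTTP/1.1 side to interpret, since disagreement between two parsers about message framing is the root of CWE-444. On 4.1.61.Final and later the codec performs this validation itself, so the handler is only needed on the vulnerable range.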
Metadata
Created: 2021-03-30T15:10:38Z
Modified: 2022-02-08T21:31:25Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/03/GHSA-f256-j965-7f32/GHSA-f256-j965-7f32.json
CWE IDs: ["CWE-444"]
Alternative ID: GHSA-f256-j965-7f32
Finding: F110
Auto approve: 1