HTTP Request Smuggling in Netty
High severity
GitHub Reviewed
Published
Feb 21, 2020
to the GitHub Advisory Database
•
Updated Feb 1, 2023
Package
Affected versions
>= 4.1.43, <= 4.1.44
Patched versions
4.1.45
Description
Published by the National Vulnerability Database
Jan 27, 2020
Reviewed
Feb 20, 2020
Published to the GitHub Advisory Database
Feb 21, 2020
Last updated
Feb 1, 2023
Netty 4.1.43.Final allows HTTP Request Smuggling because it mishandles Transfer-Encoding whitespace (such as a [space]Transfer-Encoding:chunked line) and a later Content-Length header. This issue exists because of an incomplete fix for CVE-2019-16869.
References