CVE-2021-43797

Published: Dic 09, 2021 Last Modified: Nov 21, 2024 EU-VD ID: EUVD-2021-2607 Aliases: GHSA-wx5j-54mm-rqqq
ExploitDB:
Other exploit source:
Google Dorks:
MEDIUM 6,5
Source: [email protected]
Attack Vector: network
Attack Complexity: low
Privileges Required: none
User Interaction: required
Scope: unchanged
Confidentiality: none
Integrity: high
Availability: none
MEDIUM 4,3
Source: [email protected]
Access Vector: network
Access Complexity: medium
Authentication: none
Confidentiality: none
Integrity: partial
Availability: none

Description

AI Translation Available

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Netty prior to version 4.1.71.Final skips control chars when they are present at the beginning / end of the header name. It should instead fail fast as these are not allowed by the spec and could lead to HTTP request smuggling. Failing to do the validation might cause netty to 'sanitize' header names before it forward these to another remote system when used as proxy. This remote system can't see the invalid usage anymore, and therefore does not do the validation itself. Users should upgrade to version 4.1.71.Final.

EPSS (Exploit Prediction Scoring System)

Trend Analysis

EPSS (Exploit Prediction Scoring System)

Prevede la probabilità di sfruttamento basata su intelligence sulle minacce e sulle caratteristiche della vulnerabilità.

EPSS Score
0,0042
Percentile
0,6th
Updated

EPSS Score Trend (Last 90 Days)

444

Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

Incomplete
Abstraction: Base Structure: Simple
Common Consequences
Security Scopes Affected:
Integrity Non-Repudiation Access Control
Potential Impacts:
Unexpected State Hide Activities Bypass Protection Mechanism
Applicable Platforms
Technologies: Web Based, Web Server
View CWE Details
Operating System

Debian Linux by Debian

Product Information
Vendor Debian
Product Debian Linux
Version 10.0
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Communications Cloud Native Core Binding Support Function by Oracle

Product Information
Vendor Oracle
Product Communications Cloud Native Core Binding Support Function
Version 1.11.0
cpe:2.3:a:oracle:communications_cloud_native_core_binding_support_function:1.11.0:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Banking Platform by Oracle

Product Information
Vendor Oracle
Product Banking Platform
Version 2.6.2
cpe:2.3:a:oracle:banking_platform:2.6.2:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Coherence by Oracle

Product Information
Vendor Oracle
Product Coherence
Version 12.2.1.4.0
cpe:2.3:a:oracle:coherence:12.2.1.4.0:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Communications Cloud Native Core Network Slice Selection Function by Oracle

Product Information
Vendor Oracle
Product Communications Cloud Native Core Network Slice Selection Function
Version 1.8.0
cpe:2.3:a:oracle:communications_cloud_native_core_network_slice_selection_function:1.8.0:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Communications Instant Messaging Server by Oracle

Product Information
Vendor Oracle
Product Communications Instant Messaging Server
Version 8.1
cpe:2.3:a:oracle:communications_instant_messaging_server:8.1:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Helidon by Oracle

Product Information
Vendor Oracle
Product Helidon
Version 1.4.10
cpe:2.3:a:oracle:helidon:1.4.10:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Oncommand Workflow Automation by Netapp

Product Information
Vendor Netapp
Product Oncommand Workflow Automation
Version -
cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Coherence by Oracle

Product Information
Vendor Oracle
Product Coherence
Version 14.1.1.0.0
cpe:2.3:a:oracle:coherence:14.1.1.0.0:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Quarkus by Quarkus

Product Information
Vendor Quarkus
Product Quarkus
Version Range Affected
To 2.5.3 (exclusive)
cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Helidon by Oracle

Product Information
Vendor Oracle
Product Helidon
Version 2.4.0
cpe:2.3:a:oracle:helidon:2.4.0:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Communications Design Studio by Oracle

Product Information
Vendor Oracle
Product Communications Design Studio
Version 7.4.2
cpe:2.3:a:oracle:communications_design_studio:7.4.2:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Communications Cloud Native Core Policy by Oracle

Product Information
Vendor Oracle
Product Communications Cloud Native Core Policy
Version 1.15.0
cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.15.0:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Communications Cloud Native Core Security Edge Protection Proxy by Oracle

Product Information
Vendor Oracle
Product Communications Cloud Native Core Security Edge Protection Proxy
Version 1.7.0
cpe:2.3:a:oracle:communications_cloud_native_core_security_edge_protection_proxy:1.7.0:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Snapcenter by Netapp

Product Information
Vendor Netapp
Product Snapcenter
Version -
cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Banking Party Management by Oracle

Product Information
Vendor Oracle
Product Banking Party Management
Version 2.7.0
cpe:2.3:a:oracle:banking_party_management:2.7.0:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Communications Cloud Native Core Unified Data Repository by Oracle

Product Information
Vendor Oracle
Product Communications Cloud Native Core Unified Data Repository
Version 1.15.0
cpe:2.3:a:oracle:communications_cloud_native_core_unified_data_repository:1.15.0:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Peoplesoft Enterprise Peopletools by Oracle

Product Information
Vendor Oracle
Product Peoplesoft Enterprise Peopletools
Version 8.59
cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.59:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Peoplesoft Enterprise Peopletools by Oracle

Product Information
Vendor Oracle
Product Peoplesoft Enterprise Peopletools
Version 8.58
cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Banking Deposits And Lines Of Credit Servicing by Oracle

Product Information
Vendor Oracle
Product Banking Deposits And Lines Of Credit Servicing
Version 2.7
cpe:2.3:a:oracle:banking_deposits_and_lines_of_credit_servicing:2.7:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Netty by Netty

Product Information
Vendor Netty
Product Netty
Version Range Affected
To 4.1.71 (exclusive)
cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Operating System

Debian Linux by Debian

Product Information
Vendor Debian
Product Debian Linux
Version 11.0
cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
https://github.com/netty/netty/commit/07aa6b5938a8b6ed7a658…
Patch Third Party Advisory
https://github.com/netty/netty/commit/07aa6b5938a8b6ed7a6586e066400e2643897323
https://github.com/netty/netty/security/advisories/GHSA-wx5…
Third Party Advisory
https://github.com/netty/netty/security/advisories/GHSA-wx5j-54mm-rqqq
https://lists.debian.org/debian-lts-announce/2023/01/msg000…
Mailing List Third Party Advisory
https://lists.debian.org/debian-lts-announce/2023/01/msg00008.html
https://security.netapp.com/advisory/ntap-20220107-0003/
Third Party Advisory
https://security.netapp.com/advisory/ntap-20220107-0003/
https://www.debian.org/security/2023/dsa-5316
Third Party Advisory
https://www.debian.org/security/2023/dsa-5316
https://www.oracle.com/security-alerts/cpuapr2022.html
Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.html
https://www.oracle.com/security-alerts/cpujul2022.html
Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2022.html
https://github.com/netty/netty/commit/07aa6b5938a8b6ed7a658…
Patch Third Party Advisory
https://github.com/netty/netty/commit/07aa6b5938a8b6ed7a6586e066400e2643897323
https://github.com/netty/netty/security/advisories/GHSA-wx5…
Third Party Advisory
https://github.com/netty/netty/security/advisories/GHSA-wx5j-54mm-rqqq
https://lists.debian.org/debian-lts-announce/2023/01/msg000…
Mailing List Third Party Advisory
https://lists.debian.org/debian-lts-announce/2023/01/msg00008.html
https://security.netapp.com/advisory/ntap-20220107-0003/
Third Party Advisory
https://security.netapp.com/advisory/ntap-20220107-0003/
https://www.debian.org/security/2023/dsa-5316
Third Party Advisory
https://www.debian.org/security/2023/dsa-5316
https://www.oracle.com/security-alerts/cpuapr2022.html
Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.html
https://www.oracle.com/security-alerts/cpujul2022.html
Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2022.html