CVE-2020-7238

Netty 4.1.43.Final allows HTTP Request Smuggling because it mishandles Transfer-Encoding whitespace (such as a [space]Transfer-Encoding:chunked line) and a later Content-Length header. This issue exists because of an incomplete fix for CVE-2019-16869.
HTTP Request/Response Smuggling
Severity
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Atk. Vector
NETWORK
Atk. Complexity
LOW
Priv. Required
NONE
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
VendorProductVersion
nettynetty
4.1.43
debiandebian_linux
8.0
debiandebian_linux
9.0
debiandebian_linux
10.0
redhatjboss_enterprise_application_platform
7.2
redhatjboss_enterprise_application_platform
7.3
redhatjboss_enterprise_application_platform
7.4
redhatjboss_enterprise_application_platform_text-only_advisories
-
redhatopenshift_application_runtimes_text-only_advisories
-
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
netty
bullseye (security)
1:4.1.48-4+deb11u2
fixed
bullseye
1:4.1.48-4+deb11u2
fixed
stretch
not-affected
bookworm
1:4.1.48-7+deb12u1
fixed
bookworm (security)
1:4.1.48-7+deb12u1
fixed
sid
1:4.1.48-10
fixed
trixie
1:4.1.48-10
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
netty
noble
not-affected
mantic
not-affected
lunar
not-affected
kinetic
not-affected
jammy
not-affected
impish
not-affected
hirsute
not-affected
groovy
not-affected
focal
not-affected
eoan
ignored
bionic
needs-triage
xenial
needs-triage
trusty
Fixed 1:3.2.6.Final-2+deb8u2build0.14.04.1~esm1
released
netty-3.9
noble
dne
mantic
dne
lunar
dne
kinetic
dne
jammy
dne
impish
dne
hirsute
dne
groovy
dne
focal
dne
eoan
dne
bionic
not-affected
xenial
Fixed 3.9.0.Final-1ubuntu0.1
released
trusty
dne