GHSA-f256-j965-7f32

Source

https://github.com/advisories/GHSA-f256-j965-7f32

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/03/GHSA-f256-j965-7f32/GHSA-f256-j965-7f32.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-f256-j965-7f32

Aliases

Related

CGA-494w-f4g6-835m

Published

2021-03-30T15:10:38Z

Modified

2024-08-01T07:13:04.232041Z

Severity

5.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS Calculator

Summary

Possible request smuggling in HTTP/2 due missing validation of content-length

Details

Impact

The content-length header is not correctly validated if the request only use a single Http2HeaderFrame with the endStream set to to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1

This is a followup of https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj which did miss to fix this one case.

Patches

This was fixed as part of 4.1.61.Final

Workarounds

Validation can be done by the user before proxy the request by validating the header.

References

Affected packages

Maven / io.netty:netty-codec-http2

Package

Name: io.netty:netty-codec-http2; View open source insights on deps.dev
Purl: pkg:maven/io.netty/netty-codec-http2

Affected ranges

Type: ECOSYSTEM
Events: Introduced

4.0.0

Fixed

4.1.61.Final

Affected versions

4.*

4.1.0.Beta4

4.1.0.Beta5

4.1.0.Beta6

4.1.0.Beta7

4.1.0.Beta8

4.1.0.CR1

4.1.0.CR2

4.1.0.CR3

4.1.0.CR4

4.1.0.CR5

4.1.0.CR6

4.1.0.CR7

4.1.0.Final

4.1.1.Final

4.1.2.Final

4.1.3.Final

4.1.4.Final

4.1.5.Final

4.1.6.Final

4.1.7.Final

4.1.8.Final

4.1.9.Final

4.1.10.Final

4.1.11.Final

4.1.12.Final

4.1.13.Final

4.1.14.Final

4.1.15.Final

4.1.16.Final

4.1.17.Final

4.1.18.Final

4.1.19.Final

4.1.20.Final

4.1.21.Final

4.1.22.Final

4.1.23.Final

4.1.24.Final

4.1.25.Final

4.1.26.Final

4.1.27.Final

4.1.28.Final

4.1.29.Final

4.1.30.Final

4.1.31.Final

4.1.32.Final

4.1.33.Final

4.1.34.Final

4.1.35.Final

4.1.36.Final

4.1.37.Final

4.1.38.Final

4.1.39.Final

4.1.40.Final

4.1.41.Final

4.1.42.Final

4.1.43.Final

4.1.44.Final

4.1.45.Final

4.1.46.Final

4.1.47.Final

4.1.48.Final

4.1.49.Final

4.1.50.Final

4.1.51.Final

4.1.52.Final

4.1.53.Final

4.1.54.Final

4.1.55.Final

4.1.56.Final

4.1.57.Final

4.1.58.Final

4.1.59.Final

4.1.60.Final

Maven / org.jboss.netty:netty

Package

Name: org.jboss.netty:netty; View open source insights on deps.dev
Purl: pkg:maven/org.jboss.netty/netty

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

3.*

3.0.0.CR1

3.0.0.CR2

3.0.0.CR3

3.0.0.CR4

3.0.0.CR5

3.0.0.GA

3.0.1.GA

3.0.2.GA

3.1.0.ALPHA1

3.1.0.ALPHA2

3.1.0.ALPHA3

3.1.0.ALPHA4

3.1.0.BETA1

3.1.0.BETA2

3.1.0.BETA3

3.1.0.CR1

3.1.0.GA

3.1.1.GA

3.1.2.GA

3.1.3.GA

3.1.4.GA

3.1.5.GA

3.2.0.ALPHA1

3.2.0.ALPHA2

3.2.0.ALPHA3

3.2.0.ALPHA4

3.2.0.BETA1

3.2.0.CR1

3.2.0.Final

3.2.1.Final

3.2.2.Final

3.2.3.Final

3.2.4.Final

3.2.5.Final

3.2.6.Final

3.2.7.Final

3.2.8.Final

3.2.9.Final

3.2.10.Final

Database specific

{
    "last_known_affected_version_range": "< 4.0.0"
}

Maven / io.netty:netty

Package

Name: io.netty:netty; View open source insights on deps.dev
Purl: pkg:maven/io.netty/netty

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

3.*

3.3.0.Final

3.3.1.Final

3.4.0.Alpha1

3.4.0.Alpha2

3.4.0.Beta1

3.4.0.Final

3.4.1.Final

3.4.2.Final

3.4.3.Final

3.4.4.Final

3.4.5.Final

3.4.6.Final

3.5.0.Beta1

3.5.0.Final

3.5.1.Final

3.5.2.Final

3.5.3.Final

3.5.4.Final

3.5.5.Final

3.5.6.Final

3.5.7.Final

3.5.8.Final

3.5.9.Final

3.5.10.Final

3.5.11.Final

3.5.12.Final

3.5.13.Final

3.6.0.Beta1

3.6.0.Final

3.6.1.Final

3.6.2.Final

3.6.3.Final

3.6.4.Final

3.6.5.Final

3.6.6.Final

3.6.7.Final

3.6.8.Final

3.6.9.Final

3.6.10.Final

3.7.0.Final

3.7.1.Final

3.8.0.Final

3.8.1.Final

3.8.2.Final

3.8.3.Final

3.9.0.Final

3.9.1.Final

3.9.1.1.Final

3.9.2.Final

3.9.3.Final

3.9.4.Final

3.9.5.Final

3.9.6.Final

3.9.7.Final

3.9.8.Final

3.9.9.Final

3.10.0.Final

3.10.1.Final

3.10.2.Final

3.10.3.Final

3.10.4.Final

3.10.5.Final

3.10.6.Final

4.*

4.0.0.Alpha1

4.0.0.Alpha2

4.0.0.Alpha3

4.0.0.Alpha4

4.0.0.Alpha5

4.0.0.Alpha6

4.0.0.Alpha7

4.0.0.Alpha8

Database specific

{
    "last_known_affected_version_range": "< 4.0.0"
}