CVE-2021-21409

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with the endStream set to to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a followup of GHSA-wm47-8v5p-wjpj/CVE-2021-21295 which did miss to fix this one case. This was fixed as part of 4.1.61.Final.

Published: Mar 30, 2021
Updated: Nov 8, 2023
CVE: CVE-2021-21409
GHSA: GHSA-f256-j965-7f32
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 5.9
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

CVSS v2:

Severity: Low
Score: 4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N

CWEs:

CWE-444

Affected Software
References

Software	From	Fixed in
netty / netty	-	4.1.61
debian / debian_linux	10.0	10.0.x
oracle / coherence	12.2.1.4.0	12.2.1.4.0.x
oracle / coherence	14.1.1.0.0	14.1.1.0.0.x
oracle / banking_trade_finance_process_management	14.3.0	14.3.0.x
oracle / banking_credit_facilities_process_management	14.3.0	14.3.0.x
oracle / banking_corporate_lending_process_management	14.3.0	14.3.0.x
oracle / primavera_gateway	19.12.0	19.12.10.x
oracle / primavera_gateway	18.8.0	18.8.11.x
oracle / primavera_gateway	17.12.0	17.12.11.x
oracle / banking_trade_finance_process_management	14.5.0	14.5.0.x
oracle / banking_credit_facilities_process_management	14.2.0	14.2.0.x
oracle / banking_credit_facilities_process_management	14.5.0	14.5.0.x
oracle / banking_corporate_lending_process_management	14.2.0	14.2.0.x
oracle / banking_corporate_lending_process_management	14.5.0	14.5.0.x
oracle / banking_trade_finance_process_management	14.2.0	14.2.0.x
oracle / communications_messaging_server	8.1	8.1.x
oracle / communications_brm_-_elastic_charging_engine	12.0.0.3	12.0.0.3.x
oracle / communications_design_studio	7.4.2.0.0	7.4.2.0.0.x
oracle / communications_cloud_native_core_console	1.7.0	1.7.0.x
oracle / nosql_database	-	21.1.12
oracle / communications_cloud_native_core_policy	1.14.0	1.14.0.x
oracle / helidon	2.4.0	2.4.0.x
oracle / helidon	1.4.10	1.4.10.x
oracle / jd_edwards_enterpriseone_tools	-	9.2.6.3
quarkus / quarkus	-	1.13.7.x
io.netty / netty-codec-http2	-	4.1.61.Final

Vulnerability Database

289,571

CVE-2021-21409