Page 4 of 21 results (0.015 seconds)

CVSS: 7.5EPSS: 0%CPEs: 10EXPL: 1

CVE-2020-7238 – netty: HTTP Request Smuggling due to Transfer-Encoding whitespace mishandling

https://notcve.org/view.php?id=CVE-2020-7238

Netty 4.1.43.Final allows HTTP Request Smuggling because it mishandles Transfer-Encoding whitespace (such as a [space]Transfer-Encoding:chunked line) and a later Content-Length header. This issue exists because of an incomplete fix for CVE-2019-16869. Netty versión 4.1.43.Final, permite el tráfico no autorizado de peticiones HTTP porque maneja inapropiadamente el espacio en blanco de Transfer-Encoding (tal y como una línea [space]Transfer-Encoding:chunked) y un encabezado Content-Length posterior. Este problema existe debido a una corrección incompleta para el CVE-2019-16869. A flaw was found in Netty, where it mishandles Transfer-Encoding whitespace. • https://access.redhat.com/errata/RHSA-2020:0497 https://access.redhat.com/errata/RHSA-2020:0567 https://access.redhat.com/errata/RHSA-2020:0601 https://access.redhat.com/errata/RHSA-2020:0605 https://access.redhat.com/errata/RHSA-2020:0606 https://access.redhat.com/errata/RHSA-2020:0804 https://access.redhat.com/errata/RHSA-2020:0805 https://access.redhat.com/errata/RHSA-2020:0806 https://access.redhat.com/errata/RHSA-2020:0811 https://github.com/jdordonezn/CVE-2020&# • CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') •

CVSS: 7.5EPSS: 1%CPEs: 11EXPL: 1

CVE-2019-16869 – netty: HTTP request smuggling by mishandled whitespace before the colon in HTTP headers

https://notcve.org/view.php?id=CVE-2019-16869

Netty before 4.1.42.Final mishandles whitespace before the colon in HTTP headers (such as a "Transfer-Encoding : chunked" line), which leads to HTTP request smuggling. Netty versiones anteriores a 4.1.42.Final, maneja inapropiadamente los espacios en blanco antes de los dos puntos en los encabezados HTTP (tal y como una línea "Transfer-Encoding : chunked"), lo que conlleva al tráfico no autorizado de peticiones HTTP. A flaw was found in Netty, where whitespace before the colon in HTTP headers is mishandled. This flaw allows an attacker to cause HTTP request smuggling. • https://access.redhat.com/errata/RHSA-2019:3892 https://access.redhat.com/errata/RHSA-2019:3901 https://access.redhat.com/errata/RHSA-2020:0159 https://access.redhat.com/errata/RHSA-2020:0160 https://access.redhat.com/errata/RHSA-2020:0161 https://access.redhat.com/errata/RHSA-2020:0164 https://access.redhat.com/errata/RHSA-2020:0445 https://github.com/netty/netty/compare/netty-4.1.41.Final...netty-4.1.42.Final https://github.com/netty/netty/issues/9571 https& • CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') •

CVSS: 7.5EPSS: 0%CPEs: 110EXPL: 0

CVE-2015-2156

https://notcve.org/view.php?id=CVE-2015-2156

Netty before 3.9.8.Final, 3.10.x before 3.10.3.Final, 4.0.x before 4.0.28.Final, and 4.1.x before 4.1.0.Beta5 and Play Framework 2.x before 2.3.9 might allow remote attackers to bypass the httpOnly flag on cookies and obtain sensitive information by leveraging improper validation of cookie name and value characters. Netty en versiones anteriores a la 3.9.8.Final, 3.10.x anteriores a la 3.10.3.Final, 4.0.x anteriores a la 4.0.28.Final y 4.1.x anteriores a la 4.1.0.Beta5 y Play Framework 2.x en versiones anteriores a la 2.3.9 podría permitir que atacantes remotos omitan el indicador httpOnly en las cookies y obtengan información sensible aprovechando la validación incorrecta del nombre de la cookie y los caracteres del valor. • http://lists.fedoraproject.org/pipermail/package-announce/2015-June/159379.html http://lists.fedoraproject.org/pipermail/package-announce/2015-May/159166.html http://netty.io/news/2015/05/08/3-9-8-Final-and-3.html http://www.openwall.com/lists/oss-security/2015/05/17/1 http://www.securityfocus.com/bid/74704 https://bugzilla.redhat.com/show_bug.cgi?id=1222923 https://github.com/netty/netty/pull/3754 https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d • CWE-20: Improper Input Validation •

CVSS: 7.8EPSS: 1%CPEs: 5EXPL: 0

CVE-2016-4970 – netty: Infinite loop vulnerability when handling renegotiation using SslProvider.OpenSsl

https://notcve.org/view.php?id=CVE-2016-4970

handler/ssl/OpenSslEngine.java in Netty 4.0.x before 4.0.37.Final and 4.1.x before 4.1.1.Final allows remote attackers to cause a denial of service (infinite loop). handler/ssl/OpenSslEngine.java en Netty 4.0.x en versiones anteriores a 4.0.37.Final y 4.1.x en versiones anteriores a 4.1.1.Final permite a los atacantes remotos provocar una denegación de servicio (bucle infinito). • http://netty.io/news/2016/06/07/4-0-37-Final.html http://netty.io/news/2016/06/07/4-1-1-Final.html http://rhn.redhat.com/errata/RHSA-2017-0179.html http://rhn.redhat.com/errata/RHSA-2017-1097.html http://www.securityfocus.com/bid/96540 https://bugzilla.redhat.com/show_bug.cgi?id=1343616 https://github.com/netty/netty/pull/5364 https://lists.apache.org/thread.html/afaa5860e3a6d327eb96c3d82cbd2f5996de815a16854ed1ad310144%40%3Ccommits.cassandra.apache.org%3E https://wiki • CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') •

CVSS: 5.0EPSS: 1%CPEs: 15EXPL: 1

CVE-2014-3488

https://notcve.org/view.php?id=CVE-2014-3488

The SslHandler in Netty before 3.9.2 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted SSLv2Hello message. SslHandler en Netty anterior a 3.9.2 permite a atacantes remotos causar una denegación de servicio (bucle infinito y consumo de CPU) a través de un mensaje SSLv2Hello manipulado. • http://netty.io/news/2014/06/11/3-9-2-Final.html http://secunia.com/advisories/59196 https://github.com/netty/netty/commit/2fa9400a59d0563a66908aba55c41e7285a04994 https://github.com/netty/netty/issues/2562 https://lists.debian.org/debian-lts-announce/2020/02/msg00018.html • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •