// For flags

CVE-2020-7238

netty: HTTP Request Smuggling due to Transfer-Encoding whitespace mishandling

Severity Score

7.5
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

1
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

Netty 4.1.43.Final allows HTTP Request Smuggling because it mishandles Transfer-Encoding whitespace (such as a [space]Transfer-Encoding:chunked line) and a later Content-Length header. This issue exists because of an incomplete fix for CVE-2019-16869.

Netty versión 4.1.43.Final, permite el tráfico no autorizado de peticiones HTTP porque maneja inapropiadamente el espacio en blanco de Transfer-Encoding (tal y como una línea [space]Transfer-Encoding:chunked) y un encabezado Content-Length posterior. Este problema existe debido a una corrección incompleta para el CVE-2019-16869.

A flaw was found in Netty, where it mishandles Transfer-Encoding whitespace. This flaw allows HTTP Request Smuggling.

Red Hat Decision Manager is an open source decision management platform that combines business rules management, complex event processing, Decision Model & Notation execution, and Business Optimizer for solving planning problems. It automates business decisions and makes that logic available to the entire business. This release of Red Hat Decision Manager 7.8.0 serves as an update to Red Hat Decision Manager 7.7.1, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Issues addressed include HTTP request smuggling and cross site scripting vulnerabilities.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None
Attack Vector
Network
Attack Complexity
Low
Authentication
None
Confidentiality
None
Integrity
Partial
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2020-01-20 CVE Reserved
  • 2020-01-27 CVE Published
  • 2024-08-04 CVE Updated
  • 2024-08-04 First Exploit
  • 2025-04-25 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
CAPEC
References (20)
URL Tag Source
https://lists.apache.org/thread.html/r131e572d003914843552fa45c4398b9903fb74144986e8b107c0a3a7%40%3Ccommits.cassandra.apache.org%3E Mailing List
https://lists.apache.org/thread.html/rc8d554aad889d12b140d9fd7d2d6fc2e8716e9792f6f4e4b2cdc2d05%40%3Ccommits.cassandra.apache.org%3E Mailing List
https://lists.debian.org/debian-lts-announce/2020/02/msg00017.html Mailing List
https://lists.debian.org/debian-lts-announce/2020/02/msg00018.html Mailing List
https://lists.debian.org/debian-lts-announce/2020/09/msg00003.html Mailing List
URL Date SRC
https://github.com/jdordonezn/CVE-2020-72381/issues/1 2024-08-04
URL Date SRC
URL Date SRC
https://access.redhat.com/errata/RHSA-2020:0497 2023-11-07
https://access.redhat.com/errata/RHSA-2020:0567 2023-11-07
https://access.redhat.com/errata/RHSA-2020:0601 2023-11-07
https://access.redhat.com/errata/RHSA-2020:0605 2023-11-07
https://access.redhat.com/errata/RHSA-2020:0606 2023-11-07
https://access.redhat.com/errata/RHSA-2020:0804 2023-11-07
https://access.redhat.com/errata/RHSA-2020:0805 2023-11-07
https://access.redhat.com/errata/RHSA-2020:0806 2023-11-07
https://access.redhat.com/errata/RHSA-2020:0811 2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TS6VX7OMXPDJIU5LRGUAHRK6MENAVJ46 2023-11-07
https://netty.io/news 2023-11-07
https://www.debian.org/security/2021/dsa-4885 2023-11-07
https://access.redhat.com/security/cve/CVE-2020-7238 2024-11-25
https://bugzilla.redhat.com/show_bug.cgi?id=1796225 2024-11-25
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Netty
Search vendor "Netty"
 Netty
Search vendor "Netty" for product "Netty"
 4.1.43
Search vendor "Netty" for product "Netty" and version "4.1.43"
-
Affected
Fedoraproject
Search vendor "Fedoraproject"
 Fedora
Search vendor "Fedoraproject" for product "Fedora"
 33
Search vendor "Fedoraproject" for product "Fedora" and version "33"
-
Affected
Debian
Search vendor "Debian"
 Debian Linux
Search vendor "Debian" for product "Debian Linux"
 8.0
Search vendor "Debian" for product "Debian Linux" and version "8.0"
-
Affected
Debian
Search vendor "Debian"
 Debian Linux
Search vendor "Debian" for product "Debian Linux"
 9.0
Search vendor "Debian" for product "Debian Linux" and version "9.0"
-
Affected
Debian
Search vendor "Debian"
 Debian Linux
Search vendor "Debian" for product "Debian Linux"
 10.0
Search vendor "Debian" for product "Debian Linux" and version "10.0"
-
Affected
Redhat
Search vendor "Redhat"
 Jboss Enterprise Application Platform
Search vendor "Redhat" for product "Jboss Enterprise Application Platform"
 7.2
Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "7.2"
-
Affected
Redhat
Search vendor "Redhat"
 Jboss Enterprise Application Platform
Search vendor "Redhat" for product "Jboss Enterprise Application Platform"
 7.3
Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "7.3"
-
Affected
Redhat
Search vendor "Redhat"
 Jboss Enterprise Application Platform
Search vendor "Redhat" for product "Jboss Enterprise Application Platform"
 7.4
Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "7.4"
-
Affected
Redhat
Search vendor "Redhat"
 Jboss Enterprise Application Platform Text-only Advisories
Search vendor "Redhat" for product "Jboss Enterprise Application Platform Text-only Advisories"
--
Affected
Redhat
Search vendor "Redhat"
 Openshift Application Runtimes Text-only Advisories
Search vendor "Redhat" for product "Openshift Application Runtimes Text-only Advisories"
--
Affected