// For flags

CVE-2021-43797

HTTP fails to validate against control chars in header names which may lead to HTTP request smuggling

Severity Score

6.5
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Netty prior to version 4.1.71.Final skips control chars when they are present at the beginning / end of the header name. It should instead fail fast as these are not allowed by the spec and could lead to HTTP request smuggling. Failing to do the validation might cause netty to "sanitize" header names before it forward these to another remote system when used as proxy. This remote system can't see the invalid usage anymore, and therefore does not do the validation itself. Users should upgrade to version 4.1.71.Final.

Netty es un marco de trabajo de aplicaciones de red asíncronas impulsadas por eventos para el desarrollo rápido de servidores y clientes de protocolo de alto rendimiento mantenibles. Netty antes de la versión 4.1.71.Final omite los caracteres de control cuando están presentes al principio/fin del nombre de la cabecera. En su lugar, debería fallar rápidamente ya que estos no están permitidos por la especificación y podrían llevar a un contrabando de peticiones HTTP. No hacer la validación podría causar que netty "sanee" los nombres de las cabeceras antes de reenviarlas a otro sistema remoto cuando se usa como proxy. Este sistema remoto ya no puede ver el uso inválido, y por lo tanto no hace la validación por sí mismo. Los usuarios deben actualizar a la versión 4.1.71.Final

A flaw was found in Netty, specifically in the netty-codec-http package. This flaw allows unauthorized control characters at the beginning and end of a request, does not follow the specification, and can cause HTTP request smuggling.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None
Attack Vector
Network
Attack Complexity
Medium
Authentication
None
Confidentiality
None
Integrity
Partial
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2021-11-16 CVE Reserved
  • 2021-12-09 CVE Published
  • 2024-08-04 CVE Updated
  • 2024-10-17 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Netty
Search vendor "Netty"
Netty
Search vendor "Netty" for product "Netty"
< 4.1.71
Search vendor "Netty" for product "Netty" and version " < 4.1.71"
-
Affected
Quarkus
Search vendor "Quarkus"
Quarkus
Search vendor "Quarkus" for product "Quarkus"
< 2.5.3
Search vendor "Quarkus" for product "Quarkus" and version " < 2.5.3"
-
Affected
Netapp
Search vendor "Netapp"
Oncommand Workflow Automation
Search vendor "Netapp" for product "Oncommand Workflow Automation"
--
Affected
Netapp
Search vendor "Netapp"
Snapcenter
Search vendor "Netapp" for product "Snapcenter"
--
Affected
Oracle
Search vendor "Oracle"
Banking Deposits And Lines Of Credit Servicing
Search vendor "Oracle" for product "Banking Deposits And Lines Of Credit Servicing"
2.7
Search vendor "Oracle" for product "Banking Deposits And Lines Of Credit Servicing" and version "2.7"
-
Affected
Oracle
Search vendor "Oracle"
Banking Party Management
Search vendor "Oracle" for product "Banking Party Management"
2.7.0
Search vendor "Oracle" for product "Banking Party Management" and version "2.7.0"
-
Affected
Oracle
Search vendor "Oracle"
Banking Platform
Search vendor "Oracle" for product "Banking Platform"
2.6.2
Search vendor "Oracle" for product "Banking Platform" and version "2.6.2"
-
Affected
Oracle
Search vendor "Oracle"
Coherence
Search vendor "Oracle" for product "Coherence"
12.2.1.4.0
Search vendor "Oracle" for product "Coherence" and version "12.2.1.4.0"
-
Affected
Oracle
Search vendor "Oracle"
Coherence
Search vendor "Oracle" for product "Coherence"
14.1.1.0.0
Search vendor "Oracle" for product "Coherence" and version "14.1.1.0.0"
-
Affected
Oracle
Search vendor "Oracle"
Communications Cloud Native Core Binding Support Function
Search vendor "Oracle" for product "Communications Cloud Native Core Binding Support Function"
1.11.0
Search vendor "Oracle" for product "Communications Cloud Native Core Binding Support Function" and version "1.11.0"
-
Affected
Oracle
Search vendor "Oracle"
Communications Cloud Native Core Network Slice Selection Function
Search vendor "Oracle" for product "Communications Cloud Native Core Network Slice Selection Function"
1.8.0
Search vendor "Oracle" for product "Communications Cloud Native Core Network Slice Selection Function" and version "1.8.0"
-
Affected
Oracle
Search vendor "Oracle"
Communications Cloud Native Core Policy
Search vendor "Oracle" for product "Communications Cloud Native Core Policy"
1.15.0
Search vendor "Oracle" for product "Communications Cloud Native Core Policy" and version "1.15.0"
-
Affected
Oracle
Search vendor "Oracle"
Communications Cloud Native Core Security Edge Protection Proxy
Search vendor "Oracle" for product "Communications Cloud Native Core Security Edge Protection Proxy"
1.7.0
Search vendor "Oracle" for product "Communications Cloud Native Core Security Edge Protection Proxy" and version "1.7.0"
-
Affected
Oracle
Search vendor "Oracle"
Communications Cloud Native Core Unified Data Repository
Search vendor "Oracle" for product "Communications Cloud Native Core Unified Data Repository"
1.15.0
Search vendor "Oracle" for product "Communications Cloud Native Core Unified Data Repository" and version "1.15.0"
-
Affected
Oracle
Search vendor "Oracle"
Communications Design Studio
Search vendor "Oracle" for product "Communications Design Studio"
7.4.2
Search vendor "Oracle" for product "Communications Design Studio" and version "7.4.2"
-
Affected
Oracle
Search vendor "Oracle"
Communications Instant Messaging Server
Search vendor "Oracle" for product "Communications Instant Messaging Server"
8.1
Search vendor "Oracle" for product "Communications Instant Messaging Server" and version "8.1"
-
Affected
Oracle
Search vendor "Oracle"
Helidon
Search vendor "Oracle" for product "Helidon"
1.4.10
Search vendor "Oracle" for product "Helidon" and version "1.4.10"
-
Affected
Oracle
Search vendor "Oracle"
Helidon
Search vendor "Oracle" for product "Helidon"
2.4.0
Search vendor "Oracle" for product "Helidon" and version "2.4.0"
-
Affected
Oracle
Search vendor "Oracle"
Peoplesoft Enterprise Peopletools
Search vendor "Oracle" for product "Peoplesoft Enterprise Peopletools"
8.58
Search vendor "Oracle" for product "Peoplesoft Enterprise Peopletools" and version "8.58"
-
Affected
Oracle
Search vendor "Oracle"
Peoplesoft Enterprise Peopletools
Search vendor "Oracle" for product "Peoplesoft Enterprise Peopletools"
8.59
Search vendor "Oracle" for product "Peoplesoft Enterprise Peopletools" and version "8.59"
-
Affected
Debian
Search vendor "Debian"
Debian Linux
Search vendor "Debian" for product "Debian Linux"
10.0
Search vendor "Debian" for product "Debian Linux" and version "10.0"
-
Affected
Debian
Search vendor "Debian"
Debian Linux
Search vendor "Debian" for product "Debian Linux"
11.0
Search vendor "Debian" for product "Debian Linux" and version "11.0"
-
Affected