CVE-2021-21409

Published Mar 30, 2021

Last updated a year ago

CVSS medium 5.9

Overview

Description: Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with the endStream set to to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a followup of GHSA-wm47-8v5p-wjpj/CVE-2021-21295 which did miss to fix this one case. This was fixed as part of 4.1.61.Final.
Source: security-advisories@github.com
NVD status: Modified

Risk scores

CVSS 3.1

Type: Primary
Base score: 5.9
Impact score: 3.6
Exploitability score: 2.2
Vector string: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Severity: MEDIUM

CVSS 2.0

Type: Primary
Base score: 4.3
Impact score: 2.9
Exploitability score: 8.6
Vector string: AV:N/AC:M/Au:N/C:N/I:P/A:N

Weaknesses

security-advisories@github.com: CWE-444
nvd@nist.gov: CWE-444

Hype score: Not currently trending

Configurations

[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "BC283248-0EB5-46CA-A68C-4FF004D606F8",
            "versionEndExcluding": "4.1.61"
          }
        ],
        "operator": "OR"
      }
    ]
  },
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73"
          }
        ],
        "operator": "OR"
      }
    ]
  },
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:netapp:oncommand_api_services:-:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "5EC98B22-FFAA-4B59-8E63-EBAA4336AD13"
          },
          {
            "criteria": "cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "5735E553-9731-4AAC-BCFF-989377F817B3"
          }
        ],
        "operator": "OR"
      }
    ]
  },
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.2.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "0CF9A061-2421-426D-9854-0A4E55B2961D"
          },
          {
            "criteria": "cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.3.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "F95EDC3D-54BB-48F9-82F2-7CCF335FCA78"
          },
          {
            "criteria": "cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.5.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "B72B735F-4E52-484A-9C2C-23E6E2070385"
          },
          {
            "criteria": "cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.2.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "8B36A1D4-F391-4EE3-9A65-0A10568795BA"
          },
          {
            "criteria": "cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.3.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "55116032-AAD1-4FEA-9DA8-2C4CBD3D3F61"
          },
          {
            "criteria": "cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.5.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "0275F820-40BE-47B8-B167-815A55DF578E"
          },
          {
            "criteria": "cpe:2.3:a:oracle:banking_trade_finance_process_management:14.2.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "9E14324D-B9EE-4C06-ACC7-255189ED6300"
          },
          {
            "criteria": "cpe:2.3:a:oracle:banking_trade_finance_process_management:14.3.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "CBEBB60F-6EAB-4AE5-B777-5044C657FBA8"
          },
          {
            "criteria": "cpe:2.3:a:oracle:banking_trade_finance_process_management:14.5.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "B185C1EA-71E6-4972-8637-08A33CC00841"
          },
          {
            "criteria": "cpe:2.3:a:oracle:coherence:12.2.1.4.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "2FF57C7A-92C9-4D71-A7B1-CC9DEFAA8193"
          },
          {
            "criteria": "cpe:2.3:a:oracle:coherence:14.1.1.0.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "5FA64A1D-34F9-4441-857A-25C165E6DBB6"
          },
          {
            "criteria": "cpe:2.3:a:oracle:communications_brm_-_elastic_charging_engine:12.0.0.3:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "06594847-96ED-4541-B2F4-C7331B603603"
          },
          {
            "criteria": "cpe:2.3:a:oracle:communications_cloud_native_core_console:1.7.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "BC12B43F-30F6-4B05-AB3A-E91D8404D5A5"
          },
          {
            "criteria": "cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.14.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "4479F76A-4B67-41CC-98C7-C76B81050F8E"
          },
          {
            "criteria": "cpe:2.3:a:oracle:communications_design_studio:7.4.2.0.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "040DA31B-2A0C-46F6-8EDF-9B88F9FB0F48"
          },
          {
            "criteria": "cpe:2.3:a:oracle:communications_messaging_server:8.1:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "E1214FDF-357A-4BB9-BADE-50FB2BD16D10"
          },
          {
            "criteria": "cpe:2.3:a:oracle:helidon:1.4.10:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "4E7626D2-D9FF-416A-9581-852CED0D8C24"
          },
          {
            "criteria": "cpe:2.3:a:oracle:helidon:2.4.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "99344A5D-F4B7-49B4-9AE6-0E2FB3874EA5"
          },
          {
            "criteria": "cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "BE34D4F7-5C18-4578-8D0A-722FDF931333",
            "versionEndExcluding": "9.2.6.3"
          },
          {
            "criteria": "cpe:2.3:a:oracle:nosql_database:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "7167D144-C4AE-487F-B59A-888E10EA59DF",
            "versionEndExcluding": "21.1.12"
          },
          {
            "criteria": "cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "8B1C88FD-C2EC-4C96-AC7E-6F95C8763B48",
            "versionEndIncluding": "17.12.11",
            "versionStartIncluding": "17.12.0"
          },
          {
            "criteria": "cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "53E2276C-9515-46F6-A621-213A3047B9A6",
            "versionEndIncluding": "18.8.11",
            "versionStartIncluding": "18.8.0"
          },
          {
            "criteria": "cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "3EF7E2B4-B741-41E9-8EF6-6C415AB9EF54",
            "versionEndIncluding": "19.12.10",
            "versionStartIncluding": "19.12.0"
          }
        ],
        "operator": "OR"
      }
    ]
  },
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "64839EBF-078E-492A-897C-9AFFB7678ED8",
            "versionEndIncluding": "1.13.7"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]

Overview

Risk scores

CVSS 3.1

CVSS 2.0

Weaknesses

Social media

Configurations

References