CVE-2021-21409
Published Mar 30, 2021
Last updated a year ago
Overview
- Description
- Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with the endStream set to to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a followup of GHSA-wm47-8v5p-wjpj/CVE-2021-21295 which did miss to fix this one case. This was fixed as part of 4.1.61.Final.
- Source
- security-advisories@github.com
- NVD status
- Modified
Social media
- Hype score
- Not currently trending
Risk scores
CVSS 3.1
- Type
- Primary
- Base score
- 5.9
- Impact score
- 3.6
- Exploitability score
- 2.2
- Vector string
- CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
- Severity
- MEDIUM
CVSS 2.0
- Type
- Primary
- Base score
- 4.3
- Impact score
- 2.9
- Exploitability score
- 8.6
- Vector string
- AV:N/AC:M/Au:N/C:N/I:P/A:N
Configurations
[
{
"nodes": [
{
"negate": false,
"cpeMatch": [
{
"criteria": "cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "BC283248-0EB5-46CA-A68C-4FF004D606F8",
"versionEndExcluding": "4.1.61"
}
],
"operator": "OR"
}
]
},
{
"nodes": [
{
"negate": false,
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73"
}
],
"operator": "OR"
}
]
},
{
"nodes": [
{
"negate": false,
"cpeMatch": [
{
"criteria": "cpe:2.3:a:netapp:oncommand_api_services:-:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "5EC98B22-FFAA-4B59-8E63-EBAA4336AD13"
},
{
"criteria": "cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "5735E553-9731-4AAC-BCFF-989377F817B3"
}
],
"operator": "OR"
}
]
},
{
"nodes": [
{
"negate": false,
"cpeMatch": [
{
"criteria": "cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.2.0:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "0CF9A061-2421-426D-9854-0A4E55B2961D"
},
{
"criteria": "cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.3.0:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "F95EDC3D-54BB-48F9-82F2-7CCF335FCA78"
},
{
"criteria": "cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.5.0:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "B72B735F-4E52-484A-9C2C-23E6E2070385"
},
{
"criteria": "cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.2.0:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "8B36A1D4-F391-4EE3-9A65-0A10568795BA"
},
{
"criteria": "cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.3.0:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "55116032-AAD1-4FEA-9DA8-2C4CBD3D3F61"
},
{
"criteria": "cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.5.0:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "0275F820-40BE-47B8-B167-815A55DF578E"
},
{
"criteria": "cpe:2.3:a:oracle:banking_trade_finance_process_management:14.2.0:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "9E14324D-B9EE-4C06-ACC7-255189ED6300"
},
{
"criteria": "cpe:2.3:a:oracle:banking_trade_finance_process_management:14.3.0:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "CBEBB60F-6EAB-4AE5-B777-5044C657FBA8"
},
{
"criteria": "cpe:2.3:a:oracle:banking_trade_finance_process_management:14.5.0:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "B185C1EA-71E6-4972-8637-08A33CC00841"
},
{
"criteria": "cpe:2.3:a:oracle:coherence:12.2.1.4.0:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "2FF57C7A-92C9-4D71-A7B1-CC9DEFAA8193"
},
{
"criteria": "cpe:2.3:a:oracle:coherence:14.1.1.0.0:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "5FA64A1D-34F9-4441-857A-25C165E6DBB6"
},
{
"criteria": "cpe:2.3:a:oracle:communications_brm_-_elastic_charging_engine:12.0.0.3:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "06594847-96ED-4541-B2F4-C7331B603603"
},
{
"criteria": "cpe:2.3:a:oracle:communications_cloud_native_core_console:1.7.0:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "BC12B43F-30F6-4B05-AB3A-E91D8404D5A5"
},
{
"criteria": "cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.14.0:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "4479F76A-4B67-41CC-98C7-C76B81050F8E"
},
{
"criteria": "cpe:2.3:a:oracle:communications_design_studio:7.4.2.0.0:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "040DA31B-2A0C-46F6-8EDF-9B88F9FB0F48"
},
{
"criteria": "cpe:2.3:a:oracle:communications_messaging_server:8.1:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "E1214FDF-357A-4BB9-BADE-50FB2BD16D10"
},
{
"criteria": "cpe:2.3:a:oracle:helidon:1.4.10:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "4E7626D2-D9FF-416A-9581-852CED0D8C24"
},
{
"criteria": "cpe:2.3:a:oracle:helidon:2.4.0:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "99344A5D-F4B7-49B4-9AE6-0E2FB3874EA5"
},
{
"criteria": "cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "BE34D4F7-5C18-4578-8D0A-722FDF931333",
"versionEndExcluding": "9.2.6.3"
},
{
"criteria": "cpe:2.3:a:oracle:nosql_database:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "7167D144-C4AE-487F-B59A-888E10EA59DF",
"versionEndExcluding": "21.1.12"
},
{
"criteria": "cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "8B1C88FD-C2EC-4C96-AC7E-6F95C8763B48",
"versionEndIncluding": "17.12.11",
"versionStartIncluding": "17.12.0"
},
{
"criteria": "cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "53E2276C-9515-46F6-A621-213A3047B9A6",
"versionEndIncluding": "18.8.11",
"versionStartIncluding": "18.8.0"
},
{
"criteria": "cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "3EF7E2B4-B741-41E9-8EF6-6C415AB9EF54",
"versionEndIncluding": "19.12.10",
"versionStartIncluding": "19.12.0"
}
],
"operator": "OR"
}
]
},
{
"nodes": [
{
"negate": false,
"cpeMatch": [
{
"criteria": "cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "64839EBF-078E-492A-897C-9AFFB7678ED8",
"versionEndIncluding": "1.13.7"
}
],
"operator": "OR"
}
]
}
]