CVE-2020-7238

Netty 4.1.43.Final allows HTTP Request Smuggling because it mishandles Transfer-Encoding whitespace (such as a [space]Transfer-Encoding:chunked line) and a later Content-Length header. This issue exists because of an incomplete fix for CVE-2019-16869.
References
Link Resource
https://github.com/jdordonezn/CVE-2020-72381/issues/1 Exploit Third Party Advisory
https://netty.io/news/ Vendor Advisory
https://access.redhat.com/errata/RHSA-2020:0497 Third Party Advisory
https://lists.debian.org/debian-lts-announce/2020/02/msg00018.html Mailing List Third Party Advisory
https://lists.debian.org/debian-lts-announce/2020/02/msg00017.html Mailing List Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0601 Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0606 Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0605 Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0567 Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0804 Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0805 Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0811 Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0806 Third Party Advisory
https://lists.debian.org/debian-lts-announce/2020/09/msg00003.html Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TS6VX7OMXPDJIU5LRGUAHRK6MENAVJ46/ Mailing List Third Party Advisory
https://www.debian.org/security/2021/dsa-4885 Third Party Advisory
https://lists.apache.org/thread.html/rc8d554aad889d12b140d9fd7d2d6fc2e8716e9792f6f4e4b2cdc2d05@%3Ccommits.cassandra.apache.org%3E Mailing List Vendor Advisory
https://lists.apache.org/thread.html/r131e572d003914843552fa45c4398b9903fb74144986e8b107c0a3a7@%3Ccommits.cassandra.apache.org%3E Mailing List Vendor Advisory
Configurations

Configuration 1

cpe:2.3:a:netty:netty:4.1.43:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.2:*:*:*:*:*:*:*
cpe:2.3:a:redhat:jboss_enterprise_application_platform_text-only_advisories:-:*:*:*:*:*:*:*
cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.3:*:*:*:*:*:*:*
cpe:2.3:a:redhat:openshift_application_runtimes_text-only_advisories:-:*:*:*:*:*:*:*
cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.4:*:*:*:*:*:*:*

Information

Published : 2020-01-27 05:15

Updated : 2021-05-27 04:21


NVD link : CVE-2020-7238

Mitre link : CVE-2020-7238

Products Affected
No products.
CWE
CWE-444

Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')