PT-2019-6158 · Netty+2 · Netty+2

Phunt

·

Published

2019-12-09

·

Updated

2024-09-06

·

CVE-2019-20445

CVSS v3.1

9.1

Critical

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions Netty versions prior to 4.1.44
Description The issue is related to a flaw in the interpretation of HTTP requests in the HttpObjectDecoder.java component of the Netty network programming tool. This flaw can be exploited by a remote attacker to access and compromise confidential data. The vulnerability allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding header.
Recommendations For versions prior to 4.1.44, update to version 4.1.44 or later to resolve the issue. As a temporary workaround, consider restricting access to the HttpObjectDecoder.java component until a patch is applied. Avoid using the Content-Length header in conjunction with the Transfer-Encoding header in the affected API endpoint until the issue is resolved.

Exploit

Fix

HTTP Request/Response Smuggling

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-444

Related Identifiers

BDU:2022-00314
CVE-2019-20445
DLA-2109-1
DLA-2110-1
DLA-2364-1
DLA-2365-1
DSA-4885-1
GHSA-P2V9-G2QV-P635
OESA-2024-2066
OESA-2024-2067
OESA-2024-2068
OESA-2024-2069
OESA-2024-2103
RHSA-2020:0601
RHSA-2020:0605
RHSA-2020:0804
RHSA-2020:0805
RHSA-2020:0806
RHSA-2024:5856
USN-4532-1
USN-4600-1
USN-4600-2

Affected Products

Astra Linux
Netty
Ubuntu