CVE-2019-20444

CVSS v2.0

9.4

Critical

Vector

AV:N/AC:L/Au:N/C:C/I:C/A:N

Name of the Vulnerable Software and Affected Versions Netty versions prior to 4.1.44

Description The issue is related to the HttpObjectDecoder.java component in Netty, which lacks a check for the presence of a colon in HTTP headers. This could lead to incorrect syntax interpretation or be seen as an "invalid fold." The exploitation of this issue might allow a remote attacker to access and compromise confidential data.

Recommendations For versions prior to 4.1.44, update to version 4.1.44 or later to resolve the issue. As a temporary workaround, consider restricting access to the HttpObjectDecoder.java component to minimize the risk of exploitation.

Exploit

Fix

HTTP Request/Response Smuggling

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-444

Related Identifiers

BDU:2022-00333

CVE-2019-20444

DLA-2109-1

DLA-2110-1

DLA-2364-1

DLA-2365-1

DSA-4885-1

GHSA-CQQJ-4P63-RRMM

OESA-2024-2066

OESA-2024-2067

OESA-2024-2068

OESA-2024-2069

OESA-2024-2103

RHSA-2020:0601

RHSA-2020:0605

RHSA-2020:0804

RHSA-2020:0805

RHSA-2020:0806

RHSA-2024:5856

USN-4532-1

USN-4600-1

USN-4600-2

Affected Products

Astra Linux

Netty

Ubuntu

CVE-2019-20444

Weakness Enumeration

Related Identifiers

Affected Products

References · 163