CVE-2020-7238
Summary
| CVE | CVE-2020-7238 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2020-01-27 17:15:00 UTC |
| Updated | 2023-11-07 03:25:00 UTC |
| Description | Netty 4.1.43.Final allows HTTP Request Smuggling because it mishandles Transfer-Encoding whitespace (such as a [space]Transfer-Encoding:chunked line) and a later Content-Length header. This issue exists because of an incomplete fix for CVE-2019-16869. |
Risk And Classification
Problem Types: CWE-444 (Inconsistent Interpretation of HTTP Requests, i.e. HTTP Request Smuggling)
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Operating System | Debian | Debian Linux | 10.0 | All | All | All |
| Operating System | Debian | Debian Linux | 8.0 | All | All | All |
| Operating System | Debian | Debian Linux | 9.0 | All | All | All |
| Operating System | Fedoraproject | Fedora | 33 | All | All | All |
| Application | Netty | Netty | 4.1.43 | All | All | All |
| Application | Redhat | Jboss Enterprise Application Platform | 7.2 | All | All | All |
| Application | Redhat | Jboss Enterprise Application Platform | 7.3 | All | All | All |
| Application | Redhat | Jboss Enterprise Application Platform | 7.4 | All | All | All |
| Application | Redhat | Jboss Enterprise Application Platform Text-only Advisories | - | All | All | All |
| Application | Redhat | Openshift Application Runtimes Text-only Advisories | - | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| [SECURITY] Fedora 33 Update: netty-4.1.51-1.fc33 - package-announce - Fedora Mailing-Lists | | lists.fedoraproject.org | |
| Debian -- Security Information -- DSA-4885-1 netty | DEBIAN | www.debian.org | |
| Red Hat Customer Portal | REDHAT | access.redhat.com | |
| Red Hat Customer Portal | REDHAT | access.redhat.com | |
| Pony Mail! | MLIST | lists.apache.org | |
| Red Hat Customer Portal | REDHAT | access.redhat.com | |
| Red Hat Customer Portal | REDHAT | access.redhat.com | |
| Pony Mail! | | lists.apache.org | |
| [SECURITY] [DLA 2109-1] netty security update | MLIST | lists.debian.org | |
| [SECURITY] [DLA 2364-1] netty security update | MLIST | lists.debian.org | |
| [SECURITY] Fedora 33 Update: netty-4.1.51-1.fc33 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org | |
| Netty.news: All news items | MISC | netty.io | Vendor Advisory |
| Red Hat Customer Portal | REDHAT | access.redhat.com | |
| [SECURITY] [DLA 2110-1] netty-3.9 security update | MLIST | lists.debian.org | |
| Red Hat Customer Portal | REDHAT | access.redhat.com | |
| Red Hat Customer Portal | REDHAT | access.redhat.com | |
| HTTP Request Smuggling in Netty - 4.1.43.Final · Issue #1 · jdordonezn/CVE-2020-72381 · GitHub | MISC | github.com | Exploit, Third Party Advisory |
| Pony Mail! | MLIST | lists.apache.org | |
| Pony Mail! | | lists.apache.org | |
| Red Hat Customer Portal | REDHAT | access.redhat.com | |
| Red Hat Customer Portal | REDHAT | access.redhat.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 178527 Debian Security Update for netty (DSA 4885-1)
- 20269 IBM DB2 Multiple Vulnerabilities (6466365)
- 238742 Red Hat Update for Satellite 6.8 release (RHSA-2020:4366)
- 691024 Free Berkeley Software Distribution (FreeBSD) Security Update for cassandra3 (53caf29b-9180-11ed-acbe-b42e991fc52e)
- 981586 Java (maven) Security Update for io.netty:netty-handler (GHSA-ff2w-cq2g-wv5f)