CVE-2021-43797
MEDIUM
Published Dec 9, 2021 · Modified Jun 17, 2026
6.5 CVSS 3.1
Description
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high-performance protocol servers and clients. Netty prior to version 4.1.71.Final skips control characters when they are present at the beginning or end of a header name. It should instead fail fast, because these characters are not allowed by the spec and could lead to HTTP request smuggling. Failing to do the validation might cause Netty to "sanitize" header names before it forwards them to another remote system when used as a proxy. That remote system can no longer see the invalid usage and therefore does not perform the validation itself. Users should upgrade to version 4.1.71.Final.
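The following is an added illustration, not Netty's code: a simplified model of the lenient "strip control characters" behaviour described above beside a strict RFC 7230 token check, run through a toy proxy function so the difference in what a downstream hop receives is visible. The header lines and the `forward_through_proxy` helper are constructed for this example.

```python
import re
from typing import Callable, Optional

# RFC 7230 "token" characters, the only characters allowed in a header name.
# Control characters (0x00-0x1F, 0x7F), space and separators are excluded.
_TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")

# Every ASCII control character plus DEL, used by the lenient model below.
_CONTROL_CHARS = "".join(chr(c) for c in range(0x20)) + "\x7f"


def lenient_header_name(raw: str) -> str:
    """Hypothetical model of the pre-4.1.71 behaviour: leading and trailing
    control characters are silently dropped, so the downstream system never
    sees them and cannot reject the request itself."""
    return raw.strip(_CONTROL_CHARS)


def strict_header_name(raw: str) -> str:
    """Fail-fast validation: accept only a pure RFC 7230 token, reject anything
    else (including a name that is empty after the check)."""
    if not _TOKEN.fullmatch(raw):
        raise ValueError(f"invalid header name: {raw!r}")
    return raw


def forward_through_proxy(header_line: str,
                          validate: Callable[[str], str]) -> Optional[str]:
    """Simulate a proxy parsing one 'Name: value' line with the given validator.
    Returns the line it would forward, or None when the request is rejected."""
    name, _, value = header_line.partition(":")
    try:
        return f"{validate(name)}:{value}"
    except ValueError:
        return None
```

With the lenient model a name such as `"\x01X-Custom"` is forwarded as a clean `X-Custom`, while the strict check drops the request at the proxy, which is the fail-fast behaviour the advisory asks for.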
CVSS Details
Vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction Required
Scope Unchanged
Confidentiality None
Integrity High
Availability None
Threat Intelligence
No active exploitation signals — not in CISA KEV and no EPSS score yet.
Exploit & Patch Status
No Known Exploit
Patch Available
Weaknesses 1
CWE-444
Affected Products 22
| Vendor | Product | Version | Range |
|---|---|---|---|
| netty | netty | * | <4.1.71 |
| quarkus | quarkus | * | <2.5.3 |
| netapp | oncommand_workflow_automation | * | any |
| netapp | snapcenter | * | any |
| oracle | banking_deposits_and_lines_of_credit_servicing | 2.7 | any |
| oracle | banking_party_management | 2.7.0 | any |
| oracle | banking_platform | 2.6.2 | any |
| oracle | coherence | 12.2.1.4.0 | any |
| oracle | coherence | 14.1.1.0.0 | any |
| oracle | communications_cloud_native_core_binding_support_function | 1.11.0 | any |
| oracle | communications_cloud_native_core_network_slice_selection_function | 1.8.0 | any |
| oracle | communications_cloud_native_core_policy | 1.15.0 | any |
| oracle | communications_cloud_native_core_security_edge_protection_proxy | 1.7.0 | any |
| oracle | communications_cloud_native_core_unified_data_repository | 1.15.0 | any |
| oracle | communications_design_studio | 7.4.2 | any |
| oracle | communications_instant_messaging_server | 8.1 | any |
| oracle | helidon | 1.4.10 | any |
| oracle | helidon | 2.4.0 | any |
| oracle | peoplesoft_enterprise_peopletools | 8.58 | any |
| oracle | peoplesoft_enterprise_peopletools | 8.59 | any |
| debian | debian_linux | 10.0 | any |
| debian | debian_linux | 11.0 | any |
References 7
- github.com https://github.com/netty/netty/commit/07aa6b5938a8b6ed7a6586e066400e2643897323
- github.com https://github.com/netty/netty/security/advisories/GHSA-wx5j-54mm-rqqq
- lists.debian.org https://lists.debian.org/debian-lts-announce/2023/01/msg00008.html
- security.netapp.com https://security.netapp.com/advisory/ntap-20220107-0003/
- debian.org https://www.debian.org/security/2023/dsa-5316
- oracle.com https://www.oracle.com/security-alerts/cpuapr2022.html
- oracle.com https://www.oracle.com/security-alerts/cpujul2022.html
Remediation
- github.com https://github.com/netty/netty/commit/07aa6b5938a8b6ed7a6586e066400e2643897323
- oracle.com https://www.oracle.com/security-alerts/cpuapr2022.html
- oracle.com https://www.oracle.com/security-alerts/cpujul2022.html