ubuntu-cve-2021-43797
Vulnerability from osv_ubuntu
Published
2021-12-09 19:15
Modified
2026-06-08 16:09
Summary
Details
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Netty prior to version 4.1.71.Final skips control chars when they are present at the beginning / end of the header name. It should instead fail fast as these are not allowed by the spec and could lead to HTTP request smuggling. Failing to do the validation might cause netty to "sanitize" header names before it forward these to another remote system when used as proxy. This remote system can't see the invalid usage anymore, and therefore does not do the validation itself. Users should upgrade to version 4.1.71.Final.
Severity
6.5 (Medium)
6.5 (Medium)
N/A (UNKNOWN)
References
{
"affected": [
{
"ecosystem_specific": {
"binaries": [
{
"binary_name": "libnetty-java",
"binary_version": "1:3.2.6.Final-2+deb8u2ubuntu0.1~esm1"
}
]
},
"package": {
"ecosystem": "Ubuntu:Pro:14.04:LTS",
"name": "netty",
"purl": "pkg:deb/ubuntu/netty@1:3.2.6.Final-2+deb8u2ubuntu0.1~esm1?arch=source\u0026distro=esm-infra-legacy/trusty"
},
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1:3.2.6.Final-2",
"1:3.2.6.Final-2+deb8u2build0.14.04.1~esm1",
"1:3.2.6.Final-2+deb8u2ubuntu0.1~esm1"
]
},
{
"ecosystem_specific": {
"availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
"binaries": [
{
"binary_name": "libnetty-java",
"binary_version": "1:4.0.34-1ubuntu0.1~esm1"
}
]
},
"package": {
"ecosystem": "Ubuntu:Pro:16.04:LTS",
"name": "netty",
"purl": "pkg:deb/ubuntu/netty@1:4.0.34-1ubuntu0.1~esm1?arch=source\u0026distro=esm-apps/xenial"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1:4.0.34-1ubuntu0.1~esm1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1:3.2.6.Final-2",
"1:4.0.32-1",
"1:4.0.33-1",
"1:4.0.34-1"
]
},
{
"ecosystem_specific": {
"availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
"binaries": [
{
"binary_name": "libnetty-java",
"binary_version": "1:4.1.7-4ubuntu0.1+esm2"
}
]
},
"package": {
"ecosystem": "Ubuntu:Pro:18.04:LTS",
"name": "netty",
"purl": "pkg:deb/ubuntu/netty@1:4.1.7-4ubuntu0.1+esm2?arch=source\u0026distro=esm-apps/bionic"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1:4.1.7-4ubuntu0.1+esm2"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1:4.1.7-4",
"1:4.1.7-4ubuntu0.1~esm1",
"1:4.1.7-4ubuntu0.1",
"1:4.1.7-4ubuntu0.1+esm1"
]
},
{
"ecosystem_specific": {
"availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
"binaries": [
{
"binary_name": "libnetty-java",
"binary_version": "1:4.1.45-1ubuntu0.1~esm1"
}
]
},
"package": {
"ecosystem": "Ubuntu:Pro:20.04:LTS",
"name": "netty",
"purl": "pkg:deb/ubuntu/netty@1:4.1.45-1ubuntu0.1~esm1?arch=source\u0026distro=esm-apps/focal"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1:4.1.45-1ubuntu0.1~esm1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1:4.1.33-1",
"1:4.1.33-2",
"1:4.1.33-3",
"1:4.1.45-1"
]
},
{
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "libnetty-java",
"binary_version": "1:4.1.48-4+deb11u1build0.22.04.1"
}
]
},
"package": {
"ecosystem": "Ubuntu:22.04:LTS",
"name": "netty",
"purl": "pkg:deb/ubuntu/netty@1:4.1.48-4+deb11u1build0.22.04.1?arch=source\u0026distro=jammy"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1:4.1.48-4+deb11u1build0.22.04.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1:4.1.48-4"
]
}
],
"aliases": [],
"details": "Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers \u0026 clients. Netty prior to version 4.1.71.Final skips control chars when they are present at the beginning / end of the header name. It should instead fail fast as these are not allowed by the spec and could lead to HTTP request smuggling. Failing to do the validation might cause netty to \"sanitize\" header names before it forward these to another remote system when used as proxy. This remote system can\u0027t see the invalid usage anymore, and therefore does not do the validation itself. Users should upgrade to version 4.1.71.Final.",
"id": "UBUNTU-CVE-2021-43797",
"modified": "2026-06-08T16:09:36Z",
"published": "2021-12-09T19:15:00Z",
"references": [
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2021-43797"
},
{
"type": "REPORT",
"url": "https://github.com/netty/netty/security/advisories/GHSA-wx5j-54mm-rqqq"
},
{
"type": "REPORT",
"url": "https://github.com/netty/netty/commit/07aa6b5938a8b6ed7a6586e066400e2643897323"
},
{
"type": "REPORT",
"url": "https://github.com/netty/netty/commit/07aa6b5938a8b6ed7a6586e066400e2643897323"
},
{
"type": "ADVISORY",
"url": "https://ubuntu.com/security/notices/USN-6049-1"
},
{
"type": "REPORT",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-43797"
}
],
"related": [
"USN-6049-1"
],
"schema_version": "1.7.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
],
"upstream": [
"CVE-2021-43797"
]
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…