io.netty:netty-all@4.0.0.CR6 vulnerabilities

  • latest version

    4.1.115.Final

  • latest non vulnerable version

  • first published

    11 years ago

  • latest version published

    1 months ago

  • licenses detected

  • package manager

  • Direct Vulnerabilities

    Known vulnerabilities in the io.netty:netty-all package. This does not include vulnerabilities belonging to this package’s dependencies.

    How to fix?

    Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

    Fix for free
    VulnerabilityVulnerable Version
    • H
    HTTP Request Smuggling

    io.netty:netty-all is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients.

    Affected versions of this package are vulnerable to HTTP Request Smuggling. It allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax or as an "invalid fold."

    How to fix HTTP Request Smuggling?

    Upgrade io.netty:netty-all to version 4.1.44.Final or higher.

    [,4.1.44.Final)
    • H
    HTTP Request Smuggling

    io.netty:netty-all is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients.

    Affected versions of this package are vulnerable to HTTP Request Smuggling due to the package mishandling Transfer-Encoding whitespace (such as a [space]Transfer-Encoding:chunked line) and a later Content-Length header when using HTTP/1.1. This issue exists because of an incomplete fix for CVE-2019-16869.

    NOTE: This vulnerability has also been identified as: CVE-2020-7238

    How to fix HTTP Request Smuggling?

    Upgrade io.netty:netty-all to version 4.1.44.Final or higher.

    [,4.1.44.Final)
    • H
    HTTP Request Smuggling

    io.netty:netty-all is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients.

    Affected versions of this package are vulnerable to HTTP Request Smuggling due to the package mishandling Transfer-Encoding whitespace (such as a [space]Transfer-Encoding:chunked line) and a later Content-Length header when using HTTP/1.1. This issue exists because of an incomplete fix for CVE-2019-16869.

    NOTE: This vulnerability has also been identified as: CVE-2019-20445

    How to fix HTTP Request Smuggling?

    Upgrade io.netty:netty-all to version 4.1.44.Final or higher.

    [,4.1.44.Final)
    • M
    HTTP Request Smuggling

    io.netty:netty-all is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients.

    Affected versions of this package are vulnerable to HTTP Request Smuggling. Netty mishandles whitespace before the colon in HTTP headers such as a Transfer-Encoding : chunked line. This can lead to HTTP request smuggling where an attacker can bypass security controls, gain unauthorized access to sensitive data, and directly compromise other application users.

    Note:

    io.netty:netty is deprecated. Users should update to io.netty:netty-all

    How to fix HTTP Request Smuggling?

    Upgrade io.netty:netty-all to version 4.1.42.Final or higher.

    [,4.1.42.Final)