Upgrade gnutls to version 3.7.1 or higher.

io.netty:netty-all 4.0.10.Final vulnerabilities

Known vulnerabilities in the io.netty:netty-all package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability	Vulnerable Version
H HTTP Request Smuggling io.netty:netty-all is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Affected versions of this package are vulnerable to HTTP Request Smuggling. It allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax or as an "invalid fold." How to fix HTTP Request Smuggling? Upgrade `io.netty:netty-all` to version 4.1.44.Final or higher.	[,4.1.44.Final)
H HTTP Request Smuggling io.netty:netty-all is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Affected versions of this package are vulnerable to HTTP Request Smuggling due to the package mishandling Transfer-Encoding whitespace (such as a `[space]Transfer-Encoding:chunked` line) and a later Content-Length header when using `HTTP/1.1`. This issue exists because of an incomplete fix for CVE-2019-16869. NOTE: This vulnerability has also been identified as: CVE-2020-7238 How to fix HTTP Request Smuggling? Upgrade `io.netty:netty-all` to version 4.1.44.Final or higher.	[,4.1.44.Final)
H HTTP Request Smuggling io.netty:netty-all is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Affected versions of this package are vulnerable to HTTP Request Smuggling due to the package mishandling Transfer-Encoding whitespace (such as a `[space]Transfer-Encoding:chunked` line) and a later Content-Length header when using `HTTP/1.1`. This issue exists because of an incomplete fix for CVE-2019-16869. NOTE: This vulnerability has also been identified as: CVE-2019-20445 How to fix HTTP Request Smuggling? Upgrade `io.netty:netty-all` to version 4.1.44.Final or higher.	[,4.1.44.Final)
M HTTP Request Smuggling io.netty:netty-all is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Affected versions of this package are vulnerable to HTTP Request Smuggling. Netty mishandles whitespace before the colon in HTTP headers such as a `Transfer-Encoding : chunked` line. This can lead to HTTP request smuggling where an attacker can bypass security controls, gain unauthorized access to sensitive data, and directly compromise other application users. Note: `io.netty:netty` is deprecated. Users should update to `io.netty:netty-all` How to fix HTTP Request Smuggling? Upgrade `io.netty:netty-all` to version 4.1.42.Final or higher.	[,4.1.42.Final)
H Information Exposure io.netty:netty-all is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Affected versions of this package are vulnerable to Information Exposure. It does not validate cookie name and value characters, allowing attackers to potentially bypass the `httpOnly` flag on sensitive cookies. How to fix Information Exposure? Upgrade `io.netty:netty-all` to version 4.0.28.Final, 4.1.0.Beta5 or higher.	[4.0.0.Final,4.0.28.Final)[4.1.0.Beta1,4.1.0.Beta5)

Vulnerability

Vulnerable Version

HTTP Request Smuggling

io.netty:netty-all is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients.

Affected versions of this package are vulnerable to HTTP Request Smuggling. It allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax or as an "invalid fold."

How to fix HTTP Request Smuggling?

Upgrade io.netty:netty-all to version 4.1.44.Final or higher.

[,4.1.44.Final)

HTTP Request Smuggling

io.netty:netty-all is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients.

Affected versions of this package are vulnerable to HTTP Request Smuggling due to the package mishandling Transfer-Encoding whitespace (such as a [space]Transfer-Encoding:chunked line) and a later Content-Length header when using HTTP/1.1. This issue exists because of an incomplete fix for CVE-2019-16869.

NOTE: This vulnerability has also been identified as: CVE-2020-7238

How to fix HTTP Request Smuggling?

Upgrade io.netty:netty-all to version 4.1.44.Final or higher.

[,4.1.44.Final)

HTTP Request Smuggling

io.netty:netty-all is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients.

NOTE: This vulnerability has also been identified as: CVE-2019-20445

How to fix HTTP Request Smuggling?

Upgrade io.netty:netty-all to version 4.1.44.Final or higher.

[,4.1.44.Final)

HTTP Request Smuggling

io.netty:netty-all is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients.

Affected versions of this package are vulnerable to HTTP Request Smuggling. Netty mishandles whitespace before the colon in HTTP headers such as a Transfer-Encoding : chunked line. This can lead to HTTP request smuggling where an attacker can bypass security controls, gain unauthorized access to sensitive data, and directly compromise other application users.

Note:

io.netty:netty is deprecated. Users should update to io.netty:netty-all

How to fix HTTP Request Smuggling?

Upgrade io.netty:netty-all to version 4.1.42.Final or higher.

[,4.1.42.Final)

Information Exposure

io.netty:netty-all is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients.

Affected versions of this package are vulnerable to Information Exposure. It does not validate cookie name and value characters, allowing attackers to potentially bypass the httpOnly flag on sensitive cookies.

How to fix Information Exposure?

Upgrade io.netty:netty-all to version 4.0.28.Final, 4.1.0.Beta5 or higher.

[4.0.0.Final,4.0.28.Final)[4.1.0.Beta1,4.1.0.Beta5)

io.netty:netty-all@4.0.10.Final vulnerabilities

latest version

latest non vulnerable version

first published

latest version published

licenses detected

package manager

Direct Vulnerabilities

How to fix?