io.netty:netty-all 4.0.45.Final vulnerabilities

Known vulnerabilities in the io.netty:netty-all package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability	Vulnerable Version
H HTTP Request Smuggling io.netty:netty-all is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Affected versions of this package are vulnerable to HTTP Request Smuggling. It allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax or as an "invalid fold." How to fix HTTP Request Smuggling? Upgrade `io.netty:netty-all` to version 4.1.44.Final or higher.	[,4.1.44.Final)
H HTTP Request Smuggling io.netty:netty-all is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Affected versions of this package are vulnerable to HTTP Request Smuggling due to the package mishandling Transfer-Encoding whitespace (such as a `[space]Transfer-Encoding:chunked` line) and a later Content-Length header when using `HTTP/1.1`. This issue exists because of an incomplete fix for CVE-2019-16869. NOTE: This vulnerability has also been identified as: CVE-2020-7238 How to fix HTTP Request Smuggling? Upgrade `io.netty:netty-all` to version 4.1.44.Final or higher.	[,4.1.44.Final)
H HTTP Request Smuggling io.netty:netty-all is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Affected versions of this package are vulnerable to HTTP Request Smuggling due to the package mishandling Transfer-Encoding whitespace (such as a `[space]Transfer-Encoding:chunked` line) and a later Content-Length header when using `HTTP/1.1`. This issue exists because of an incomplete fix for CVE-2019-16869. NOTE: This vulnerability has also been identified as: CVE-2019-20445 How to fix HTTP Request Smuggling? Upgrade `io.netty:netty-all` to version 4.1.44.Final or higher.	[,4.1.44.Final)
M HTTP Request Smuggling io.netty:netty-all is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Affected versions of this package are vulnerable to HTTP Request Smuggling. Netty mishandles whitespace before the colon in HTTP headers such as a `Transfer-Encoding : chunked` line. This can lead to HTTP request smuggling where an attacker can bypass security controls, gain unauthorized access to sensitive data, and directly compromise other application users. Note: `io.netty:netty` is deprecated. Users should update to `io.netty:netty-all` How to fix HTTP Request Smuggling? Upgrade `io.netty:netty-all` to version 4.1.42.Final or higher.	[,4.1.42.Final)

Vulnerability

Vulnerable Version

HTTP Request Smuggling

io.netty:netty-all is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients.

Affected versions of this package are vulnerable to HTTP Request Smuggling. It allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax or as an "invalid fold."

How to fix HTTP Request Smuggling?

Upgrade io.netty:netty-all to version 4.1.44.Final or higher.

[,4.1.44.Final)

HTTP Request Smuggling

io.netty:netty-all is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients.

Affected versions of this package are vulnerable to HTTP Request Smuggling due to the package mishandling Transfer-Encoding whitespace (such as a [space]Transfer-Encoding:chunked line) and a later Content-Length header when using HTTP/1.1. This issue exists because of an incomplete fix for CVE-2019-16869.

NOTE: This vulnerability has also been identified as: CVE-2020-7238

How to fix HTTP Request Smuggling?

Upgrade io.netty:netty-all to version 4.1.44.Final or higher.

[,4.1.44.Final)

HTTP Request Smuggling

io.netty:netty-all is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients.

NOTE: This vulnerability has also been identified as: CVE-2019-20445

How to fix HTTP Request Smuggling?

Upgrade io.netty:netty-all to version 4.1.44.Final or higher.

[,4.1.44.Final)

HTTP Request Smuggling

io.netty:netty-all is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients.

Affected versions of this package are vulnerable to HTTP Request Smuggling. Netty mishandles whitespace before the colon in HTTP headers such as a Transfer-Encoding : chunked line. This can lead to HTTP request smuggling where an attacker can bypass security controls, gain unauthorized access to sensitive data, and directly compromise other application users.

Note:

io.netty:netty is deprecated. Users should update to io.netty:netty-all

How to fix HTTP Request Smuggling?

Upgrade io.netty:netty-all to version 4.1.42.Final or higher.

[,4.1.42.Final)

io.netty:netty-all@4.0.45.Final vulnerabilities

latest version

latest non vulnerable version

first published

latest version published

licenses detected

package manager

Direct Vulnerabilities

How to fix?