HTTP Request Smuggling Affecting io.netty:netty-codec-http package, versions [,4.1.42.Final)

Exploit Maturity

Proof of concept
Attack Complexity

Low

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

snyk-id

SNYK-JAVA-IONETTY-469234
published

26 Sep 2019
disclosed

26 Sep 2019
credit

axeBig

Report a new vulnerability Found a mistake?

Introduced: 26 Sep 2019

CVE-2019-16869 Open this link in a new tab CWE-113 Open this link in a new tab

How to fix?

Upgrade io.netty:netty-codec-http to version 4.1.42.Final or higher.

Overview

io.netty:netty-codec-http is a network application framework for rapid development of maintainable high performance protocol servers & clients.

Affected versions of this package are vulnerable to HTTP Request Smuggling. Netty mishandles whitespace before the colon in HTTP headers such as a Transfer-Encoding : chunked line. This can lead to HTTP request smuggling where an attacker can bypass security controls, gain unauthorized access to sensitive data, and directly compromise other application users.

HTTP Request Smuggling Affecting io.netty:netty-codec-http package, versions [,4.1.42.Final)

Exploit Maturity

Attack Complexity

snyk-id

published

disclosed

credit

Introduced: 26 Sep 2019

How to fix?

Overview

References