CVE-2021-21409
Possible request smuggling in HTTP/2 due to missing validation of content-length
In short
Netty's HTTP/2 codec does not validate the content-length header when a request arrives as a single HEADERS frame with END_STREAM set. A proxy that translates such a request to HTTP/1.1 forwards a Content-Length that does not match the (empty) body it actually received, so the upstream HTTP/1.1 server reads the following bytes on the connection as that body. An attacker can use this to smuggle requests, which can lead to interception of other users' requests, cache poisoning, or actions performed under another user's session.
Technical detail
CVE-2021-21409 is an HTTP request smuggling vulnerability in Netty's HTTP/2 codec (io.netty:netty-codec-http2 before 4.1.61.Final). The content-length validation added for CVE-2021-21295 is not applied when the request consists of a single Http2HeaderFrame with endStream set to true, so a request can declare a content-length that does not match its actual, empty body. When such a request is proxied and translated to HTTP/1.1, the translated request carries the mismatched Content-Length, and the upstream HTTP/1.1 peer places the request boundary differently from the proxy: the bytes of the next request on the same connection are consumed as the body of the smuggled one. This is the classic request-smuggling desync between a front-end and a back-end. Exploitation requires a deployment that proxies HTTP/2 traffic to an HTTP/1.1 peer, which is why the CVSS vector rates attack complexity as high; the fix is to upgrade to 4.1.61.Final or later.
Summary generated and translated by AI from the official description.
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with the endStream set to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a follow-up of GHSA-wm47-8v5p-wjpj/CVE-2021-21295, which missed this one case. This was fixed as part of 4.1.61.Final.
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N (base score 5.9, Medium: network-reachable, high attack complexity, no privileges or user interaction required, integrity impact only)
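To make the desync concrete, the following is an added example in Python, not Netty's code and not from the advisory. It models the HTTP/2 to HTTP/1.1 translation step with a translator that copies content-length through unchecked, the same translator with the missing validation in place, and a minimal HTTP/1.1 back-end parser that trusts Content-Length. The frame class, the host name api.example, the paths, the cookie and the 68-byte content-length are all constructed for the illustration; the two translators are simplified stand-ins for the codec classes named in the advisory, not their actual logic.

```python
"""Model of the HTTP/2 -> HTTP/1.1 translation desync behind CVE-2021-21409.
Added example, not Netty's code: the frame type, the two translators and the
HTTP/1.1 parser are simplified stand-ins, and all traffic is constructed inline."""
from dataclasses import dataclass

@dataclass
class HeadersFrame:
    """One HTTP/2 HEADERS frame (the advisory's 'single Http2HeaderFrame')."""
    stream_id: int
    headers: list          # (name, value) pairs, lower-case, pseudo-headers first
    end_stream: bool = False

class SmugglingError(ValueError):
    """Raised by the hardened translator when content-length and body disagree."""

def translate_unchecked(frame, data_frames=()):
    """Vulnerable-style translation: content-length is copied into the HTTP/1.1
    request as received, never compared with the body that actually arrived."""
    method = path = authority = None
    regular = []
    for name, value in frame.headers:
        if name == ":method":
            method = value
        elif name == ":path":
            path = value
        elif name == ":authority":
            authority = value
        elif not name.startswith(":"):   # other pseudo-headers have no HTTP/1.1 form
            regular.append((name, value))
    lines = [f"{method} {path} HTTP/1.1", f"Host: {authority}"]
    lines += [f"{name}: {value}" for name, value in regular]
    return ("\r\n".join(lines) + "\r\n\r\n").encode() + b"".join(data_frames)

def translate_checked(frame, data_frames=()):
    """Hardened translation: declared content-length must equal the body length.
    With END_STREAM on the HEADERS frame the body is empty, so any non-zero
    content-length is rejected instead of being forwarded."""
    if frame.end_stream and data_frames:
        raise SmugglingError(f"stream {frame.stream_id}: DATA after END_STREAM")
    body = b"".join(data_frames)
    declared = [v for n, v in frame.headers if n == "content-length"]
    if declared and (len(set(declared)) != 1 or not declared[0].isdigit()):
        raise SmugglingError(f"stream {frame.stream_id}: malformed content-length {declared}")
    if declared and int(declared[0]) != len(body):
        raise SmugglingError(f"stream {frame.stream_id}: content-length {declared[0]} "
                             f"but body is {len(body)} bytes")
    return translate_unchecked(frame, data_frames)

def parse_http1_requests(wire):
    """Minimal HTTP/1.1 parser for one upstream connection: trusts Content-Length
    to delimit each body, exactly as a back-end server does."""
    requests, pos = [], 0
    while pos < len(wire):
        end = wire.find(b"\r\n\r\n", pos)
        if end < 0:
            break
        request_line, *header_lines = wire[pos:end].decode().split("\r\n")
        headers = {}
        for line in header_lines:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        length = int(headers.get("content-length", "0"))
        body_start = end + 4
        requests.append((request_line, headers, wire[body_start:body_start + length]))
        pos = body_start + length
    return requests

# Constructed traffic. The attacker's stream is one HEADERS frame with END_STREAM
# and a content-length sized to swallow the victim's whole translated request
# (68 bytes in this model); no DATA frame ever follows it.
ATTACKER = HeadersFrame(1, [(":method", "POST"), (":path", "/echo"), (":authority", "api.example"),
                            ("content-length", "68")], end_stream=True)
VICTIM = HeadersFrame(3, [(":method", "GET"), (":path", "/account"), (":authority", "api.example"),
                          ("cookie", "session=victim")], end_stream=True)
LEGIT_POST = HeadersFrame(5, [(":method", "POST"), (":path", "/submit"), (":authority", "api.example"),
                              ("content-length", "5")])

def demo_vulnerable():
    """Proxy forwards both translated requests on one upstream connection; the
    back-end sees a single POST whose body is the victim's entire request."""
    return parse_http1_requests(translate_unchecked(ATTACKER) + translate_unchecked(VICTIM))

def demo_fixed():
    """Same attacker frame through the hardened translator: rejected at the proxy.
    Returns the rejection reason, or None if it was (wrongly) accepted."""
    try:
        translate_checked(ATTACKER)
    except SmugglingError as exc:
        return str(exc)
    return None

if __name__ == "__main__":
    for request_line, _, body in demo_vulnerable():
        print(request_line, "->", body)
    print("hardened:", demo_fixed())
    print(parse_http1_requests(translate_checked(LEGIT_POST, (b"hello",)))[0][2])
```

Running the module shows the back-end's view of the unchecked translation: one POST /echo whose body is the victim's complete GET /account request, cookie included, which is the request-interception outcome named above. The hardened translator refuses the attacker's frame at the proxy, while a well-formed POST whose DATA matches its content-length still passes. The rule is cheap to apply in any translating proxy: when the HEADERS frame carries END_STREAM and no DATA follows, the only acceptable content-length is 0 or none at all.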
Affected products
netty · netty (io.netty:netty-codec-http2, versions before 4.1.61.Final)
References
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21295
https://github.com/netty/netty/commit/b0fa4d5aab4215f3c22ce6123dd8dd5f38dc0432
https://github.com/netty/netty/security/advisories/GHSA-f256-j965-7f32
https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj
https://lists.apache.org/thread.html/r0b09f3e31e004fe583f677f7afa46bd30110904576c13c5ac818ac2c%40%3Cissues.flink.apache.org%3E
https://lists.apache.org/thread.html/r0ca82fec33334e571fe5b388272260778883e307e15415d7b1443de2%40%3Cissues.zookeeper.apache.org%3E
https://lists.apache.org/thread.html/r101f82d8f3b5af0bf79aecbd5b2dd3b404f6bb51d1a54c2c3d29bed9%40%3Cnotifications.zookeeper.apache.org%3E
https://lists.apache.org/thread.html/r1b3cb056364794f919aaf26ceaf7423de64e7fdd05a914066e7d5219%40%3Cissues.zookeeper.apache.org%3E
https://lists.apache.org/thread.html/r2732aa3884cacfecac4c54cfaa77c279ba815cad44b464a567216f83%40%3Cissues.zookeeper.apache.org%3E
https://lists.apache.org/thread.html/r31044fb995e894749cb821c6fe56f487c16a97028e6e360e59f09d58%40%3Cissues.zookeeper.apache.org%3E
https://lists.apache.org/thread.html/r4a98827bb4a7edbd69ef862f2351391845697c40711820d10df52ca5%40%3Ccommits.zookeeper.apache.org%3E
https://lists.apache.org/thread.html/r4b8be87acf5b9c098a2ee350b5ca5716fe7afeaf0a21a4ee45a90687%40%3Cissues.zookeeper.apache.org%3E