Overview
About vulnerability
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.129.Final and 4.2.8.Final, the io.netty.handler.codec.http.HttpRequestEncoder has a CRLF injection with the request URI when constructing a request. This leads to request smuggling when HttpRequestEncoder is used without proper sanitization of the URI. Any application or framework using HttpRequestEncoder can be abused to perform request smuggling via CRLF injection. Versions 4.1.129.Final and 4.2.8.Final fix the issue.
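The fixed Netty versions sanitize the URI inside the encoder itself. For applications that cannot upgrade immediately, or that want defense in depth at the point where the URI is produced, the following outbound handler rejects any request whose URI contains CR, LF or other control characters before it reaches HttpRequestEncoder. This is an added example, not code from Netty or from any affected project; the class name RequestUriGuard and the pipeline placement in the comment are assumptions, while HttpRequest.uri(), ChannelOutboundHandlerAdapter and ReferenceCountUtil are real Netty 4.1 API.

```java
import io.netty.channel.ChannelHandlerContext;
import io.netty.channel.ChannelOutboundHandlerAdapter;
import io.netty.channel.ChannelPromise;
import io.netty.handler.codec.http.HttpRequest;
import io.netty.util.ReferenceCountUtil;

/**
 * Outbound guard that fails any HttpRequest whose URI could break the
 * request line, so an attacker-influenced URI is never turned into extra
 * header or request lines by the encoder.
 *
 * Hypothetical class name; this is not part of Netty.
 */
public final class RequestUriGuard extends ChannelOutboundHandlerAdapter {

    /**
     * Returns true when the URI contains no CR, LF, other control character,
     * DEL or space. Space is excluded because it terminates the request-target
     * on the wire, which is as damaging as a line break for smuggling purposes.
     */
    public static boolean isSafeUri(String uri) {
        if (uri == null) {
            return false;
        }
        for (int i = 0; i < uri.length(); i++) {
            char c = uri.charAt(i);
            if (c < 0x20 || c == 0x7F || c == ' ') {
                return false;
            }
        }
        return true;
    }

    @Override
    public void write(ChannelHandlerContext ctx, Object msg, ChannelPromise promise) throws Exception {
        if (msg instanceof HttpRequest) {
            String uri = ((HttpRequest) msg).uri();
            if (!isSafeUri(uri)) {
                // Release any reference-counted payload (FullHttpRequest) and fail the
                // write promise so the caller sees an error instead of a silent drop.
                ReferenceCountUtil.release(msg);
                promise.setFailure(new IllegalArgumentException(
                        "Rejected HTTP request: URI contains control characters or whitespace"));
                return;
            }
        }
        ctx.write(msg, promise);
    }

    // Constructed usage, assuming a Channel 'ch'. Outbound handlers run from the
    // tail of the pipeline towards the head, so the guard must be added AFTER
    // the encoder to be invoked before it:
    //   ch.pipeline().addLast(new HttpRequestEncoder()).addLast(new RequestUriGuard());
}
```

Failing the promise rather than silently stripping the offending characters is deliberate: a URI carrying CR or LF indicates either a bug in the caller or untrusted input reaching the request builder, and either case should surface as an error that can be logged and alerted on rather than be quietly rewritten.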
Details
- Affected product:
- Apache ActiveMQ, Apache Hadoop, Apache Hive, Apache Kafka, Apache Lucene, Apache Spark, Eclipse Jetty, Netty, Spring, accumulo, agepredictor, artemis, async-http-client, avro, aws-sdk-java, azure-sdk-for-java, bolt-connection-java, bookkeeper-common-allocator, cassandra-driver-core, cassandra-java-driver, couchbase-jvm-clients, cxf, druid, elasticsearch, flume-ng-sdk, grpc-netty, hbase, http-client, infinispan, java-driver, lettuce, lettuce-core, littleproxy, logging-flume, logging-log4j2, neo4j-bolt-connection-netty, neo4j-java-driver, neo4j-ogm, netty, pulsar, pulsar-client-all, rabbitmq-stream-java-client, rsocket-java, solr, sonatype-aether, tika, wildfly, zookeeper
- Affected packages:
- spring-boot-security-test-web-helloworld @ 1.5.22.RELEASE (+7080 more)