high severity
- Vulnerable module: io.netty:netty-all
- Introduced through: io.netty:netty-all@4.1.42.Final
Detailed paths
- Introduced through: ferrybig/teamspeak-query@ferrybig/teamspeak-query#606500dd440bbfac69fcd37bbc1e6b46ff2982c8 › io.netty:netty-all@4.1.42.Final
  Remediation: Upgrade to io.netty:netty-all@4.1.44.Final.
Overview
io.netty:netty-all is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients.
Affected versions of this package are vulnerable to HTTP Request Smuggling. It allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax or as an "invalid fold."
Remediation
Upgrade io.netty:netty-all to version 4.1.44.Final or higher.
high severity
- Vulnerable module: io.netty:netty-all
- Introduced through: io.netty:netty-all@4.1.42.Final
Detailed paths
- Introduced through: ferrybig/teamspeak-query@ferrybig/teamspeak-query#606500dd440bbfac69fcd37bbc1e6b46ff2982c8 › io.netty:netty-all@4.1.42.Final
  Remediation: Upgrade to io.netty:netty-all@4.1.44.Final.
Overview
io.netty:netty-all is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients.
Affected versions of this package are vulnerable to HTTP Request Smuggling due to the package mishandling Transfer-Encoding whitespace (such as a [space]Transfer-Encoding:chunked line) and a later Content-Length header when using HTTP/1.1. This issue exists because of an incomplete fix for CVE-2019-16869.
NOTE: This vulnerability has also been identified as: CVE-2019-20445
Remediation
Upgrade io.netty:netty-all to version 4.1.44.Final or higher.
high severity
- Vulnerable module: io.netty:netty-all
- Introduced through: io.netty:netty-all@4.1.42.Final
Detailed paths
- Introduced through: ferrybig/teamspeak-query@ferrybig/teamspeak-query#606500dd440bbfac69fcd37bbc1e6b46ff2982c8 › io.netty:netty-all@4.1.42.Final
  Remediation: Upgrade to io.netty:netty-all@4.1.44.Final.
Overview
io.netty:netty-all is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients.
Affected versions of this package are vulnerable to HTTP Request Smuggling due to the package mishandling Transfer-Encoding whitespace (such as a [space]Transfer-Encoding:chunked line) and a later Content-Length header when using HTTP/1.1. This issue exists because of an incomplete fix for CVE-2019-16869.
NOTE: This vulnerability has also been identified as: CVE-2020-7238
Remediation
Upgrade io.netty:netty-all to version 4.1.44.Final or higher.