
CGA-2vx5-qv6g-67jq

Published

Last updated

https://images.chainguard.dev/security/CGA-2vx5-qv6g-67jq
Package

druid

Latest Update
Not affected
Aliases
  • CVE-2021-43797
  • GHSA-wx5j-54mm-rqqq

Severity

6.5

Medium

CVSS V3

Summary

HTTP request smuggling in netty

Description

Impact

Netty currently skips control characters when they are present at the beginning or end of a header name. We should fail fast instead, as these are not allowed by the spec and could lead to HTTP request smuggling.

Failing to do the validation might cause Netty to "sanitize" header names before it forwards them to another remote system when used as a proxy. This remote system can't see the invalid usage anymore and therefore does not do the validation itself.

References

Updates


© 2024 Chainguard. All Rights Reserved.