swagger-codegen icon indicating copy to clipboard operation
swagger-codegen copied to clipboard

Published 20 hours ago verified publisher icon swagger-api

CVE-2019-16869 (High) detected in netty-codec-http-4.0.42.Final.jar, netty-codec-http-4.1.8.Final.jar

Open mend-for-github-com[bot] opened this issue 3 years ago • 0 comments

CVE-2019-16869 - High Severity Vulnerability

Vulnerable Libraries - netty-codec-http-4.0.42.Final.jar, netty-codec-http-4.1.8.Final.jar

netty-codec-http-4.0.42.Final.jar

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.

Library home page: http://netty.io/

Path to dependency file: /samples/client/petstore/java/retrofit2-play25/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http/4.0.42.Final/70a96479b6f4110d5f4a4003413e5bf758393e5f/netty-codec-http-4.0.42.Final.jar

Dependency Hierarchy:

  • play-java-ws_2.11-2.5.14.jar (Root Library)
    • async-http-client-2.0.24.jar
      • :x: netty-codec-http-4.0.42.Final.jar (Vulnerable Library)
netty-codec-http-4.1.8.Final.jar

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.

Library home page: http://netty.io/

Path to dependency file: /samples/client/petstore/java/vertx/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http/4.1.8.Final/1e88617c4a6c88da7e86fdbbd9494d22a250c879/netty-codec-http-4.1.8.Final.jar

Dependency Hierarchy:

  • vertx-web-client-3.4.2.jar (Root Library)
    • vertx-core-3.4.2.jar
      • :x: netty-codec-http-4.1.8.Final.jar (Vulnerable Library)

Found in HEAD commit: 4b7a8d7d7384aa6a27d6309c35ade0916edae7ed

Found in base branches: 3.0.0, master

Vulnerability Details

Netty before 4.1.42.Final mishandles whitespace before the colon in HTTP headers (such as a "Transfer-Encoding : chunked" line), which leads to HTTP request smuggling.

Publish Date: 2019-09-26

URL: CVE-2019-16869

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None
For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16869

Release Date: 2019-09-26

Fix Resolution (io.netty:netty-codec-http): 4.1.42.Final

Direct dependency fix Resolution (io.vertx:vertx-web-client): 3.5.0

  • [ ] Check this box to open an automated fix PR

mend-for-github-com[bot] avatar Dec 29 '21 22:12 mend-for-github-com[bot]