CVE-2019-16869 — HIGH (7.5)

Q: What is CVE-2019-16869?

CVE-2019-16869 is a vulnerability with a CVSS score of 7.5 (HIGH). Netty before 4.1.42.Final mishandles whitespace before the colon in HTTP headers (such as a "Transfer-Encoding : chunked" line), which leads to HTTP request smuggling.

Q: How severe is CVE-2019-16869?

CVE-2019-16869 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2019-16869?

Check the references section above for vendor advisories and patch information. Affected products include: Netty Netty, Debian Debian Linux, Canonical Ubuntu Linux, Redhat Jboss Enterprise Application Platform, Redhat Enterprise Linux.

Vulnerability Description

Netty before 4.1.42.Final mishandles whitespace before the colon in HTTP headers (such as a "Transfer-Encoding : chunked" line), which leads to HTTP request smuggling.

CVSS Score

7.5

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

HIGH

Availability

NONE

Affected Products

Vendor	Product	Versions
Netty	Netty	< 4.1.42
Debian	Debian Linux	8.0
Canonical	Ubuntu Linux	18.04
Redhat	Jboss Enterprise Application Platform	7.2
Redhat	Enterprise Linux	6.0

Related Weaknesses (CWE)

CWE-444

References

https://access.redhat.com/errata/RHSA-2019:3892Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:3901Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0159Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0160Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0161Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0164Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0445Third Party Advisory
https://github.com/netty/netty/compare/netty-4.1.41.Final...netty-4.1.42.FinalPatchThird Party Advisory
https://github.com/netty/netty/issues/9571ExploitIssue TrackingPatch
https://github.com/poc-effectiveness/PoCAdaptation/tree/main/Adapted/CVE-2019-16
https://lists.apache.org/thread.html/0acadfb96176768caac79b404110df62d14d30aa9d5
https://lists.apache.org/thread.html/19fed892608db1efe5a5ce14372137669ff639df020
https://lists.apache.org/thread.html/2494a2ac7f66af6e4646a4937b17972a4ec7cd3c733
https://lists.apache.org/thread.html/2e1cf538b502713c2c42ffa46d81f4688edb5676eb5
https://lists.apache.org/thread.html/35961d1ae00849974353a932b4fef12ebce07454155

FAQ

What is CVE-2019-16869?

CVE-2019-16869 is a vulnerability with a CVSS score of 7.5 (HIGH). Netty before 4.1.42.Final mishandles whitespace before the colon in HTTP headers (such as a "Transfer-Encoding : chunked" line), which leads to HTTP request smuggling.

How severe is CVE-2019-16869?

CVE-2019-16869 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2019-16869?

Check the references section above for vendor advisories and patch information. Affected products include: Netty Netty, Debian Debian Linux, Canonical Ubuntu Linux, Redhat Jboss Enterprise Application Platform, Redhat Enterprise Linux.