CVE-2020-7238 — HIGH (7.5) — White Hats Nepal

Vulnerability Description

Netty 4.1.43.Final allows HTTP Request Smuggling because it mishandles Transfer-Encoding whitespace (such as a [space]Transfer-Encoding:chunked line) and a later Content-Length header. This issue exists because of an incomplete fix for CVE-2019-16869.

CVSS Score

7.5

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

HIGH

Availability

NONE

Affected Products

Vendor	Product	Versions
Netty	Netty	4.1.43
Fedoraproject	Fedora	33
Debian	Debian Linux	8.0
Redhat	Jboss Enterprise Application Platform	7.2
Redhat	Jboss Enterprise Application Platform Text-Only Advisories	-
Redhat	Openshift Application Runtimes Text-Only Advisories	-

Related Weaknesses (CWE)

CWE-444

References

https://access.redhat.com/errata/RHSA-2020:0497Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0567Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0601Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0605Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0606Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0804Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0805Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0806Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0811Third Party Advisory
https://github.com/jdordonezn/CVE-2020-72381/issues/1ExploitThird Party Advisory
https://lists.apache.org/thread.html/r131e572d003914843552fa45c4398b9903fb741449
https://lists.apache.org/thread.html/rc8d554aad889d12b140d9fd7d2d6fc2e8716e9792f
https://lists.debian.org/debian-lts-announce/2020/02/msg00017.htmlMailing ListThird Party Advisory
https://lists.debian.org/debian-lts-announce/2020/02/msg00018.htmlMailing ListThird Party Advisory
https://lists.debian.org/debian-lts-announce/2020/09/msg00003.htmlMailing ListThird Party Advisory

FAQ

What is CVE-2020-7238?

CVE-2020-7238 is a vulnerability with a CVSS score of 7.5 (HIGH). Netty 4.1.43.Final allows HTTP Request Smuggling because it mishandles Transfer-Encoding whitespace (such as a [space]Transfer-Encoding:chunked line) and a later Content-Length header. This issue exis...

How severe is CVE-2020-7238?

CVE-2020-7238 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2020-7238?

Check the references section above for vendor advisories and patch information. Affected products include: Netty Netty, Fedoraproject Fedora, Debian Debian Linux, Redhat Jboss Enterprise Application Platform, Redhat Jboss Enterprise Application Platform Text-Only Advisories.