Advisories for Maven/Io.netty/Netty-Codec-Http package

The HttpPostRequestDecoder can be tricked to accumulate data. I have spotted currently two attack vectors

Netty project is an event-driven asynchronous network application framework. In versions prior to 4.1.86.Final, when calling DefaultHttpHeadesr.set with an iterator of values, header value validation was not performed, allowing malicious header values in the iterator to perform HTTP Response Splitting. This issue has been patched in version 4.1.86.Final. Integrators can work around the issue by changing the DefaultHttpHeaders.set(CharSequence, Iterator<?>) call, into a remove() call, and call add() in a loop …

This advisory has been marked as a false positive.

This advisory has been marked as False Positive and moved to netty-common.

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Netty skips control chars when they are present at the beginning / end of the header name. It should instead fail fast as these are not allowed by the spec and could lead to HTTP request smuggling. Failing to do the validation might cause netty to sanitize header names before it …

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with the endStream set to to true. This could lead to request smuggling if the request is proxied to a remote peer and …

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers. There is a vulnerability on Unix-like systems involving an insecure temp file. When netty's multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled. On unix-like systems, the temporary directory is shared between all user. As such, writing …

HttpObjectDecoder.java in Netty allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax, or might be interpreted as an invalid fold.

HttpObjectDecoder.java in Netty allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding header.

Netty allows HTTP Request Smuggling because it mishandles Transfer-Encoding whitespace (such as a [space]Transfer-Encoding:chunked line) and a later Content-Length header.

Netty mishandles whitespace before the colon in HTTP headers (such as a Transfer-Encoding : chunked line), which leads to HTTP request smuggling.