Netty before 4.1.42.Final mishandles whitespace before the colon in HTTP headers (such as a "Transfer-Encoding : chunked" line), which leads to HTTP request smuggling.
https://github.com/netty/netty/issues/9571
https://github.com/netty/netty/compare/netty-4.1.41.Final...netty-4.1.42.Final
https://lists.apache.org/thread.html/[email protected]%3Cissues.zookeeper.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Cdev.zookeeper.apache.org%3E
https://lists.debian.org/debian-lts-announce/2019/09/msg00035.html
https://lists.apache.org/thread.html/[email protected]%3Ccommits.zookeeper.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Cdev.drill.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Cissues.drill.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Ccommits.tinkerpop.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Ccommits.cassandra.apache.org%3E
https://access.redhat.com/errata/RHSA-2019:3892
https://lists.apache.org/thread.html/[email protected]%3Ccommits.druid.apache.org%3E
https://access.redhat.com/errata/RHSA-2019:3901
https://lists.apache.org/thread.html/[email protected]%3Cdev.olingo.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Cissues.spark.apache.org%3E
https://www.debian.org/security/2020/dsa-4597
https://seclists.org/bugtraq/2020/Jan/6
https://access.redhat.com/errata/RHSA-2020:0164
https://access.redhat.com/errata/RHSA-2020:0159
https://access.redhat.com/errata/RHSA-2020:0160
https://access.redhat.com/errata/RHSA-2020:0161
https://access.redhat.com/errata/RHSA-2020:0445
https://lists.apache.org/thread.html/[email protected]%3Ccommon-issues.hadoop.apache.org%3E
https://lists.debian.org/debian-lts-announce/2020/02/msg00018.html
https://lists.apache.org/thread.html/[email protected]%3Ccommon-commits.hadoop.apache.org%3E
https://lists.debian.org/debian-lts-announce/2020/09/msg00004.html
https://lists.apache.org/thread.html/[email protected]%3Cdev.flink.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Cissues.flink.apache.org%3E
https://usn.ubuntu.com/4532-1/
https://lists.apache.org/thread.html/[email protected]%3Ccommits.camel.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Ccommits.pulsar.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Cdev.rocketmq.apache.org%3E
Source: MITRE
Published: 2019-09-26
Updated: 2022-03-30
Type: CWE-444
Base Score (CVSS v2): 5
Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N
Impact Score: 2.9
Exploitability Score: 10
Severity: MEDIUM
Base Score (CVSS v3.1): 7.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Impact Score: 3.6
Exploitability Score: 3.9
Severity: HIGH