CVE-2021-21409 (CNNVD-202103-1685)

MEDIUM
中文标题:
Netty 环境问题漏洞
英文标题:
Possible request smuggling in HTTP/2 due missing validation of content-length
CVSS分数: 5.9
发布时间: 2021-03-30 15:05:17
漏洞类型: 环境问题
状态: PUBLISHED
数据质量分数: 0.30
数据版本: v3
漏洞描述
中文描述:

Netty是Netty社区的一款非阻塞I/O客户端-服务器框架,它主要用于开发Java网络应用程序,如协议服务器和客户端等。 Netty 存在环境问题漏洞,该漏洞导致请求走私。

英文描述:

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with the endStream set to to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a followup of GHSA-wm47-8v5p-wjpj/CVE-2021-21295 which did miss to fix this one case. This was fixed as part of 4.1.61.Final.

CWE类型:
CWE-444
标签:
(暂无数据)
受影响产品
厂商 产品 版本 版本范围 平台 CPE
netty netty < 4.1.61.Final - - cpe:2.3:a:netty:netty:<_4.1.61.final:*:*:*:*:*:*:*
netty netty * - - cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:*
debian debian_linux 10.0 - - cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
netapp oncommand_api_services - - - cpe:2.3:a:netapp:oncommand_api_services:-:*:*:*:*:*:*:*
netapp oncommand_workflow_automation - - - cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*
oracle banking_corporate_lending_process_management 14.2.0 - - cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.2.0:*:*:*:*:*:*:*
oracle banking_corporate_lending_process_management 14.3.0 - - cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.3.0:*:*:*:*:*:*:*
oracle banking_corporate_lending_process_management 14.5.0 - - cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.5.0:*:*:*:*:*:*:*
oracle banking_credit_facilities_process_management 14.2.0 - - cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.2.0:*:*:*:*:*:*:*
oracle banking_credit_facilities_process_management 14.3.0 - - cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.3.0:*:*:*:*:*:*:*
oracle banking_credit_facilities_process_management 14.5.0 - - cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.5.0:*:*:*:*:*:*:*
oracle banking_trade_finance_process_management 14.2.0 - - cpe:2.3:a:oracle:banking_trade_finance_process_management:14.2.0:*:*:*:*:*:*:*
oracle banking_trade_finance_process_management 14.3.0 - - cpe:2.3:a:oracle:banking_trade_finance_process_management:14.3.0:*:*:*:*:*:*:*
oracle banking_trade_finance_process_management 14.5.0 - - cpe:2.3:a:oracle:banking_trade_finance_process_management:14.5.0:*:*:*:*:*:*:*
oracle coherence 12.2.1.4.0 - - cpe:2.3:a:oracle:coherence:12.2.1.4.0:*:*:*:*:*:*:*
oracle coherence 14.1.1.0.0 - - cpe:2.3:a:oracle:coherence:14.1.1.0.0:*:*:*:*:*:*:*
oracle communications_brm_-_elastic_charging_engine 12.0.0.3 - - cpe:2.3:a:oracle:communications_brm_-_elastic_charging_engine:12.0.0.3:*:*:*:*:*:*:*
oracle communications_cloud_native_core_console 1.7.0 - - cpe:2.3:a:oracle:communications_cloud_native_core_console:1.7.0:*:*:*:*:*:*:*
oracle communications_cloud_native_core_policy 1.14.0 - - cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.14.0:*:*:*:*:*:*:*
oracle communications_design_studio 7.4.2.0.0 - - cpe:2.3:a:oracle:communications_design_studio:7.4.2.0.0:*:*:*:*:*:*:*
oracle communications_messaging_server 8.1 - - cpe:2.3:a:oracle:communications_messaging_server:8.1:*:*:*:*:*:*:*
oracle helidon 1.4.10 - - cpe:2.3:a:oracle:helidon:1.4.10:*:*:*:*:*:*:*
oracle helidon 2.4.0 - - cpe:2.3:a:oracle:helidon:2.4.0:*:*:*:*:*:*:*
oracle jd_edwards_enterpriseone_tools * - - cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:*:*:*:*:*:*:*:*
oracle nosql_database * - - cpe:2.3:a:oracle:nosql_database:*:*:*:*:*:*:*:*
oracle primavera_gateway * - - cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*
quarkus quarkus * - - cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*
解决方案
中文解决方案:
(暂无数据)
英文解决方案:
(暂无数据)
临时解决方案:
(暂无数据)
参考链接
无标题 x_refsource_CONFIRM
cve.org
访问
无标题 x_refsource_MISC
cve.org
访问
无标题 x_refsource_MISC
cve.org
访问
无标题 x_refsource_MISC
cve.org
访问
DSA-4885 vendor-advisory
cve.org
访问
[zookeeper-dev] 20210407 [jira] [Created] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409 mailing-list
cve.org
访问
[zookeeper-issues] 20210407 [jira] [Assigned] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409 mailing-list
cve.org
访问
[zookeeper-issues] 20210407 [jira] [Created] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409 mailing-list
cve.org
访问
[zookeeper-issues] 20210408 [jira] [Comment Edited] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409 mailing-list
cve.org
访问
[zookeeper-issues] 20210408 [jira] [Commented] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409 mailing-list
cve.org
访问
[zookeeper-notifications] 20210408 [GitHub] [zookeeper] ayushmantri opened a new pull request #1678: ZOOKEEPER-4278: dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409 mailing-list
cve.org
访问
[zookeeper-issues] 20210408 [jira] [Updated] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409 mailing-list
cve.org
访问
[zookeeper-notifications] 20210408 [GitHub] [zookeeper] arshadmohammad commented on pull request #1678: ZOOKEEPER-4278: dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409 mailing-list
cve.org
访问
[zookeeper-commits] 20210408 [zookeeper] branch master updated: ZOOKEEPER-4278: dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409 mailing-list
cve.org
访问
[zookeeper-issues] 20210408 [jira] [Resolved] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409 mailing-list
cve.org
访问
[zookeeper-commits] 20210408 [zookeeper] branch branch-3.6 updated: ZOOKEEPER-4278: dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409 mailing-list
cve.org
访问
[zookeeper-commits] 20210408 [zookeeper] branch branch-3.7 updated: ZOOKEEPER-4278: dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409 mailing-list
cve.org
访问
[zookeeper-issues] 20210408 [jira] [Assigned] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409 mailing-list
cve.org
访问
[zookeeper-notifications] 20210408 [GitHub] [zookeeper] asfgit closed pull request #1678: ZOOKEEPER-4278: dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409 mailing-list
cve.org
访问
[zookeeper-commits] 20210408 [zookeeper] 01/02: ZOOKEEPER-4278: dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409 mailing-list
cve.org
访问
[zookeeper-issues] 20210409 [jira] [Commented] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409 mailing-list
cve.org
访问
[pulsar-commits] 20210419 [GitHub] [pulsar] lhotari opened a new pull request #10266: [Security] Upgrade Netty to 4.1.63.Final to address CVE-2021-21409 mailing-list
cve.org
访问
[pulsar-commits] 20210419 [GitHub] [pulsar] lhotari commented on pull request #10266: [Security] Upgrade Netty to 4.1.63.Final to address CVE-2021-21409 mailing-list
cve.org
访问
[pulsar-commits] 20210420 [GitHub] [pulsar] eolivelli merged pull request #10266: [Security] Upgrade Netty to 4.1.63.Final to address CVE-2021-21409 mailing-list
cve.org
访问
[flink-issues] 20210424 [jira] [Created] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx mailing-list
cve.org
访问
[flink-dev] 20210424 [jira] [Created] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx mailing-list
cve.org
访问
[flink-issues] 20210426 [jira] [Commented] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx mailing-list
cve.org
访问
[flink-issues] 20210426 [jira] [Updated] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx mailing-list
cve.org
访问
[kafka-jira] 20210506 [GitHub] [kafka] dongjinleekr opened a new pull request #10642: KAFKA-12756: Update Zookeeper to 3.6.3 or higher mailing-list
cve.org
访问
[flink-issues] 20210511 [jira] [Commented] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx mailing-list
cve.org
访问
[zookeeper-issues] 20210517 [jira] [Updated] (ZOOKEEPER-4295) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21409 in branch-3.5 mailing-list
cve.org
访问
[zookeeper-issues] 20210517 [jira] [Created] (ZOOKEEPER-4295) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21409 in branch-3.5 mailing-list
cve.org
访问
[zookeeper-dev] 20210517 [jira] [Created] (ZOOKEEPER-4295) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21409 in branch-3.5 mailing-list
cve.org
访问
[zookeeper-notifications] 20210517 [GitHub] [zookeeper] gpiyush-dev opened a new pull request #1696: ZOOKEEPER-4295: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21409 in branch-3.5 mailing-list
cve.org
访问
[zookeeper-notifications] 20210521 [GitHub] [zookeeper] maoling commented on pull request #1696: ZOOKEEPER-4295: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21409 in branch-3.5 mailing-list
cve.org
访问
[flink-issues] 20210610 [jira] [Updated] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx mailing-list
cve.org
访问
[flink-issues] 20210618 [jira] [Updated] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx mailing-list
cve.org
访问
无标题 x_refsource_MISC
cve.org
访问
无标题 x_refsource_CONFIRM
cve.org
访问
[zookeeper-issues] 20210727 [jira] [Commented] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409 mailing-list
cve.org
访问
[zookeeper-issues] 20210727 [jira] [Comment Edited] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409 mailing-list
cve.org
访问
[zookeeper-notifications] 20210727 [GitHub] [zookeeper] sandipbhattacharya commented on pull request #1678: ZOOKEEPER-4278: dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409 mailing-list
cve.org
访问
[kudu-issues] 20210904 [jira] [Created] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60 mailing-list
cve.org
访问
[kudu-issues] 20210904 [jira] [Updated] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60 mailing-list
cve.org
访问
[kudu-issues] 20210907 [jira] [Resolved] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60 mailing-list
cve.org
访问
[kudu-issues] 20210907 [jira] [Commented] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60 mailing-list
cve.org
访问
[kudu-issues] 20210907 [jira] [Updated] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60 mailing-list
cve.org
访问
[zookeeper-issues] 20210922 [jira] [Commented] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409 mailing-list
cve.org
访问
[zookeeper-issues] 20210923 [jira] [Commented] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409 mailing-list
cve.org
访问
[zookeeper-issues] 20210923 [jira] [Created] (ZOOKEEPER-4385) Backport ZOOKEEPER-4278 to branch-3.5 to Address CVE-2021-21409 mailing-list
cve.org
访问
[zookeeper-dev] 20210923 [jira] [Created] (ZOOKEEPER-4385) Backport ZOOKEEPER-4278 to branch-3.5 to Address CVE-2021-21409 mailing-list
cve.org
访问
[zookeeper-issues] 20210923 [jira] [Assigned] (ZOOKEEPER-4385) Backport ZOOKEEPER-4278 to branch-3.5 to Address CVE-2021-21409 mailing-list
cve.org
访问
[zookeeper-issues] 20210923 [jira] [Updated] (ZOOKEEPER-4385) Backport ZOOKEEPER-4278 to branch-3.5 to Address CVE-2021-21409 mailing-list
cve.org
访问
[zookeeper-issues] 20210924 [jira] [Resolved] (ZOOKEEPER-4385) Backport ZOOKEEPER-4278 to branch-3.5 to Address CVE-2021-21409 mailing-list
cve.org
访问
[zookeeper-commits] 20210924 [zookeeper] branch branch-3.5 updated: ZOOKEEPER-4385. Backport ZOOKEEPER-4278 to branch-3.5 to Address CVE-2021-21409 mailing-list
cve.org
访问
无标题 x_refsource_MISC
cve.org
访问
[pulsar-commits] 20211020 [GitHub] [pulsar] Shoothzj opened a new pull request #12437: [Security] Bump grpc to 1.41.0 mailing-list
cve.org
访问
无标题 x_refsource_MISC
cve.org
访问
无标题 x_refsource_MISC
cve.org
访问
CVSS评分详情
3.1 (cna)
MEDIUM
5.9
CVSS向量: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
机密性
NONE
完整性
HIGH
可用性
NONE
时间信息
发布时间:
2021-03-30 15:05:17
修改时间:
2024-08-03 18:09:16
创建时间:
2025-11-11 15:36:37
更新时间:
2025-11-11 15:56:39
利用信息
暂无可利用代码信息
数据源详情
数据源 记录ID 版本 提取时间
CVE cve_CVE-2021-21409 2025-11-11 15:20:48 2025-11-11 07:36:37
NVD nvd_CVE-2021-21409 2025-11-11 14:57:35 2025-11-11 07:44:58
CNNVD cnnvd_CNNVD-202103-1685 2025-11-11 15:10:36 2025-11-11 07:56:39
版本与语言
当前版本: v3
主要语言: EN
支持语言:
EN ZH
安全公告
暂无安全公告信息
变更历史
v3 CNNVD
2025-11-11 15:56:39
vulnerability_type: 未提取 → 环境问题; cnnvd_id: 未提取 → CNNVD-202103-1685; data_sources: ['cve', 'nvd'] → ['cnnvd', 'cve', 'nvd']
查看详细变更
  • vulnerability_type: 未提取 -> 环境问题
  • cnnvd_id: 未提取 -> CNNVD-202103-1685
  • data_sources: ['cve', 'nvd'] -> ['cnnvd', 'cve', 'nvd']
v2 NVD
2025-11-11 15:44:58
affected_products_count: 1 → 27; data_sources: ['cve'] → ['cve', 'nvd']
查看详细变更
  • affected_products_count: 1 -> 27
  • data_sources: ['cve'] -> ['cve', 'nvd']