[jira] [Commented] (CASSANDRA-15417) CVE-2019-16869(Netty is vulnerable to HTTP Request Smuggling) of severity 7.5

Fri, 24 Sep 2021 07:16:34 -0700 


    [ 
https://issues.apache.org/jira/browse/CASSANDRA-15417?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17419803#comment-17419803
 ] 

Stefan Miklosovic commented on CASSANDRA-15417:
-----------------------------------------------

I do not think we are using HTTP in Cassandra and I do not think this is 
relevant.

> CVE-2019-16869(Netty is vulnerable to HTTP Request Smuggling) of severity 7.5
> -----------------------------------------------------------------------------
>
>                 Key: CASSANDRA-15417
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-15417
>             Project: Cassandra
>          Issue Type: Bug
>            Reporter: Abhishek Singh
>            Priority: Normal
>
> *Description :*
> *Severity :* CVE CVSS 3: 7.5Sonatype CVSS 3: 7.5
> *Weakness :* CVE CWE: 444
> *Source :* National Vulnerability Database
> *Categories :* Data
> *Description from CVE :* Netty before 4.1.42.Final mishandles whitespace 
> before the colon in HTTP headers , which leads to HTTP request smuggling.
> *Explanation :* Netty is vulnerable to HTTP Request Smuggling. The 
> splitHeader method in HttpObjectDecoder.class does not properly handle HTTP 
> headers containing whitespace between the header field-name and colon. An 
> attacker can exploit this by sending such a header containing this white 
> space and have the header end up being parsed by one endpoint and not 
> another, due to inconsistencies in how the whitespace in the header is 
> handled.
> *Detection :* The application is vulnerable by using this component.
> *Recommendation :* We recommend upgrading to a version of this component that 
> is not vulnerable to this specific issue.
> *Root Cause :* 
> apache-cassandra-3.11.4-bin.tar.gzio/netty/handler/codec/http/HttpObjectDecoder.class
>  : [4.0.0.Beta1, 4.1.42.Final]
> *Advisories :* Project: [https://github.com/netty/netty/issues/9571]
> *CVSS Details :* CVE CVSS 3: 7.5CVSS Vector: 
> CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
> *Occurences (Paths) :* ["apache-cassandra.zip" ; "apache-cassandra.zip"]
> *CVE :* CVE-2019-16869
> *URL :* [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16869]
> *Remediation :* This component does not have any non-vulnerable Version. 
> Please contact the vendor to get this vulnerability fixed.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to